thwarting repeated login attempts

Bill Moran wmoran at collaborativefusion.com
Fri Jan 26 20:02:38 UTC 2007


In response to David Banning <david+dated+1170267615.a090fc at skytracker.ca>:

> I have installed denyhosts from the ports to stop ssh attacks, but
> I have discovered a vulnerability, that is new to me. Denyhosts
> does not seem to notice FTP login attempts, so the cracker can
> attempt to login via FTP, 1000's of times until he finds a
> login/password combination.

We refuse to run ftp because it's nearly impossible to secure.

> Once he has a login/password combo, he can simply login via ssh,
> (provided that user has a shell account).

Yeah, that's really bad.  You can end up with the same problem if you
run smtp auth without tls.

> Is there any way to block multiple FTP login attempts?

I'm sure there is, but why bother?  It would actually be _easier_ for most
crooks to simply sniff the passwords right off the wire.  If you really
think it's worthwhile, you can probably tweak denyhosts to properly
regex the ftp logs.

A better solution (assuming you can't ditch ftp, which would be the _best_
choice) would be to set up your ftpd so it has different passwords than
ssh/scp.  There are a number of ftp servers out there capable of this.

-- 
Bill Moran
Collaborative Fusion Inc.
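As an added illustration of the "regex the ftp logs" idea from the reply above (this is not code from the thread or from denyhosts): a small Python script that counts failed FTP logins per source host and lists the hosts that cross a threshold, in the shape denyhosts uses for hosts.deny. The syslog line format, host names and addresses are constructed assumptions; check what your own ftpd actually writes before reusing the pattern.

```python
import re
from collections import defaultdict

# Assumed log line shape (constructed for this example, modelled on what a
# BSD-style ftpd sends to syslog); adjust to your real auth log.
FTP_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ftpd\[\d+\]: "
    r"FTP LOGIN FAILED FROM (?P<host>[\w.\-]+), (?P<user>\S+)$"
)

def failed_logins_per_host(lines):
    """Count 'FTP LOGIN FAILED' lines per source host; other lines are ignored."""
    counts = defaultdict(int)
    for line in lines:
        m = FTP_FAIL_RE.match(line.strip())
        if m:
            counts[m.group("host")] += 1
    return dict(counts)

def hosts_to_deny(lines, threshold=5):
    """Hosts with at least `threshold` failures, sorted for stable output."""
    return sorted(h for h, n in failed_logins_per_host(lines).items() if n >= threshold)

def hosts_deny_entries(hosts, daemon="ftpd"):
    """Render hosts as tcp_wrappers hosts.deny lines (daemon name is an assumption)."""
    return [f"{daemon}: {h}" for h in hosts]

# Constructed sample log: one brute-forcing host, one host with a couple of
# typos, one successful login and an unrelated sshd line that must be skipped.
SAMPLE_LOG = """\
Jan 26 19:58:01 gw ftpd[1203]: FTP LOGIN FAILED FROM 203.0.113.7, admin
Jan 26 19:58:02 gw ftpd[1204]: FTP LOGIN FAILED FROM 203.0.113.7, root
Jan 26 19:58:02 gw ftpd[1205]: FTP LOGIN FAILED FROM 198.51.100.9, dave
Jan 26 19:58:03 gw ftpd[1206]: FTP LOGIN FAILED FROM 203.0.113.7, test
Jan 26 19:58:03 gw sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 4711 ssh2
Jan 26 19:58:04 gw ftpd[1208]: FTP LOGIN FAILED FROM 203.0.113.7, guest
Jan 26 19:58:05 gw ftpd[1209]: FTP LOGIN FAILED FROM 198.51.100.9, dave
Jan 26 19:58:05 gw ftpd[1210]: FTP LOGIN FROM 198.51.100.9 as dave
Jan 26 19:58:06 gw ftpd[1211]: FTP LOGIN FAILED FROM 203.0.113.7, ftp
Jan 26 19:58:07 gw ftpd[1212]: FTP LOGIN FAILED FROM 203.0.113.7, www
"""

if __name__ == "__main__":
    for entry in hosts_deny_entries(hosts_to_deny(SAMPLE_LOG.splitlines())):
        print(entry)
```

Note that the sshd line from the same host is deliberately not counted; feeding both services into one counter is a separate decision.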

