thwarting repeated login attempts
wmoran at collaborativefusion.com
Fri Jan 26 20:02:38 UTC 2007
In response to David Banning <david+dated+1170267615.a090fc at skytracker.ca>:
> I have installed denyhosts from the ports to stop ssh attacks, but
> I have discovered a vulnerability, that is new to me. Denyhosts
> does not seem to notice FTP login attempts, so the cracker can
> attempt to login via FTP, 1000's of times until he finds a
> login/password combination.
We refuse to run ftp because it's nearly impossible to secure.
> Once he has a login/password combo, he can simply log in via ssh,
> (provided that user has a shell account).
Yeah, that's really bad. You can end up with the same problem if you
run smtp auth without tls.
> Is there anyway to block multiple FTP login attempts?
I'm sure there is, but why bother? It would actually be _easier_ for most
crooks to simply sniff the passwords right off the wire. If you really
think it's worthwhile, you can probably tweak denyhosts to properly
regex the ftp logs.
A better solution (assuming you can't ditch ftp, which would be the _best_
choice) would be to set up your ftpd so it has different passwords than
ssh/scp. There are a number of ftp servers out there capable of this.
Collaborative Fusion Inc.
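As an added illustration of the "tweak denyhosts to regex the ftp logs" suggestion above (this is example code written for this page, not part of the original thread and not denyhosts' own code): a small sliding-window scanner over syslog lines that flags a source host once it has produced a threshold number of FTP login failures inside a time window, and emits the pfctl command that would add it to a pf table. The log lines are constructed for the example; the message text "FTP LOGIN FAILED FROM host, user" is an assumption modelled on a BSD-style ftpd, and the table name "bruteforce" is assumed to exist in pf.conf (table <bruteforce> persist, plus a block rule referencing it). Verify the regex against what your own ftpd actually writes before using it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines for this example (not from the original post).
# The "FTP LOGIN FAILED FROM <host>, <user>" message format is an assumption;
# check your ftpd's real syslog output before trusting LINE_RE in production.
# 192.0.2.10 hammers five accounts in six seconds (a brute-forcer);
# 198.51.100.7 is a legitimate user who mistypes a password now and then.
SAMPLE_LOG = """\
Jan 26 19:58:01 gw ftpd[4711]: FTP LOGIN FAILED FROM 192.0.2.10, admin
Jan 26 19:58:02 gw ftpd[4712]: FTP LOGIN FAILED FROM 192.0.2.10, root
Jan 26 19:58:02 gw sshd[4713]: Failed password for invalid user test from 203.0.113.5 port 40012 ssh2
Jan 26 19:58:04 gw ftpd[4714]: FTP LOGIN FAILED FROM 192.0.2.10, test
Jan 26 19:58:05 gw ftpd[4715]: FTP LOGIN FAILED FROM 192.0.2.10, oracle
Jan 26 19:58:07 gw ftpd[4716]: FTP LOGIN FAILED FROM 192.0.2.10, guest
Jan 26 19:58:09 gw ftpd[4717]: FTP LOGIN FAILED FROM 198.51.100.7, dave
Jan 26 19:58:40 gw ftpd[4718]: FTP LOGIN FROM 198.51.100.7 as dave
Jan 26 20:20:00 gw ftpd[4719]: FTP LOGIN FAILED FROM 198.51.100.7, dave
Jan 26 20:23:00 gw ftpd[4720]: FTP LOGIN FAILED FROM 198.51.100.7, dave
Jan 26 20:26:00 gw ftpd[4721]: FTP LOGIN FAILED FROM 198.51.100.7, dave
Jan 26 20:29:00 gw ftpd[4722]: FTP LOGIN FAILED FROM 198.51.100.7, dave
Jan 26 20:32:00 gw ftpd[4723]: FTP LOGIN FAILED FROM 198.51.100.7, dave
"""

# Only ftpd failure lines match; sshd lines and successful logins are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ ftpd\[\d+\]: "
    r"FTP LOGIN FAILED FROM (?P<host>[^,]+), (?P<user>\S+)$"
)

# Assumed pf table name; pf.conf needs "table <bruteforce> persist" and a
# matching block rule for the generated command to have any effect.
PF_TABLE = "bruteforce"


def scan(log_text, threshold=5, window_seconds=300):
    """Return {host: sorted list of usernames tried} for every host that
    produced at least `threshold` FTP login failures within any
    `window_seconds`-long sliding window."""
    recent = defaultdict(deque)   # host -> timestamps of failures still in window
    tried = defaultdict(set)      # host -> usernames it has tried
    flagged = {}                  # host -> time the threshold was first crossed
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; fine for deltas within one log,
        # but a scanner that straddles New Year must handle the rollover.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        host, user = m["host"], m["user"]
        tried[host].add(user)
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that have aged out of the window
        if len(q) >= threshold and host not in flagged:
            flagged[host] = ts
    return {h: sorted(tried[h]) for h in flagged}


def block_commands(flagged, table=PF_TABLE):
    """Turn scan() output into the pfctl invocations that would add each
    offending host to the pf table (returned as strings, not executed)."""
    return [f"pfctl -t {table} -T add {host}" for host in sorted(flagged)]


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for host, users in hits.items():
        print(f"{host}: {len(users)} distinct accounts tried: {', '.join(users)}")
    for cmd in block_commands(hits):
        print(cmd)
```

With the default threshold of 5 failures in 300 seconds only 192.0.2.10 is flagged; 198.51.100.7 fails five times too, but spread over twelve minutes, so at most two of its failures ever share a window. Loosening the parameters (for example threshold 3 in 600 seconds) does catch it, which is the usual tuning trade-off for this class of tool. Note this only addresses guessing; it does nothing about the cleartext-credential problem the reply raises, so the "separate ftp password" advice still stands.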