thwarting repeated login attempts

Kevin Kinsey kdk at daleco.biz
Fri Jan 26 20:50:51 UTC 2007


David Banning wrote:
>>> I have discovered a vulnerability that is new to me. Denyhosts
>>> does not seem to notice FTP login attempts, so the cracker can
>>> attempt to log in via FTP, 1000s of times until he finds a
>>> login/password combination.
>>>
>> Pardon the stupid question, but I'm assuming it's necessary that you run
>> ftpd?  We block ftpd at the firewall to any machines outside the LAN.
>> Anyone who needs FTP access uses a client that's capable of using sftp
>> instead, and logs in with their SSH credentials.
> 
> Hmm - interesting - I just -may- be able to disable using ftpd.
> 
> But I still pose the same question - what do ftp servers do on this?
> Maybe -not- have ssh login? -or- maybe not have ssh login using the
> same login/password?

I'm also interested; my version of the question is probably more like,
"is anyone in their right mind running ftpd over the WAN for anything
but an anonymous user"? [1]

Note that I'm _not_ trying to be critical.  However, in the current
state of things [2], I don't see anything involving unencrypted
authentication as valid for WAN (Internet) operations.


Kevin Kinsey

[1] Granted, other strategies might work; firewalling and/or tcpwrappers
might work.

[2] An interesting read - "The Internet Sucks" - 
http://www.macleans.ca/topstories/life/article.jsp?content=20061030_135406_135406
-- 
Computers will not be perfected until they can compute how much more
than the estimate the job will cost.
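As an added example, not code from anyone in this thread: a small log check for the gap David describes, counting ftpd login failures per source host from syslog lines so that repeated FTP attempts get noticed the way Denyhosts notices SSH ones. The ftpd message format is an assumption and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog shape of a FreeBSD ftpd failure (an assumption for this example):
#   "Jan 26 20:41:03 gw ftpd[1201]: FTP LOGIN FAILED FROM 203.0.113.7, root"
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ ftpd\[\d+\]: "
    r"FTP LOGIN FAILED FROM (?P<src>[^,]+), (?P<user>\S+)$"
)

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Jan 26 20:41:03 gw ftpd[1201]: FTP LOGIN FAILED FROM 203.0.113.7, root
Jan 26 20:41:04 gw ftpd[1202]: FTP LOGIN FAILED FROM 203.0.113.7, admin
Jan 26 20:41:05 gw sshd[1203]: Invalid user test from 203.0.113.9
Jan 26 20:41:06 gw ftpd[1204]: FTP LOGIN FAILED FROM 203.0.113.7, david
Jan 26 20:41:07 gw ftpd[1205]: FTP LOGIN FAILED FROM 192.168.1.20, david
Jan 26 20:41:08 gw ftpd[1206]: FTP LOGIN FAILED FROM 203.0.113.7, guest
Jan 26 20:59:30 gw ftpd[1207]: FTP LOGIN FAILED FROM 203.0.113.7, ftp
"""

def parse_failures(text, year=2007):
    """Return [(timestamp, source_host, username)] per ftpd failure line.
    Syslog omits the year, so the caller supplies it."""
    out = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:  # lines from other daemons (sshd etc.) are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["src"].strip(), m["user"]))
    return out

def offenders(text, threshold=4, window=timedelta(minutes=10), year=2007):
    """Source host -> peak failures inside any sliding window, for hosts that
    reach `threshold`; this is the list a blocker (tcpwrappers, firewall) acts on."""
    by_src = defaultdict(list)
    for ts, src, _user in parse_failures(text, year):
        by_src[src].append(ts)
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide past events older than the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits
```

On the sample, only the outside host crosses the threshold; the single LAN failure and the sshd line are ignored.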


More information about the freebsd-questions mailing list