thwarting repeated login attempts
Kevin Kinsey
kdk at daleco.biz
Fri Jan 26 20:50:51 UTC 2007
David Banning wrote:
>>> I have discovered a vulnerability, that is new to me. Denyhosts
>>> does not seem to notice FTP login attempts, so the cracker can
>>> attempt to login via FTP, 1000's of times until he finds a
>>> login/password combination.
>>>
>> Pardon the stupid question, but I'm assuming it's necessary that you run
>> ftpd? We block ftpd at the firewall to any machines outside the LAN.
>> Anyone who needs FTP access uses a client that's capable of using sftp
>> instead, and logs in with their SSH credentials.
>
> Hmm - interesting - I just -may- be able to disable using ftpd.
>
> But I still pose the same question - what do ftp servers do on this?
> Maybe -not- have ssh login? -or- maybe not have ssh login using the
> same login/password?
I'm also interested; my version of the question is probably more like,
"is anyone in their right mind running ftpd over the WAN for anything
but an anonymous user"? [1]
Note that I'm _not_ trying to be critical. However, in the current
state of things [2], I don't see anything involving unencrypted
authentication as valid for WAN(Internet) operations.
Kevin Kinsey
[1] Granted, other strategies might work; firewalling and/or tcpwrappers
might work.
[2] An interesting read - "The Internet Sucks" -
http://www.macleans.ca/topstories/life/article.jsp?content=20061030_135406_135406
--
Computers will not be perfected until they can compute how much more
than the estimate the job will cost.
More information about the freebsd-questions
mailing list