| 1 |
On Thursday 16 November 2006 20:29, Michael Sullivan wrote: |
| 2 |
> Can anyone tell me why I have about a hundred of these |
| 3 |
> |
| 4 |
> Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure; |
| 5 |
> logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45 |
| 6 |
> Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure; |
| 7 |
> logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45 |
| 8 |
> Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure; |
| 9 |
> logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45 |
| 10 |
> Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure; |
| 11 |
> logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45 |
| 12 |
> |
| 13 |
> when that IP address is in /etc/ipkungfu/deny_hosts.conf? Here's my |
| 14 |
> rules; I don't understand them: |
| 15 |
|
| 16 |
[snip] |
| 17 |
|
| 18 |
> 1 55 DROP all -- eth0 any 222.135.146.45 |
| 19 |
> anywhere |
| 20 |
|
| 21 |
Some scipt kiddie is trying a brute force attack on your ftp port trying |
| 22 |
random combinations of user name and pasword every three seconds. |
| 23 |
|
| 24 |
'dig 45.146.135.222.in-addr.arpa PTR' tells me that the address belongs |
| 25 |
to some maschine on network sdjnptt.net.cn and that turns out to be |
| 26 |
what looks like some chinese isp. |
| 27 |
|
| 28 |
So, a chinese person is trying to exploit your machine. Hey, it happens. |
| 29 |
And will happen for about the rest of your life. The solution is to |
| 30 |
drop them at the firewall, and the above rule is doing exactly that. |
| 31 |
|
| 32 |
This specific attack from this specific person at that specific address |
| 33 |
si no longer something you need to worry about :-) |
| 34 |
|
| 35 |
|
| 36 |
alan |
| 37 |
|
| 38 |
-- |
| 39 |
gentoo-user@g.o mailing list |
Archives