On Thursday 16 November 2006 20:29, Michael Sullivan wrote:
> Can anyone tell me why I have about a hundred of these
>
> Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
>
> when that IP address is in /etc/ipkungfu/deny_hosts.conf? Here's my
> rules; I don't understand them:

[snip]

> 1 55 DROP all -- eth0 any 222.135.146.45 anywhere

Some script kiddie is trying a brute force attack on your ftp port, trying
random combinations of user name and password every three seconds.

'dig 45.146.135.222.in-addr.arpa PTR' tells me that the address belongs
to some machine on network sdjnptt.net.cn and that turns out to be
what looks like some Chinese ISP.

So, a Chinese person is trying to exploit your machine. Hey, it happens.
And will happen for about the rest of your life. The solution is to
drop them at the firewall, and the above rule is doing exactly that.

This specific attack from this specific person at that specific address
is no longer something you need to worry about :-)


alan

--
gentoo-user@g.o mailing list
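As an added example (not code from the thread or from ipkungfu), here is a small Python check that parses the pam_unix lines Michael quoted, groups failures by source address and service, and flags the steady three-second cadence alan describes. The sample log is constructed from the four quoted lines plus one unrelated sshd failure from the constructed address 192.0.2.7; the log year is assumed to be 2006 because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern for the pam_unix "authentication failure" lines quoted in the mail.
# Syslog timestamps carry no year, so the caller supplies one (assumed 2006).
PAM_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<svc>[\w.-]+)\(pam_unix\)\[\d+\]: authentication failure; "
    r".*\brhost=(?P<rhost>[\d.]+)"
)

# Constructed sample: the mail's four lines re-joined onto single syslog lines,
# plus one unrelated sshd failure from a constructed address (192.0.2.7).
SAMPLE_LOG = """\
Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 09:15:00 bullet sshd(pam_unix)[3100]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.7
"""

def parse_failures(text, year=2006):
    """Yield (timestamp, service, rhost) for each pam_unix failure line."""
    for line in text.splitlines():
        m = PAM_FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["svc"], m["rhost"]

def find_bruteforce(text, threshold=3, window_s=60):
    """Return {(rhost, service): (count, min_gap_s)} for sources that reach
    `threshold` failures against one service within `window_s` seconds."""
    per_src = defaultdict(list)
    for ts, svc, rhost in parse_failures(text):
        per_src[(rhost, svc)].append(ts)
    hits = {}
    for key, stamps in per_src.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_s:
                gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
                hits[key] = (len(stamps), min(gaps))
                break
    return hits

if __name__ == "__main__":
    for (rhost, svc), (n, gap) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{rhost}: {n} failures on {svc}, one every {gap:.0f}s")
```

Feed it the real `/var/log/messages` (or whatever syslog writes pam_unix lines to) and any source it reports is a candidate for the kind of DROP rule shown above; a source that keeps appearing after the rule is in place would mean the rule is not matching.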