Gentoo Archives: gentoo-user

From: Michael Sullivan <michael@××××××××××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] OT - ipkungfu perhaps not doing its job
Date: Thu, 16 Nov 2006 21:07:17
Message-Id: 1163710799.12502.99.camel@camille.espersunited.com
In Reply to: Re: [gentoo-user] OT - ipkungfu perhaps not doing its job by Alan McKinnon
On Thu, 2006-11-16 at 21:09 +0200, Alan McKinnon wrote:
> On Thursday 16 November 2006 20:29, Michael Sullivan wrote:
> > Can anyone tell me why I have about a hundred of these
> >
> > Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure;
> > logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> > Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure;
> > logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> > Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure;
> > logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> > Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure;
> > logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> >
> > when that IP address is in /etc/ipkungfu/deny_hosts.conf? Here are my
> > rules; I don't understand them:
>
> [snip]
>
> > 1 55 DROP all -- eth0 any 222.135.146.45
> > anywhere
>
> Some script kiddie is trying a brute force attack on your ftp port trying
> random combinations of user name and password every three seconds.
>
> 'dig 45.146.135.222.in-addr.arpa PTR' tells me that the address belongs
> to some machine on network sdjnptt.net.cn and that turns out to be
> what looks like some Chinese ISP.
>
> So, a Chinese person is trying to exploit your machine. Hey, it happens.
> And will happen for about the rest of your life. The solution is to
> drop them at the firewall, and the above rule is doing exactly that.
>
> This specific attack from this specific person at that specific address
> is no longer something you need to worry about :-)
>
>
> alan
>

So why do I get the hourly log reports (from logcheck) saying that this
IP is trying to access my FTP? How does vsftpd know about this if
they're being dropped at the firewall?

--
gentoo-user@g.o mailing list
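The pam_unix records quoted in the thread are exactly what a log watcher such as logcheck keys on. As an added example (not code from the thread, from ipkungfu or from vsftpd), this Python snippet parses those records, groups failures by rhost, and flags any source that produced three or more failures inside a 60-second window, which is the "every three seconds" pattern Alan describes. The sample lines are constructed from the thread (each syslog record re-joined onto one line, since the mail client wrapped them) plus one stray failure from the RFC 5737 documentation address 198.51.100.7; the year is assumed to be 2006 because syslog omits it.

```python
import re
from collections import defaultdict
from datetime import datetime

# One vsftpd/pam_unix failure record as syslog writes it (a single line);
# the rhost= field carries the remote address we want to count by.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"ftp\(pam_unix\)\[\d+\]: authentication failure;.*\brhost=(?P<rhost>\S+)"
)

def parse_failures(lines, year=2006):
    """Return (timestamp, rhost) for every pam_unix auth-failure line.
    Syslog omits the year, so the caller supplies it (assumed 2006 here)."""
    found = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            found.append((ts, m.group("rhost")))
    return found

def brute_force_sources(lines, min_failures=3, window_seconds=60):
    """Map rhost -> total failure count for every source that produced
    min_failures or more failures inside any window_seconds span."""
    by_host = defaultdict(list)
    for ts, rhost in parse_failures(lines):
        by_host[rhost].append(ts)
    flagged = {}
    for rhost, stamps in by_host.items():
        stamps.sort()
        # Sliding window: compare each failure with the (min_failures-1)th after it.
        for i in range(len(stamps) - min_failures + 1):
            span = (stamps[i + min_failures - 1] - stamps[i]).total_seconds()
            if span <= window_seconds:
                flagged[rhost] = len(stamps)
                break
    return flagged

# Constructed sample: the thread's four records (re-joined) plus one isolated
# failure from the documentation address 198.51.100.7, which must not be flagged.
SAMPLE_LOG = [
    "Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45",
    "Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45",
    "Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45",
    "Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45",
    "Nov 16 08:17:40 bullet ftp(pam_unix)[2101]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.7",
]
```

Sources the function returns are candidates for a firewall DROP; a rule that is in place but still sees new failures from the same rhost (as in this thread) is worth checking with `iptables -L -v -n --line-numbers` to confirm it sits in the INPUT chain ahead of any ACCEPT rule for port 21.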