On Thu, 2006-11-16 at 21:09 +0200, Alan McKinnon wrote:
> On Thursday 16 November 2006 20:29, Michael Sullivan wrote:
> > Can anyone tell me why I have about a hundred of these
> >
> > Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure;
> > logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> > Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure;
> > logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> > Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure;
> > logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> > Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure;
> > logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> >
> > when that IP address is in /etc/ipkungfu/deny_hosts.conf? Here's my
> > rules; I don't understand them:
>
> [snip]
>
> > 1 55 DROP all -- eth0 any 222.135.146.45
> > anywhere
>
> Some script kiddie is trying a brute force attack on your ftp port trying
> random combinations of user name and password every three seconds.
>
> 'dig 45.146.135.222.in-addr.arpa PTR' tells me that the address belongs
> to some machine on network sdjnptt.net.cn and that turns out to be
> what looks like some Chinese ISP.
>
> So, a Chinese person is trying to exploit your machine. Hey, it happens.
> And will happen for about the rest of your life. The solution is to
> drop them at the firewall, and the above rule is doing exactly that.
>
> This specific attack from this specific person at that specific address
> is no longer something you need to worry about :-)
>
>
> alan
>

So why do I get the hourly log reports (from logcheck) saying that this
IP is trying to access my FTP? How does vsftpd know about this if
they're being dropped at the firewall?

--
gentoo-user@g.o mailing list
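
Added example, not part of the original thread: a small Python triage script for the pam_unix records quoted above. It rejoins the mail-wrapped log lines, groups failures by rhost, and reports the logging PIDs, the typical gap between attempts, and whether the source is on a deny list yet still appears in the log. The names SAMPLE_LOG, DENIED, records and summarize are hypothetical, and the deny set is an assumption standing in for the poster's deny_hosts.conf.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed input: the four records quoted in the thread, with the mail
# client's line wrapping kept so the parser has to rejoin them.
SAMPLE_LOG = "".join(
    f"Nov 16 08:00:{s} bullet ftp(pam_unix)[2045]: authentication failure;\n"
    "logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45\n"
    for s in ("03", "06", "09", "12"))
DENIED = {"222.135.146.45"}  # assumption: contents of the poster's deny list

STAMP = r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d"
FAIL = re.compile(rf"^({STAMP}) \S+ (\w+)\(pam_unix\)\[(\d+)\]: "
                  r"authentication failure;.*\brhost=(\S+)")

def records(text):
    """Rejoin wrapped records: a line with no syslog timestamp continues the previous one."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if re.match(STAMP, line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def summarize(text, denied, year=2006):
    """Per source address: failure count, service, logging PIDs, typical gap, deny-list status."""
    hits = defaultdict(list)
    for rec in records(text):
        m = FAIL.match(rec)
        if m:  # syslog omits the year, so it is supplied by the caller
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            hits[m.group(4)].append((ts, m.group(2), m.group(3)))
    report = {}
    for host, rows in hits.items():
        rows.sort()
        gaps = sorted((b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:]))
        report[host] = {
            "failures": len(rows),
            "services": sorted({r[1] for r in rows}),
            "pids": sorted({r[2] for r in rows}),  # one PID: one process logged them all
            "median_gap_s": gaps[len(gaps) // 2] if gaps else None,
            "denied_but_seen": host in denied,  # listed as blocked, yet still logging failures
        }
    return report

if __name__ == "__main__":
    for host, info in summarize(SAMPLE_LOG, DENIED).items():
        print(host, info)
```

A source flagged `denied_but_seen` is worth comparing against the packet counters on its DROP rule in the firewall listing.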