Re: [cobalt-users] ProFTP security probs?

[Seth Mos <knuffie@xxxxxxxxx>]

At 11:09 PM 8/21/00 -0700, you wrote:
> We have a Raq3i.  After installing the OS updates this last weekend
> everything is running ok.
>
> But now, all kinds of people are tryin to hack into the server (or so I
> think) via proftp.  Ill paste a couple of selections from the log:
>
> Aug 21 11:56:13 www sshd[27400]: log: Connection from
> 206.133.213.239 port 4723
> Aug 21 11:56:13 www sshd[27400]: log: reverse mapping checking
> gethostbyname for sdn-ar-002cavictp333.dialsprint.net failed -
> POSSIBLE BREAKIN ATTEMPT!
>
> and many like the following:
>
> Aug 21 02:31:03 www proftpd[15852]: 216.122.146.91
> (1Cust101.tnt1.bellingham.wa.da.uu.net[63.28.105.101]) - FTP
> session closed.
> Aug 21 02:31:25 www proftpd[15877]: 216.122.146.91
> (1Cust101.tnt1.bellingham.wa.da.uu.net[63.28.105.101]) - USER
> anonymous (Login failed): Can't find user.
> Aug 21 02:31:26 www proftpd[15877]: 216.122.146.91
> (1Cust101.tnt1.bellingham.wa.da.uu.net[63.28.105.101]) - FTP
> session closed.
> Aug 21 02:31:57 www proftpd[15878]: 216.122.146.91
> (1Cust101.tnt1.bellingham.wa.da.uu.net[63.28.105.101]) - USER
> anonymous (Login failed): Can't find user
>
> Are a bunch of script kiddies tryin to hack my server?  Is there
> anyone who could look at the entire log and possibly tell me what
> security messages I need? (log is 450K)

They are trying to brute force their way into a user account.
The previous version of proftpd is rootable to my knowledge (not the one in 
the update).

Put the offending domain in /etc/hosts.deny

ALL: .subdomain.domain.com

Then the will be disconnected as soon as tcp wrapper does a reverse lookup.
It also prevents logins on your server from those domains.
It also works with IP addresses.


--
Seth
"Have you gone mad?"
"Well, yes, but that's beyond the scope of this email."