From: Bill Moran <wmoran@collaborativefusion.com>
To: David Banning
Cc: questions@freebsd.org
Date: Fri, 26 Jan 2007 15:02:37 -0500
Subject: Re: thwarting repeated login attempts
Message-Id: <20070126150237.e2192773.wmoran@collaborativefusion.com>
In-Reply-To: <20070126182013.GA10551@skytracker.ca>
References: <20070126182013.GA10551@skytracker.ca>

In response to David Banning:

> I have installed denyhosts from the ports to stop ssh attacks, but
> I have discovered a vulnerability that is new to me. Denyhosts
> does not seem to notice FTP login attempts, so the cracker can
> attempt to login via FTP 1000's of times until he finds a
> login/password combination.

We refuse to run ftp because it's nearly impossible to secure.
> Once he has a login/password combo, he can simply login via ssh
> (provided that user has a shell account).

Yeah, that's really bad. You can end up with the same problem if you run smtp auth without tls.

> Is there any way to block multiple FTP login attempts?

I'm sure there is, but why bother? It would actually be _easier_ for most crooks to simply sniff the passwords right off the wire.

If you really think it's worthwhile, you can probably tweak denyhosts to properly regex the ftp logs.

A better solution (assuming you can't ditch ftp, which would be the _best_ choice) would be to set up your ftpd so it has different passwords than ssh/scp. There are a number of ftp servers out there capable of this.

--
Bill Moran
Collaborative Fusion Inc.
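The "regex the ftp logs" idea from the reply, as an added example that is not from the thread or from DenyHosts: a small Python scan over constructed ftpd syslog lines that counts failed FTP logins per source host and emits hosts.allow deny entries for hosts at or over a threshold. The `FTP LOGIN FAILED FROM host, user` line shape and the `ALL : host : deny` hosts.allow syntax are assumptions to check against your own ftpd(8) and hosts_options(5) before relying on them.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape FreeBSD's ftpd(8) logs via syslog
# (assumption: verify the exact format against your own /var/log/auth.log).
SAMPLE_LOG = """\
Jan 26 14:58:01 host ftpd[1234]: FTP LOGIN FAILED FROM 203.0.113.5, root
Jan 26 14:58:02 host ftpd[1235]: FTP LOGIN FAILED FROM 203.0.113.5, admin
Jan 26 14:58:03 host ftpd[1236]: FTP LOGIN FAILED FROM 203.0.113.5, test
Jan 26 14:58:05 host ftpd[1237]: FTP LOGIN FROM 198.51.100.7, dbanning
Jan 26 14:58:09 host ftpd[1238]: FTP LOGIN FAILED FROM 198.51.100.7, dbanning
Jan 26 14:58:11 host sshd[2001]: Failed password for invalid user bob from 203.0.113.5 port 4411 ssh2
"""

# Only ftpd failures: successful logins and other daemons (sshd here) must not match.
FAILED_RE = re.compile(r"ftpd\[\d+\]: FTP LOGIN FAILED FROM ([^,\s]+), (\S+)$")


def count_ftp_failures(log_text):
    """Return {source_host: {"count": n, "users": {names tried}}} for failed FTP logins."""
    failures = defaultdict(lambda: {"count": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        host, user = m.group(1), m.group(2)
        failures[host]["count"] += 1
        failures[host]["users"].add(user)
    return dict(failures)


def offenders(log_text, threshold=3):
    """Hosts whose failed FTP logins reach the threshold (DenyHosts-style policy)."""
    return {h: d for h, d in count_ftp_failures(log_text).items() if d["count"] >= threshold}


def deny_lines(log_text, threshold=3):
    """hosts.allow entries for offending hosts (syntax is an assumption, see lead-in)."""
    return ["ALL : %s : deny" % host for host in sorted(offenders(log_text, threshold))]


if __name__ == "__main__":
    for host, d in sorted(count_ftp_failures(SAMPLE_LOG).items()):
        print("%-15s %d failures, users tried: %s" % (host, d["count"], ", ".join(sorted(d["users"]))))
    print("\n".join(deny_lines(SAMPLE_LOG)))
```

Point it at your real log instead of SAMPLE_LOG and adjust the threshold to match what you would tolerate from a legitimate user mistyping a password; the single failure from 198.51.100.7 after a successful login is the kind of event the threshold is there to ignore.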