Date: Fri, 26 Jan 2007 14:50:39 -0600
From: Kevin Kinsey <kdk@daleco.biz>
To: David Banning <david@skytracker.ca>
Cc: questions@freebsd.org
Subject: Re: thwarting repeated login attempts
Message-ID: <45BA699F.3000006@daleco.biz>
In-Reply-To: <20070126192012.GA30551@skytracker.ca>
References: <20070126182013.GA10551@skytracker.ca> <45BA516A.7070402@daleco.biz> <20070126192012.GA30551@skytracker.ca>
David Banning wrote:

>>> I have discovered a vulnerability that is new to me. Denyhosts
>>> does not seem to notice FTP login attempts, so the cracker can
>>> attempt to login via FTP, 1000's of times until he finds a
>>> login/password combination.
>>>
>> Pardon the stupid question, but I'm assuming it's necessary that you run
>> ftpd? We block ftpd at the firewall to any machines outside the LAN.
>> Anyone who needs FTP access uses a client that's capable of using sftp
>> instead, and logs in with their SSH credentials.
>
> Hmm - interesting - I just -may- be able to disable using ftpd.
>
> But I still pose the same question - what do ftp servers do on this?
> Maybe -not- have ssh login? -or- maybe not have ssh login using the
> same login/password?

I'm also interested; my version of the question is probably more like,
"is anyone in their right mind running ftpd over the WAN for anything
but an anonymous user"? [1]

Note that I'm _not_ trying to be critical. However, in the current
state of things [2], I don't see anything involving unencrypted
authentication as valid for WAN (Internet) operations.

Kevin Kinsey

[1] Granted, other strategies might work; firewalling and/or tcpwrappers
might work.

[2] An interesting read - "The Internet Sucks" -
http://www.macleans.ca/topstories/life/article.jsp?content=20061030_135406_135406

--
Computers will not be perfected until they can compute how much more
than the estimate the job will cost.
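The gap the thread describes (ftpd login failures that Denyhosts never sees) together with the tcpwrappers option from footnote [1], as an added example that is not part of the original thread: a POSIX shell script that counts failed ftpd logins per source host from syslog-style lines and emits hosts.allow(5) deny entries for hosts over a threshold. The log lines are constructed sample data whose shape follows FreeBSD ftpd's "FTP LOGIN FAILED FROM host, user" message; the threshold of 3 is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed ftpd syslog lines:
# four failures and one success from 192.0.2.10, one failure from 198.51.100.7.
FTP_LOG='Jan 26 14:01:02 host ftpd[1234]: FTP LOGIN FAILED FROM 192.0.2.10, root
Jan 26 14:01:05 host ftpd[1235]: FTP LOGIN FAILED FROM 192.0.2.10, admin
Jan 26 14:01:09 host ftpd[1236]: FTP LOGIN FAILED FROM 198.51.100.7, david
Jan 26 14:01:12 host ftpd[1237]: FTP LOGIN FAILED FROM 192.0.2.10, test
Jan 26 14:02:00 host ftpd[1238]: FTP LOGIN FROM 198.51.100.7 as david
Jan 26 14:03:30 host ftpd[1239]: FTP LOGIN FAILED FROM 192.0.2.10, guest'

# failed_ftp_logins: read log text on stdin, print "count host" per source
# host that produced at least one "FTP LOGIN FAILED FROM" line, highest first.
# Successful logins ("FTP LOGIN FROM ... as ...") are deliberately ignored.
failed_ftp_logins() {
    awk '/FTP LOGIN FAILED FROM/ {
            host = $(NF-1); sub(/,$/, "", host); n[host]++
         }
         END { for (h in n) print n[h], h }' | sort -rn
}

# hosts_over_threshold THRESHOLD: source hosts with at least THRESHOLD failures.
hosts_over_threshold() {
    failed_ftp_logins | awk -v t="$1" '$1 >= t { print $2 }'
}

# deny_rules THRESHOLD: hosts.allow(5) lines rejecting ftpd from those hosts,
# i.e. the tcpwrappers mitigation mentioned in the thread, fed from the log
# instead of from Denyhosts.
deny_rules() {
    hosts_over_threshold "$1" | sed 's/.*/ftpd : & : deny/'
}

# Stand-alone run: prints "ftpd : 192.0.2.10 : deny".
printf '%s\n' "$FTP_LOG" | deny_rules 3
```

In production the script would read /var/log/auth.log (or wherever ftpd's LOG_NOTICE messages land) rather than the embedded sample, and the generated lines would be appended to /etc/hosts.allow ahead of any allow-all entry.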