Re: [SLUG] Blacklisting bad guys.

From: Chuck Hast (wchast@gmail.com)
Date: Fri Feb 02 2007 - 13:41:02 EST


On 2/2/07, Todd Patton <sail@acpdata.com> wrote:
> I run a vsftp server for several users and clients of my work and I keep
> getting hits for account "administrator" password <guess>. These usually
> happen all night long from Asia Pacific networks, until I get to work in
> the morning and add the ip-address to the firewall black list. This just
> annoys the hell out of me. Is there a way to automatically add an ip
> address to the host.deny file when someone tries to log into ftp using
> "administrator" as a user name? Any suggestions on automatically
> blacklisting these obvious scripts?
> --

I had the same sort of thing with ssh, one machine was getting so many
attempts that it would fill the auth.log up in just a matter of hours. I even
talked to the FBI about it (they took a lot of interest, asked for
logs and other
info and then after they had what they needed they told me to change the
port on the ssh server) After changing the port I have had no more problems
with that sort of thing. If your users are a small number of people you might
think about using a different port if you ftp server will allow you to change
the port it listens on.

-- 
Chuck Hast  -- KP4DJT --
To paraphrase my flight instructor;
"the only dumb question is the one you DID NOT ask resulting in my going
out and having to identify your bits and pieces in the midst of torn
and twisted metal."
-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS).  Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:11:15 EDT