Weblog entry #1 for chr0nik
Why is a bot net attacking my lame site?
Posted by chr0nik on Fri 14 Apr 2006 at 04:32
I wrote an article about blockhosts. I thought that was the end of this. Apparently I didn't think or test well enough or both.
I know, I can solve this with denyhosts, iptables and other methods but I'd really like to fix the problem with the tools I have rather than moving on (again) because I can't make it work. I do that enough as it is with every other problem I run into... or I just give up. I'm a wannabe Linux admin at heart, but still little more than an eager, happy fool.
Some pest has been attacking me for months now trying to log in to vsftpd as Administrator. His IP always changes and it's always spoofed; I know this because I've done the minimal research required to associate phone numbers with IPs and called folks before. Now multiple machines attack me similarly yet enough to cause denial of service, all spoofed.
How does one make vsftpd very secure? When run through inetd, the same process stays running throughout the entire attack and only hits hosts.allow on the initial login attempt. When run standalone, it hangs after accepting a password, as if its tcp wrappers implementation has an issue with what I'm asking it to do.
Today, during a matter of hours, I thought maybe my Internet connection at home was down because the homestead was inaccessible from my office. Ha. ~10,000 failed login attempts from 3 machines during that time period. Neat.
I'll figure it out GD it.
Comments on this Entry
Posted by Anonymous (60.248.xx.xx) on Fri 14 Apr 2006 at 05:17
Maybe implementing a port-knocking scheme would be a solution? If your legitimate FTP users can swallow that...
Posted by Anonymous (213.164.xx.xx) on Fri 14 Apr 2006 at 10:26
Disable FTP access using iptables, but allow it from trusted IPs.
fail2ban does vsftp as well -- or aren't they attempted logins?
It was discussed under ssh password guessing here before.
The Sid package works on Sarge for fail2ban ;)