Hi folks,

I run the bftp server, and since sometimes bad boys try to break in scanning usernames/passwords I also run the denyhosts daemon. It puts a suspicious IP address into /etc/hosts.deny after 5 attempts to log in using a non-existent username and so on.

Today I've noticed that every few seconds somebody tries to log in:

    # tail /var/log/bftpd.log
    .....
    Sun Oct 12 16:58:21 2008 /usr/sbin/bftpd[24254]: Incoming connection from 200.175.254.59.
    Sun Oct 12 16:58:21 2008 /usr/sbin/bftpd[24254]: Login as user 'Administrator' failed.
    Sun Oct 12 16:58:21 2008 /usr/sbin/bftpd[24254]: Quitting.
    Sun Oct 12 16:58:21 2008 /usr/sbin/bftpd[24260]: Incoming connection from 200.175.254.59.
    Sun Oct 12 16:58:22 2008 /usr/sbin/bftpd[24260]: Login as user 'Administrator' failed.
    Sun Oct 12 16:58:22 2008 /usr/sbin/bftpd[24260]: Quitting.

But the IP address was already blacklisted 4 days ago:

    # grep 200.175.254.59 /etc/hosts.deny
    # DenyHosts: Wed Oct 8 13:01:55 2008 | ALL: 200.175.254.59
    ALL: 200.175.254.59

How can it happen?

Thanks for ideas.

Sergey.
Maybe bftp doesn't use the hosts.allow and deny files? There's a setting called tcp_wrappers for vsftpd. I guess there might be a setting for bftp too.

Alper KANAT <tunix@raptiye.org>

Sergey Manucharian wrote:
> On Sun, 12 Oct 2008 20:58:12 -0400 "Daenyth Blank" <daenyth+arch@gmail.com> wrote:
> > > How can it happen?
> > Anything in /etc/hosts.allow?
> No, it's empty. Besides that, I think, hosts.deny is of higher priority, isn't it?
>
> Sergey
Is there any reason you are using bftp, instead of for example sftp?

-J

On Mon, Oct 13, 2008 at 1:01 PM, Alper KANAT <tunix@raptiye.org> wrote:
> Maybe bftp doesn't use the hosts.allow and deny files? There's a setting called tcp_wrappers for vsftpd. I guess there might be a setting for bftp too.
>
> Alper KANAT <tunix@raptiye.org>
>
> Sergey Manucharian wrote:
> > On Sun, 12 Oct 2008 20:58:12 -0400 "Daenyth Blank" <daenyth+arch@gmail.com> wrote:
> > > > How can it happen?
> > > Anything in /etc/hosts.allow?
> > No, it's empty. Besides that, I think, hosts.deny is of higher priority, isn't it?
> >
> > Sergey
On Mon, 13 Oct 2008 17:04:54 +0000 "Jon Kristian Nilsen" <jokr.nilsen@gmail.com> wrote:
> Is there any reason you are using bftp, instead of for example sftp?

Actually there are no specific reasons, it was installed 2 years ago, and now services a whole bunch of users with a complex chroot directory structure. Maybe I'll replace bftp with something else anyway. The only strange thing for me is that I believed that the hosts.deny/allow files are system-wide and I can rely on them, but it's not so.

Sergey
On Mon, Oct 13, 2008 at 16:05, Sergey Manucharian <sergeym@rmico.com> wrote:
> On Mon, 13 Oct 2008 17:04:54 +0000 "Jon Kristian Nilsen" <jokr.nilsen@gmail.com> wrote:
> > Is there any reason you are using bftp, instead of for example sftp?
> Actually there are no specific reasons, it was installed 2 years ago, and now services a whole bunch of users with a complex chroot directory structure. Maybe I'll replace bftp with something else anyway. The only strange thing for me is that I believed that the hosts.deny/allow files are system-wide and I can rely on them, but it's not so.
>
> Sergey

I had always thought that they were also, but maybe not... Anyway, I found this the other day, it might be helpful to you. http://www.itwire.com/content/view/13841/53/1/0/
Sergey Manucharian wrote:
> On Mon, 13 Oct 2008 17:04:54 +0000 "Jon Kristian Nilsen" <jokr.nilsen@gmail.com> wrote:
> > Is there any reason you are using bftp, instead of for example sftp?
> Actually there are no specific reasons, it was installed 2 years ago, and now services a whole bunch of users with a complex chroot directory structure. Maybe I'll replace bftp with something else anyway. The only strange thing for me is that I believed that the hosts.deny/allow files are system-wide and I can rely on them, but it's not so.
>
> Sergey

hosts.allow & hosts.deny are only effective on programs that implement tcp_wrappers.

Glenn
IMO, the whole tcp_wrappers thingy is getting kinda silly. People call it a 'cleaner way of controlling/limiting connections'. I strongly disagree, in the sense that you actually have to implement it in the daemon you're using it against, in most cases breaking good socketing practice and protocol rules. (The socket is opened - and then closed immediately?)

I know I'm going off topic, but I'm just wondering - Is there ANYTHING at all tcp_wrappers can do - that a well tuned firewall can't?

bjorn

-----Original Message-----
From: arch-general-bounces@archlinux.org [mailto:arch-general-bounces@archlinux.org] On Behalf Of RedShift
Sent: 14. oktober 2008 20:03
To: General Discusson about Arch Linux
Subject: Re: [arch-general] bftp & denyhosts

Sergey Manucharian wrote:
> On Mon, 13 Oct 2008 17:04:54 +0000 "Jon Kristian Nilsen" <jokr.nilsen@gmail.com> wrote:
> > Is there any reason you are using bftp, instead of for example sftp?
> Actually there are no specific reasons, it was installed 2 years ago, and now services a whole bunch of users with a complex chroot directory structure. Maybe I'll replace bftp with something else anyway. The only strange thing for me is that I believed that the hosts.deny/allow files are system-wide and I can rely on them, but it's not so.
>
> Sergey

hosts.allow & hosts.deny are only effective on programs that implement tcp_wrappers.

Glenn
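
The point made in this thread (hosts.deny only affects programs that implement tcp_wrappers, so the DenyHosts entry does nothing for bftpd), as an added example that is not part of any message above: a shell sketch that checks whether a daemon links libwrap and turns the IPv4 entries from hosts.deny into iptables DROP rules, printed rather than applied. The function names, port 21 and the sample file (the two hosts.deny lines from the first post plus made-up entries) are assumptions.

```shell
# Added example (not from the thread): hosts.deny entries -> packet-filter rules.
# True if the binary is dynamically linked against libwrap (tcp_wrappers).
# Services started through tcpd are wrapped too but will not show up here.
uses_libwrap() {
    ldd "$1" 2>/dev/null | grep -q 'libwrap\.so'
}

# Print unique IPv4 clients from "daemon_list : client_list" rules that name
# ALL or the daemon in $2. Comments, hostnames and IPv6 entries are skipped.
denied_ipv4() {
    awk -v d="$2" '
        /^[ \t]*#/ || !/:/ { next }
        {
            split($0, part, ":")
            hit = 0; n = split(part[1], dl, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (dl[i] == "ALL" || (d != "" && dl[i] == d)) hit = 1
            if (!hit) next
            m = split(part[2], cl, /[ \t,]+/)
            for (i = 1; i <= m; i++)
                if (cl[i] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !seen[cl[i]]++)
                    print cl[i]
        }' "$1"
}

# Print (do not run) one iptables DROP rule per denied address for TCP port $3.
block_rules() {
    denied_ipv4 "$1" "$2" | while read -r ip; do
        printf 'iptables -I INPUT -p tcp -s %s --dport %s -j DROP\n' "$ip" "$3"
    done
}

# Constructed sample: the two hosts.deny lines from the first post plus
# made-up entries using documentation addresses.
write_sample() {
    cat > "$1" <<'EOF'
# DenyHosts: Wed Oct 8 13:01:55 2008 | ALL: 200.175.254.59
ALL: 200.175.254.59
sshd: 192.0.2.7
ALL: 198.51.100.9, 200.175.254.59
EOF
}

f=$(mktemp) && write_sample "$f"
if [ -x /usr/sbin/bftpd ] && ! uses_libwrap /usr/sbin/bftpd; then
    echo "bftpd is not linked against libwrap: hosts.deny is ignored"
fi
block_rules "$f" bftpd 21; rm -f "$f"
```

The sshd-only entry is left out when the daemon name is bftpd, and the address listed twice yields a single rule.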
participants (6)
- Alper KANAT
- Bjørn Hamra
- Daenyth Blank
- Jon Kristian Nilsen
- RedShift
- Sergey Manucharian