Date: Fri, 26 Jan 2007 16:54:59 -0500
From: Peter Matulis <pmatulis@sympatico.ca>
To: freebsd-questions@freebsd.org
Cc: questions@freebsd.org, David Banning <david@skytracker.ca>
Subject: Re: thwarting repeated login attempts
Message-ID: <200701261654.59814.pmatulis@sympatico.ca>
In-Reply-To: <45BA699F.3000006@daleco.biz>
References: <20070126182013.GA10551@skytracker.ca> <20070126192012.GA30551@skytracker.ca> <45BA699F.3000006@daleco.biz>

On Friday 26 January 2007 15:50, Kevin Kinsey wrote:
> David Banning wrote:
> >>> I have discovered a vulnerability, that is new to me. Denyhosts
> >>> does not seem to notice FTP login attempts, so the cracker can
> >>> attempt to login via FTP, 1000's of times until he finds a
> >>> login/password combination.
> >>
> >> Pardon the stupid question, but I'm assuming it's necessary that
> >> you run ftpd? We block ftpd at the firewall to any machines
> >> outside the LAN. Anyone who needs FTP access uses a client that's
> >> capable of using sftp instead, and logs in with their SSH
> >> credentials.
> >
> > Hmm - interesting - I just -may- be able to disable using ftpd.
> >
> > But I still pose the same question - what do ftp servers do on
> > this? Maybe -not- have ssh login? -or- maybe not have ssh login
> > using the same login/password?
>
> I'm also interested; my version of the question is probably more
> like, "is anyone in their right mind running ftpd over the WAN for
> anything but an anonymous user"? [1]

You can run OpenBSD's pf in combination with authpf. This mechanism
will alter firewall rules based on successful SSH logins.
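
A minimal pf/authpf configuration for the approach suggested in the reply above, added here as an example and not part of the original message: FTP stays blocked from outside until the client holds an authenticated SSH session. The interface name `em0`, the passive port range and the `anchor "authpf/*"` syntax of current pf releases are assumptions.

```conf
# ---- /etc/pf.conf (constructed example) ----------------------------
ext_if = "em0"                  # assumption: external interface name

# authpf adds the client address to this table for the life of the
# SSH session; useful for "pfctl -t authpf_users -T show".
table <authpf_users> persist

set skip on lo0

# Default: nothing gets in from outside, so repeated FTP login
# attempts from unauthenticated hosts never reach ftpd.
block in log on $ext_if all
pass out on $ext_if all

# SSH stays reachable for everyone: it is the authentication step
# (and the service Denyhosts already watches).
pass in on $ext_if proto tcp to ($ext_if) port 22

# authpf loads each user's rules under this anchor at login and
# removes them when the SSH session ends.
anchor "authpf/*"

# ---- /etc/authpf/authpf.conf ----------------------------------------
# Must exist or authpf refuses to run; an empty file is enough.

# ---- /etc/authpf/authpf.rules (constructed example) -----------------
# Macros from pf.conf are not visible here, so define them again.
# $user_ip is supplied by authpf: the address the SSH login came from.
ext_if = "em0"

# FTP control channel, only from the authenticated address.
pass in quick on $ext_if proto tcp from $user_ip to ($ext_if) port 21

# Passive-mode data connections. Assumption: ftpd hands out ports in
# 49152-65535; change this to the range your server actually uses.
pass in quick on $ext_if proto tcp from $user_ip to ($ext_if) \
    port 49152:65535
```

Accounts that should open the gate need `/usr/sbin/authpf` as their login shell; the rules stay loaded only while that SSH session is connected.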