MikeM wrote:
> I moved my ftp services to a different port than 21. Now I
> get no ftp scans at all.
>
> If you have a relatively closed community of users, this is a
> good solution.

...and here's an exercise for interested (and careful) parties:

Using an SSL-enabled webserver, write a bunch of PHP (or whatever scripting language you are most comfortable with) pages which do the following:

(a) prompt for a login name and password. When validated, continue to (b)
(b) make a note of which IP address the caller is coming from.
(c) open a hole in an IPChains ruleset to allow FTP connection through from that IP address for a period.
(d) after a timeout period, or when the end-user hits 'close' on the page, close the hole in the ruleset.

I've used similar systems before myself. Whilst cumbersome, it makes FTP (or other services, see below) very difficult for people to exploit or connect to. And because it's managed over an SSL connection, it's never cached (or shouldn't be), so it gets restricted to you personally.

Obviously if you are sharing a single IP address via a NAT or masqueraded network, it can mean that, for the period of the opening, the FTP server is visible to all the other people behind the same IP address, but it will cut down on scans.

It can also be extended to any number of other services - the admin server or MySQL, for example.

Note: I'm not offering to set this up for anyone!

Also note: be careful not to chop your own legs off if you do start playing with IPChains. A cron entry every fifteen minutes to flush the chains is always a good bet whilst developing.

Graeme

--
Graeme Fowler
System Administrator
Host Europe Group PLC

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
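Steps (b) to (d) of the scheme above, as an added example that is not part of the original post: a small Python module a login page could call after the password check, with a hypothetical `HoleManager` that builds the ipchains commands, keeps one lease per validated caller IP, and closes holes on timeout, on 'close', or all at once as the cron safety net. It assumes ipchains is on the PATH and is run with `run=` injectable so it can be exercised without touching a live ruleset.

```python
import ipaddress
import subprocess
import time

FTP_PORT = 21
LEASE_SECONDS = 15 * 60  # assumed default; matches the 15-minute cron idea


def ipchains_rule(action, ip, port=FTP_PORT):
    """Build the ipchains argv that inserts (-I) or deletes (-D) an ACCEPT
    rule on the input chain for TCP from one host to `port`."""
    return ["ipchains", action, "input", "-p", "tcp",
            "-s", f"{ip}/32", "-d", "0.0.0.0/0", str(port), "-j", "ACCEPT"]


class HoleManager:
    """One lease per IP: a re-login extends the lease instead of stacking
    duplicate rules, and every inserted rule is removed exactly once."""

    def __init__(self, run=None, clock=time.time):
        # run() executes an argv list without a shell; clock() is injectable
        self.run = run or (lambda cmd: subprocess.run(cmd, check=True))
        self.clock = clock
        self.leases = {}  # str(ip) -> unix time when the hole closes

    def open_hole(self, remote_addr, duration=LEASE_SECONDS):
        # Validate REMOTE_ADDR before it gets anywhere near a command line
        ip = ipaddress.ip_address(remote_addr)
        if ip.version != 4:
            raise ValueError("ipchains only filters IPv4")
        if str(ip) not in self.leases:
            self.run(ipchains_rule("-I", ip))
        self.leases[str(ip)] = self.clock() + duration
        return self.leases[str(ip)]

    def close_hole(self, remote_addr):
        """The 'close' button: delete the rule and forget the lease."""
        ip = str(ipaddress.ip_address(remote_addr))
        if self.leases.pop(ip, None) is not None:
            self.run(ipchains_rule("-D", ip))
            return True
        return False

    def expire(self):
        """Timer/cron hook: close every lease whose time has run out."""
        now = self.clock()
        closed = [ip for ip, until in self.leases.items() if until <= now]
        for ip in closed:
            self.close_hole(ip)
        return closed

    def flush_all(self):
        """Safety net: close everything, whatever the expiry times say."""
        return [ip for ip in list(self.leases) if self.close_hole(ip)]
```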
