David Banning wrote:
I have discovered a vulnerability, that is new to me. Denyhosts
does not seem to notice FTP login attempts, so the cracker can
attempt to login via FTP, 1000's of times until he finds a
login/password combination.

Pardon the stupid question, but I'm assuming it's necessary that you run ftpd? We block ftpd at the firewall to any machines outside the LAN. Anyone who needs FTP access uses a client that's capable of using sftp instead, and logs in with their SSH credentials.

Hmm - interesting - I just -may- be able to disable using ftpd.

But I still pose the same question - what do ftp servers do on this?
Maybe -not- have ssh login? -or- maybe not have ssh login using the
same login/password?

I'm also interested; my version of the question is probably more like,
"is anyone in their right mind running ftpd over the WAN for anything but an anonymous user"? [1]

Note that I'm _not_ trying to be critical. However, in the current state of things [2], I don't see anything involving unencrypted authentication as valid for WAN(Internet) operations.

Kevin Kinsey

[1] Granted, other strategies might work; firewalling and/or tcpwrappers might work.

[2] An interesting read - "The Internet Sucks" - http://www.macleans.ca/topstories/life/article.jsp?content=20061030_135406_135406
Computers will not be perfected until they can compute how much more
than the estimate the job will cost.
freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to