On Thursday 16 November 2006 20:29, Michael Sullivan wrote:
> Can anyone tell me why I have about a hundred of these
>
> Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
>
> when that IP address is in /etc/ipkungfu/deny_hosts.conf? Here are my
> rules; I don't understand them:
[snip]
> 1 55 DROP all -- eth0 any 222.135.146.45
> anywhere

Some script kiddie is trying a brute force attack on your ftp port, trying random combinations of user name and password every three seconds.

'dig 45.146.135.222.in-addr.arpa PTR' tells me that the address belongs to some machine on the network sdjnptt.net.cn, and that turns out to be what looks like some Chinese ISP. So, a Chinese person is trying to exploit your machine. Hey, it happens. And it will happen for about the rest of your life.

The solution is to drop them at the firewall, and the above rule is doing exactly that. This specific attack from this specific person at that specific address is no longer something you need to worry about :-)

alan
-- 
gentoo-user@gentoo.org mailing list
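The reply identifies the pattern by eye: the same rhost, the same service, a failure every three seconds. The script below is an added example, not code from the thread or from ipkungfu, that does the same triage over the log mechanically: it parses pam_unix "authentication failure" lines, groups them by remote host and service, flags bursts inside a sliding window, and lists which hosts still produced failures after a given moment, which is the check you want when a DROP rule is supposedly in place but failures keep appearing (the log lines may simply predate the rule, or the rule may sit behind an earlier ACCEPT). Assumptions: classic syslog timestamps without a year (the caller supplies one), the thresholds are arbitrary starting points, and the sample log is constructed, reusing the four ftp lines quoted in the thread plus two made-up lines (an sshd failure from 192.0.2.7 and a non-failure "session opened" line) for contrast.

```python
"""Count pam_unix authentication failures per remote host and flag bursts.

Added example, not code from the original thread. Assumes syslog lines in the
'Mon DD HH:MM:SS host svc(pam_unix)[pid]: ...' layout with no year in the
timestamp; the threshold and window below are arbitrary starting points.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the four ftp lines reproduce the ones quoted in the
# thread; the sshd line and the 'session opened' line are made up for contrast.
SAMPLE_LOG = """\
Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:05:40 bullet sshd(pam_unix)[2101]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.7 user=root
Nov 16 08:07:01 bullet ftp(pam_unix)[2110]: session opened for user michael by (uid=0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<service>\w+)\(pam_unix\)\[(?P<pid>\d+)\]: "
    r"authentication failure;(?P<fields>.*)$"
)
# pam_unix writes 'key=value' pairs; empty values (logname=, tty=) are legal.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_pam_failures(text, year=2006):
    """Return one dict per 'authentication failure' line, with a real datetime."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pam_unix failure (e.g. 'session opened')
        fields = dict(FIELD_RE.findall(m.group("fields")))
        when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append({
            "time": when,
            "host": m.group("host"),
            "service": m.group("service"),
            "pid": int(m.group("pid")),
            "rhost": fields.get("rhost", ""),
            "user": fields.get("user", ""),  # ftp lines in the thread carry none
        })
    return events


def find_bruteforce(events, threshold=4, window_s=60):
    """Flag (rhost, service) pairs with >= threshold failures inside window_s.

    Two-pointer sliding window over the sorted timestamps; reports the densest
    window found for each pair.
    """
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["rhost"], ev["service"])].append(ev["time"])
    hits = []
    for (rhost, service), times in by_key.items():
        times.sort()
        best = None
        j = 0
        for i in range(len(times)):
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_s:
                j += 1
            count = j - i
            if count >= threshold and (best is None or count > best[0]):
                best = (count, times[i], times[j - 1])
        if best:
            hits.append({"rhost": rhost, "service": service, "count": best[0],
                         "first": best[1], "last": best[2]})
    return sorted(hits, key=lambda h: h["count"], reverse=True)


def failures_since(events, since):
    """Remote hosts that still produced failures after 'since'.

    If a firewall DROP for an address went in at 'since' and the address is
    still listed here, the rule is not doing what you think (wrong order,
    wrong interface, or the log lines predate it).
    """
    return sorted({ev["rhost"] for ev in events if ev["time"] > since})


if __name__ == "__main__":
    evs = parse_pam_failures(SAMPLE_LOG)
    for h in find_bruteforce(evs):
        print(f"{h['rhost']} -> {h['service']}: {h['count']} failures "
              f"between {h['first']:%H:%M:%S} and {h['last']:%H:%M:%S}")
    print("still failing after the first event:",
          failures_since(evs, evs[0]["time"]))
```

Run it against /var/log/messages (or whatever syslog writes PAM messages to) by reading the file into `parse_pam_failures` instead of `SAMPLE_LOG`; pass the time the firewall rule was loaded to `failures_since` to confirm the address went quiet afterwards.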