On Sat, 28 Jun 2003 13:14:43 -0400 (EDT), Gerry Doris wrote > On Sat, 28 Jun 2003, Mike Vanecek wrote: > > > On Sat, 28 Jun 2003 14:53:41 +0200, Michael Schwendt wrote > > > > > On Sat, 28 Jun 2003 07:35:56 -0500, Mike Vanecek wrote: > > > > > > > I get the the below entries in my log on a periodic basis. > > > > > > > > As you can see, the client ip never seems to be the same. The uid is always > > > > anon. The password is always [EMAIL PROTECTED] Nothing is transfered. > > > > > > > > Anyone know what is going on with this? > > > > > > > > Other than turning off anon ftp, how could one setup a rule to drop these > > packets? > > > > > > > > Thanks. > > > > > > > > Tue Jun 3 20:54:10 2003 [pid 2876] [ftp] OK LOGIN: Client "80.116.190.28", > > > > anon password "[EMAIL PROTECTED]" > > > > Wed Jun 4 01:52:24 2003 [pid 3046] [ftp] OK LOGIN: Client "80.8.55.232", anon > > > > password "[EMAIL PROTECTED]" > > > > > > Have you tried searching Google for "[EMAIL PROTECTED]"? > > > It gives several results pointing to a tool called Grim's Ping > > > (http://grimsping.cjb.net/). > > > > Not for that pattern, but thank you for pointing it out. Very useful search. > > > > The prevention seems to be either a large set of entries in the hosts.deny > > file or putting [EMAIL PROTECTED] in the /etc/vsftpd.ftpusers file. I am > > trying the later since it would seem the hosts.deny file is not likely to > > catch them all, especially if proxies are being used. > > > > Weird world we live in. > > > > Thank you again. > > If you have a firewall then just block anything from home.com. If > you don't have a firewall then check out the Monmotha script. > > Is home.com still a valid host name? Didn't home.com go bankrupt a couple > of years ago? A host lookup on home.com failed.
Won't work since the password contains home.com rather than the ip address. I am blocking it by vsftpd's option to block sites by password. -- redhat-list mailing list unsubscribe mailto:[EMAIL PROTECTED] https://www.redhat.com/mailman/listinfo/redhat-list
