Re: [gentoo-user] OT - ipkungfu perhaps not doing its job

2006-11-16 Thread Michael Sullivan
On Thu, 2006-11-16 at 21:09 +0200, Alan McKinnon wrote:
> On Thursday 16 November 2006 20:29, Michael Sullivan wrote:
> > Can anyone tell me why I have about a hundred of these
> >
> > Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure;
> > logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> > Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure;
> > logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> > Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure;
> > logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> > Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure;
> > logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> >
> > when that IP address is in /etc/ipkungfu/deny_hosts.conf?  Here's my
> > rules; I don't understand them:
> 
> [snip]
> 
> >     1    55 DROP       all  --  eth0   any     222.135.146.45
> > anywhere
> 
> Some script kiddie is trying a brute force attack on your ftp port trying 
> random combinations of user name and password every three seconds.
> 
> 'dig 45.146.135.222.in-addr.arpa PTR' tells me that the address belongs 
> to some machine on network sdjnptt.net.cn and that turns out to be 
> what looks like some Chinese ISP.
> 
> So, a Chinese person is trying to exploit your machine. Hey, it happens. 
> And will happen for about the rest of your life. The solution is to 
> drop them at the firewall, and the above rule is doing exactly that.
> 
> This specific attack from this specific person at that specific address 
> is no longer something you need to worry about :-)
> 
> 
> alan
> 

So why do I get the hourly log reports (from logcheck) saying that this
IP is trying to access my FTP?  How does vsftpd know about this if
they're being dropped at the firewall?

-- 
gentoo-user@gentoo.org mailing list
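A small checker for the discrepancy raised in this message, added here as an example and not code from the thread: it parses the pam_unix authentication-failure lines (joined back onto single lines, as syslog writes them), reads a deny list in an assumed one-address-per-line format like deny_hosts.conf, and reports denied hosts that still reach the service, which is the sign that the DROP rule is not matching their traffic. The sample log lines and the deny list are constructed from the values quoted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the thread's pam_unix lines (unwrapped), plus one
# failure from an address that is NOT in the deny list.
SAMPLE_LOG = """\
Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:05:00 bullet ftp(pam_unix)[2101]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
"""

# Constructed deny list; one address per line is an ASSUMED layout for
# /etc/ipkungfu/deny_hosts.conf, comments and blank lines are skipped.
DENY_HOSTS = """\
# hosts ipkungfu should drop
222.135.146.45
"""

PAM_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \w+\(pam_unix\)\[\d+\]: "
    r"authentication failure;.*\brhost=(?P<rhost>\S+)"
)

def parse_failures(log_text, year=2006):
    """Map rhost -> list of failure timestamps (syslog lines carry no year)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = PAM_FAIL.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[m["rhost"]].append(ts)
    return hits

def load_deny_list(text):
    """Addresses from a deny_hosts.conf-style file (assumed format)."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}

def leaking_hosts(log_text, deny_text):
    """Denied hosts that still produce PAM failures, i.e. the DROP rule is
    not matching them (rule below an ESTABLISHED accept, session older than
    the rule, or wrong interface). Returns {rhost: (count, median_gap_s)}."""
    denied = load_deny_list(deny_text)
    report = {}
    for host, times in parse_failures(log_text).items():
        if host not in denied:
            continue
        times.sort()
        gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
        report[host] = (len(times), gaps[len(gaps) // 2] if gaps else None)
    return report
```

A host reported here with a steady three-second gap, as in the thread, is denied on paper only; compare the failure count with the rule's packet counter (the leading `1 55` columns of the quoted iptables output) to see how little the rule is actually dropping.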
Re: [gentoo-user] OT - ipkungfu perhaps not doing its job

2006-11-16 Thread Alan McKinnon
On Thursday 16 November 2006 20:29, Michael Sullivan wrote:
> Can anyone tell me why I have about a hundred of these
>
> Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
>
> when that IP address is in /etc/ipkungfu/deny_hosts.conf?  Here's my
> rules; I don't understand them:

[snip]

>     1    55 DROP       all  --  eth0   any     222.135.146.45
> anywhere

Some script kiddie is trying a brute force attack on your ftp port trying 
random combinations of user name and password every three seconds.

'dig 45.146.135.222.in-addr.arpa PTR' tells me that the address belongs 
to some machine on network sdjnptt.net.cn and that turns out to be 
what looks like some Chinese ISP.

So, a Chinese person is trying to exploit your machine. Hey, it happens. 
And will happen for about the rest of your life. The solution is to 
drop them at the firewall, and the above rule is doing exactly that.

This specific attack from this specific person at that specific address 
is no longer something you need to worry about :-)


alan