[COLUG] FTP attacks
Pat Collins
pat at linuxcolumbus.com
Fri Jul 7 23:59:30 EDT 2006
On Fri, 07 Jul 2006 21:40:22 -0400, Steve Roggenkamp <roggenkamps at acm.org> wrote:
> It looks like someone(s) is attempting to hack FTP servers from multiple
> IP addresses.
>
> The modus operandi is to make a connection to the FTP server then
> attempt to log in using a variety of user names and passwords. Normally
> they attempt 2283 passwords, then they may close the connection. At
> times they may attempt multiple user names using the same connection,
> keeping it open for long periods.
>
> I have missed this since the daily log summary only shows a few
> connections. I found it when diagnosing a problem for a user.
>
> The attackers are persistent; one IP address has almost two million
> attempts. When I do an nslookup on the IP, almost all come back with
> NXDOMAIN. Not surprising.
>
> It looks like these have been going on since late April, but it does not
> appear that any attempts have been successful. I'm still analyzing the
> logs.
>
Do you really need FTP open to the world? Limit access to it and you can
sleep at night.
Pat
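
Added example, not part of either poster's message: a log summary that counts failed logins per source address instead of connections, so the activity Steve describes stays visible even when a single connection carries thousands of attempts. The vsftpd-style log format, the constructed sample lines (documentation-range addresses) and the threshold are assumptions; the thread does not say which FTP server is in use.

```python
import re
from collections import defaultdict

# Assumed vsftpd-style log lines; the thread does not name the FTP server.
LINE_RE = re.compile(
    r'\[pid \d+\] (?:\[(?P<user>[^\]]*)\] )?'
    r'(?P<event>CONNECT|OK LOGIN|FAIL LOGIN): Client "(?P<ip>[^"]+)"'
)

def build_sample():
    """Constructed sample: one long-lived connection, many guesses, plus a normal user."""
    ts = "Fri Jul  7 21:40:{:02d} 2006 [pid {}] "
    lines = [ts.format(20, 3020) + 'CONNECT: Client "192.0.2.10"']
    guesses = ["admin", "root", "test", "admin", "root", "test", "guest", "ftp"]
    for i, user in enumerate(guesses):
        lines.append(ts.format(21 + i, 3020) + f'[{user}] FAIL LOGIN: Client "192.0.2.10"')
    lines.append(ts.format(40, 3055) + 'CONNECT: Client "198.51.100.7"')
    lines.append(ts.format(42, 3055) + '[alice] FAIL LOGIN: Client "198.51.100.7"')
    lines.append(ts.format(50, 3055) + '[alice] OK LOGIN: Client "198.51.100.7"')
    return "\n".join(lines)

def summarize(log_text):
    """Per source IP: connection count, failed and successful logins, user names tried."""
    stats = defaultdict(lambda: {"connections": 0, "failed": 0, "ok": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore transfers and anything else that is not a login event
        s = stats[m["ip"]]
        if m["event"] == "CONNECT":
            s["connections"] += 1
        elif m["event"] == "FAIL LOGIN":
            s["failed"] += 1
            s["users"].add(m["user"])
        else:
            s["ok"] += 1
    return dict(stats)

def suspects(stats, max_failed=5):
    """IPs over the failed-login threshold, however few connections they made."""
    return sorted(ip for ip, s in stats.items() if s["failed"] > max_failed)

if __name__ == "__main__":
    stats = summarize(build_sample())
    for ip, s in stats.items():
        print(ip, s["connections"], "conn,", s["failed"], "failed,", len(s["users"]), "users")
    print("suspects:", suspects(stats))
```

A summary keyed on connections would show one connection for each address here; keyed on failed logins, only the guessing source crosses the threshold.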