I regularly go through the logs on our servers.
The other day something new came up. At least for us. It must be quite common though.
Essentially a trio of IP addresses have been trying to guess ftp usernames and passwords for hosting accounts.
This is more interesting than usual because they are specifically targeting domains on our servers, using usernames they think might be correct, based on the domain name (Hah! Wrong!).
Anyway, check your logs people! You never know what you might find.
Also I seem to remember that this type of thing is something that ASL will eventually detect and block in some future release - I'll look forward to that.
Faris.
ftp password guessing -one more reason to read your logs!
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
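As an added example (not part of the original post, and not ASL's or ProFTPD's own code), one way to spot the pattern described above is to scan failed FTP logins for usernames derived from domains hosted on the server. The log line layout, the `HOSTED_DOMAINS` list and all sample lines below are constructed assumptions in the style of ProFTPD failure messages.

```python
import re
from collections import defaultdict

# Hypothetical list of domains hosted on this server.
HOSTED_DOMAINS = ["example.com", "widgets-shop.example"]

# Constructed sample lines (documentation IP ranges), ProFTPD-style wording assumed.
SAMPLE_LOG = """\
Mar  3 02:11:07 web1 proftpd[4101]: web1 (203.0.113.7[203.0.113.7]) - USER example: no such user found from 203.0.113.7 [203.0.113.7] to 192.0.2.10:21
Mar  3 02:11:09 web1 proftpd[4102]: web1 (203.0.113.7[203.0.113.7]) - USER widgetsshop: no such user found from 203.0.113.7 [203.0.113.7] to 192.0.2.10:21
Mar  3 02:14:40 web1 proftpd[4110]: web1 (198.51.100.23[198.51.100.23]) - USER widgets-shop (Login failed): Incorrect password.
Mar  3 02:14:44 web1 proftpd[4111]: web1 (198.51.100.23[198.51.100.23]) - USER examplecom: no such user found from 198.51.100.23 [198.51.100.23] to 192.0.2.10:21
Mar  3 09:30:12 web1 proftpd[5002]: web1 (192.0.2.55[192.0.2.55]) - USER alice (Login failed): Incorrect password.
"""

# Captures the client IP from "(host[ip])" and the username from either failure message.
FAIL_RE = re.compile(
    r"\(\S+\[(?P<ip>[^\]]+)\]\) - USER (?P<user>\S+?)"
    r"(?:: no such user found| \(Login failed\):)"
)

def domain_guesses(domain):
    """Usernames someone might derive from a hosted domain name."""
    name = domain.lower()
    first = name.split(".")[0]
    return {name, first, first.replace("-", ""), name.replace(".", ""),
            re.sub(r"[^a-z0-9]", "", name)}

def find_domain_guessers(log_text, domains, threshold=2):
    """Map source IP -> sorted domain-derived usernames it failed to log in with."""
    guesses = set().union(*(domain_guesses(d) for d in domains))
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m and m.group("user").lower() in guesses:
            hits[m.group("ip")].add(m.group("user").lower())
    # Only report IPs that tried several distinct domain-derived names.
    return {ip: sorted(users) for ip, users in hits.items()
            if len(users) >= threshold}

if __name__ == "__main__":
    for ip, users in find_domain_guessers(SAMPLE_LOG, HOSTED_DOMAINS).items():
        print(ip, "tried domain-derived usernames:", ", ".join(users))
```

A single mistyped password from a real user (the `alice` line) is not reported, because the username is not derived from any hosted domain.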
- Atomicorp Staff - Site Admin
Re: ftp password guessing -one more reason to read your logs!
Somewhat related here, the last psa-proftpd update adds in RBL support. Any chance your attackers were listed on any?
Re: ftp password guessing -one more reason to read your logs!
No, they aren't in any of the usual RBLs.
All three IPs were "unusual" in that all three were in what I call sub-assigned ranges. I don't know the real technical term for this. Basically when you do a lookup on the IP in DNSStuff or whatever, you don't get a page full of info on the IP. Instead you just get two links, one to a range of IPs including the one in question which is generally assigned to a big company, and then another link to another, smaller range, including the IP in question, assigned to (presumably) a smaller company.
Where are the RBLs configured for ftp? I could do with an ASL map in the wiki.
I presume this isn't something that's been enabled by default yet?
Faris.
- Atomicorp Staff - Site Admin
Re: ftp password guessing -one more reason to read your logs!
Announcement on the proftp RBL support, it has an example config:
https://atomicrocketturtle.com/forum/vi ... f=8&t=3142
Re: ftp password guessing -one more reason to read your logs!
Ah, it is still in -testing. OK.
Faris.