[H-GEN] FTP login by wtmp?

Martin Pool martinp at mincom.com
Sun Aug 15 21:12:41 EDT 1999


[ Humbug *General* list - semi-serious discussions about Humbug and
Unix-related[1] topics. ]

From: Marshall, Joshua <MarshallJ at switch.aust.com>

> Is this actually possible?  Well it happened here.
>
> Aug 12 19:27:27 server1 ftpd[8312]: FTP LOGIN FROM p59-max12.chc.ihug.co.nz [209.79.136.187], wtmp
> Aug 12 19:29:41 server1 ftpd[8346]: FTP session closed

Depending on what's in the other log files it probably means somebody opened
a socket but did nothing: you may have just been scanned and no more.

> How can I stop this?

a. Don't run ftpd unless you need it: see if you can use sshd instead.  Do a

  shaved$ netstat -tau

to see which ports are open (in the LISTEN state), and think about whether
you need to run them or not.

b. Tell ipfw or ipchains to deny all but the machines who're allowed to
connect.
c. Ditto for hosts.allow, inetd, xinetd, tcpd and so on.

That should get you started, and somebody else stopped,

--
Martin

I think it's fair to regard the whole of software development since
the 1950s as a social experiment - with some major results due back at
the end of this year as I remember.
   -- Richard Drake
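
Added example, not part of the original post: one way to turn step (a) into a repeatable check is to filter the `netstat -tau` output down to listening sockets and compare them with the services you have decided to keep. The `NEEDED` list, the function names and the sample output are constructed assumptions; UDP sockets with a wildcard peer are included as well, going slightly beyond the LISTEN state the post mentions.

```shell
#!/bin/sh
# Added example: list listening sockets that are not on a "needed" list.
# NEEDED and the sample netstat output below are constructed for illustration.

NEEDED="ssh smtp"   # hypothetical: the services this host is meant to offer

# Reads `netstat -tau` output on stdin and prints "proto service" for each
# listening socket whose service is not named in $NEEDED.
unneeded_listeners() {
    awk -v needed="$NEEDED" '
        BEGIN { n = split(needed, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        # TCP: keep only LISTEN. UDP has no LISTEN state, so keep sockets
        # with a wildcard peer (foreign address ending in ":*").
        ($1 ~ /^tcp/ && $NF == "LISTEN") || ($1 ~ /^udp/ && $5 ~ /:\*$/) {
            k = split($4, part, ":")   # service follows the last colon
            key = $1 " " part[k]
            if (!(part[k] in ok) && !(key in seen)) { seen[key] = 1; print key }
        }'
}

# Constructed sample of `netstat -tau` output (not taken from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 server1:ssh             admin-pc:1022           ESTABLISHED
udp        0      0 *:sunrpc                *:*
EOF
}

# Demo on the constructed sample; on a live host run:
#   netstat -tau | unneeded_listeners
sample_netstat | unneeded_listeners
```

Each line printed is a service to disable, or to restrict as in steps (b) and (c). If netstat is run with `-n`, put port numbers in `NEEDED` instead of service names.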



--
This is list (humbug) general handled by majordomo at lists.humbug.org.au .
Postings only from subscribed addresses of lists general or general-post.
[1] Just for Jason.


