Re: Testers wanted for krb5 / gssftpd graylisting changes
- From: "D. Hugh Redelmeier" <hugh mimosa com>
- To: For users of Fedora Core releases <fedora-list redhat com>
- Subject: Re: Testers wanted for krb5 / gssftpd graylisting changes
- Date: Mon, 26 Jun 2006 13:52:32 -0400 (EDT)
| From: Jeff Vian <jvian10 charter net>

| On Sat, 2006-06-24 at 12:57 -0600, Philip Prindeville wrote:
| > I got tired of people running FTP password attacks on my machine from
| > China, Korea, Thailand, etc. so I came up with the following change:

My ssh servers get similarly bothered.

| I would think that the better approach would be the ability to do the
| same in iptables which already exists and works well. If the settings
| are not configurable by the administrator it can be a major pain.
| Multiple layers of security are better however.

My (naive) preference would be a PAM module. The hammering I get is
at the authentication (login) stage and I hope everything taking
logins is PAMified.

I don't know if PAM can be stateful, so I don't know if it is actually
possible.

IPtables seems to me to be at too low a level.

Having said that, I have a script that I use to manually ban IP
addresses when they bother me:

# ban an IP address. Stupid hackers.
# synopsis: ban-ip ip reason
set -u
ip=$1
# reject anything that is not four dot-separated runs of digits
if ! expr match "$ip" '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev/null
then
    echo "$0: malformed IP address $ip" >&2
    exit 1
fi
# log the time, address and reason, then drop all traffic from that address
echo "`date --iso-8601=minutes`: $*" >>~/BAN-LOG
/sbin/iptables -I INPUT 1 -s "$ip" -j DROP
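
As an added example (not part of the original message or of the krb5 change under discussion), the script below does the detection step that could feed a manual ban script like the one above: it counts sshd "Failed password" lines per source address and lists the sources at or above a threshold. The function names, the threshold and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample log lines are constructed.

# valid_ipv4 ADDR: true only for a dotted quad with every octet in 0-255
# (the expr pattern in ban-ip would also accept e.g. 999.1.1.1).
valid_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; only digits and dots remain here
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# offenders THRESHOLD: read syslog lines on stdin and print "COUNT IP" for
# each source with at least THRESHOLD sshd password failures, busiest first.
offenders() {
    awk -v min="$1" '
        / sshd\[[0-9]+\]: Failed password for / {
            # The user name is client-supplied text and may itself contain
            # "from", so trust only the last "from" on the line.
            addr = ""
            for (i = 1; i < NF; i++) if ($i == "from") addr = $(i + 1)
            if (addr != "") count[addr]++
        }
        END { for (a in count) if (count[a] >= min) print count[a], a }
    ' | sort -k1,1nr -k2,2 |
    while read -r n ip; do
        if valid_ipv4 "$ip"; then echo "$n $ip"; fi
    done
}

# Constructed sample input using documentation-only address ranges.
sample_log() {
    cat <<'EOF'
Jun 26 13:40:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 4101 ssh2
Jun 26 13:40:03 host sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 4102 ssh2
Jun 26 13:40:05 host sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 4103 ssh2
Jun 26 13:41:10 host sshd[2110]: Failed password for alice from 192.0.2.20 port 5001 ssh2
Jun 26 13:41:15 host sshd[2110]: Accepted password for alice from 192.0.2.20 port 5001 ssh2
Jun 26 13:42:00 host sshd[2120]: Failed password for invalid user a from 192.0.2.20 port 1 ssh2 from 198.51.100.9 port 6001 ssh2
Jun 26 13:42:02 host sshd[2121]: Failed password for invalid user b from 198.51.100.9 port 6002 ssh2
EOF
}

sample_log | offenders 2
```

With a threshold of 2, the single mistyped password from 192.0.2.20 is not listed, and the line whose user name embeds that address is counted against the real source.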