Testers wanted for krb5 / gssftpd graylisting changes

Jeff Vian jvian10 at charter.net
Sat Jun 24 19:52:49 UTC 2006


On Sat, 2006-06-24 at 12:57 -0600, Philip Prindeville wrote:
> Hi.
> 
> I got tired of people running FTP password attacks on my machine from
> China, Korea, Thailand, etc. so I came up with the following change:  the
> FTP server remembers when a single session (connection) has had 3 failed
> logins, and graylists that address for 60 seconds (configurable timeout,
> actually).  If the user tries to reconnect again before that
> timeout expires,
> the timeout gets restarted as another 120 seconds, etc. making the timeout
> longer and longer until it hits some maximum (such as 2 weeks).
> 
> This at a minimum makes it a significantly more time-consuming attack on
> a machine (without it, I've seen 30 connections coming into my server
> trying 90 passwords per second)...
> 
> The changes, since they use an external database, also handle having
> multiple simultaneous connections coming in parallel... and quickly
> scale up the graylist interval.
> 
I would think that the better approach would be the ability to do the
same in iptables which already exists and works well.  If the settings
are not configurable by the administrator it can be a major pain.
Multiple layers of security are better however.

> I've attached the diffs to apply to the .spec file and in the to put into
> the SOURCES directory.  I.e.
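The graylisting scheme quoted above (3 failed logins per session, a 60-second block, the timeout doubling on every reconnect made before it expires, capped at two weeks) as an added Python example; this is not the gssftpd patch, and the class, method names and the in-memory dict standing in for the external database are assumptions.

```python
# Added example, not the gssftpd patch: per-address graylist with doubling
# timeouts; names and the in-memory dict (not an external DB) are assumptions.
MAX_TIMEOUT = 14 * 24 * 3600   # two weeks, the cap mentioned in the post


class Graylist:
    def __init__(self, base=60, maximum=MAX_TIMEOUT, max_failures=3):
        self.base, self.maximum, self.max_failures = base, maximum, max_failures
        self._blocked = {}    # addr -> (expires_at, current_timeout)
        self._failures = {}   # addr -> failed logins in the current session

    def connect(self, addr, now):
        """New connection from addr at time now: True = accept, False = refuse."""
        self._failures[addr] = 0
        rec = self._blocked.get(addr)
        if rec is None:
            return True
        expires_at, timeout = rec
        if now >= expires_at:              # timeout ran out: forget the address
            del self._blocked[addr]
            return True
        # Reconnect while graylisted: restart the clock with twice the timeout.
        timeout = min(timeout * 2, self.maximum)
        self._blocked[addr] = (now + timeout, timeout)
        return False

    def login_failed(self, addr, now):
        """Record a failed login; True once the session hits max_failures."""
        self._failures[addr] = self._failures.get(addr, 0) + 1
        if self._failures[addr] < self.max_failures:
            return False
        self._failures[addr] = 0
        rec = self._blocked.get(addr)
        if rec is None or now >= rec[0]:   # not (or no longer) graylisted
            self._blocked[addr] = (now + self.base, self.base)
        return True

    def seconds_left(self, addr, now):
        rec = self._blocked.get(addr)
        return 0 if rec is None else max(0, rec[0] - now)


def patient_guesses(window, base=60, max_failures=3):
    """Constructed scenario: an address that waits out every timeout never
    triggers the doubling, so it is held to max_failures guesses per period."""
    gl, guesses, t = Graylist(base, max_failures=max_failures), 0, 0
    while t < window:
        if gl.connect("198.51.100.7", t):       # accepted: burn the session
            for _ in range(max_failures):
                gl.login_failed("198.51.100.7", t)
            guesses += max_failures
        t += base                               # wait for the timeout to expire
    return guesses
```

patient_guesses gives the scheme's floor for a single address, which is the rate the quoted post is comparing against the 90 passwords per second it saw without the change.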
