Delivered-To: moderator for incidentsat_private Date: Tue, 21 Aug 2001 10:34:48 +0000 From: Emil Popov <emoat_private> To: incidentsat_private Subject: Re: annoying ftp probes User-Agent: Mutt/1.2.5i In-Reply-To: <01082011103000.00977at_private>; from jcmat_private on Mon, Aug 20, 2001 at 11:10:30AM -0500 > Hello, > Is this a production ftp server , or just your personal machine ? I ask > because if it is only your machine, running sshd and ssh'n into the machine > and turning on your ftp server only when you need it. If it is a production > server , how large of a client base do you have ? Might it be easier to make > a hosts.allow , instead of denying every ftp scan you get ? As for what frp > scanner it might be, it could really be anything, as almost all ftp exploits > in the wild need anon+world writable dir to run their respective sploit. I > would also shy away from automating nmap's or DoS's to these hosts in your > logs, as they may be (and probably are) spoofed in some way or another. If we > could please have some more info on the purpose/use of your ftp server, Im > sure you would get more helpful and intellegent responses than the one I have > given you. Good Luck, > Ok, it's an FTP srv that is shared among some of my colegues, and is pretty useful, so i don't want to shut it down (not all of the people using it can use scp). Using hosts.allow seams reasonable, but there still are people that i trust, who connect from dial'up or other sorts of "floating IPs". About nmap'ing, I have been adding whole distant isp domains, that i am sure no friend of mine is using, but my main idea behind those scans is to learn as much as possible about those guys. I really doubt they are spoofing the addresses, Most of those kiddies, if they really are will be counting on the dynamic IP that their ISP assigns them and will think they are untraceble. Someone in the thread mentioned that those guys will start uploading files when they find a writable dir, and yes, in the past, i had accidently left such a dir, and they were able to upload some 350M movie until i killed the srv for a moment of inspection. Thanks to everyone, elpecially to those who pointed me to some software, I relly am more calm when I have examined the tools that others use against me. BTW. I use OpenBSD with the deafault ftpd, so i'm pretty confident when skript kiddies try their tools on it, but please if you think it's wrong, notify me, I MAY BE WRING. Thanks again to everyone Emil Popov ----- End forwarded message ----- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Aug 27 2001 - 13:08:07 PDT