Jeff Vian wrote:

> On Sat, 2006-06-24 at 12:57 -0600, Philip Prindeville wrote:
>
>> Hi.
>>
>> I got tired of people running FTP password attacks on my machine from
>> China, Korea, Thailand, etc. so I came up with the following change: the
>> FTP server remembers when a single session (connection) has had 3 failed
>> logins, and graylists that address for 60 seconds (configurable timeout,
>> actually). If the user tries to reconnect again before that timeout
>> expires, the timeout gets restarted as another 120 seconds, etc., making
>> the timeout longer and longer until it hits some maximum (such as 2 weeks).
>>
>> This at a minimum makes it a significantly more time-consuming attack on
>> a machine (without it, I've seen 30 connections coming into my server
>> trying 90 passwords per second)...
>>
>> The changes, since they use an external database, also handle having
>> multiple simultaneous connections coming in parallel... and quickly
>> scale up the graylist interval.
>
> I would think that the better approach would be the ability to do the
> same in iptables which already exists and works well. If the settings
> are not configurable by the administrator it can be a major pain.
> Multiple layers of security are better however.

Point taken, unfortunately (or perhaps fortunately) krb5 runs on a *lot* of
platforms, including FreeBSD, QNX, MacOS, Solaris, HP-UX, and a whole host
of other SysV-based systems. It was the only solution that was easily
ported and easily understood.

Besides, if you're going to go the whole hog with iptables, you really need
a standard mechanism (API) to integrate both logging and ACLs at the same
time... so that other services like NFS, DNS, Samba, Sendmail, Cyrus, etc.
could also support DoS attacks and do the right thing...

It was a lightweight solution which has (at least for us) turned out to be
remarkably efficient.

-Philip

>> I've attached the diffs to apply to the .spec file and in the to put into
>> the SOURCES directory.
>>
>> I.e.
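The escalating graylist policy described in the quoted message, written out as an added example in Python. This is not the krb5 ftpd patch from the thread: the names `Graylist`, `on_connect`, `on_failed_login` and `remaining` are my own, the state lives in an in-process dict rather than the external database the patch uses (so it does not share the graylist across parallel server processes), and it assumes an address starts clean once its interval has lapsed without a reconnect. The thresholds (3 failures, 60 s base, doubling on each reconnect during the interval, 2-week cap) follow the message.

```python
"""Per-address graylist with escalating timeouts for repeated login failures.

Added example (not from the thread). Policy, per the quoted message:
  * 3 failed logins on one connection graylist the peer address for 60 s;
  * a reconnect while graylisted restarts the interval at twice its length;
  * the interval is capped at a maximum (two weeks here).
Assumption: once the interval lapses, the address's record is dropped.
"""
from dataclasses import dataclass, field


@dataclass
class _Entry:
    failures: int = 0           # failed logins on the current connection
    timeout: float = 0.0        # current graylist interval, seconds
    blocked_until: float = 0.0  # absolute time at which the interval lapses


@dataclass
class Graylist:
    max_failures: int = 3
    base_timeout: float = 60.0
    max_timeout: float = 14 * 24 * 3600.0   # two weeks
    entries: dict = field(default_factory=dict)

    def on_connect(self, addr: str, now: float) -> bool:
        """Decide whether a new connection from addr may proceed at time now.

        Returns True to accept. A reconnect during an active interval is
        refused and restarts the interval at double its previous length.
        """
        e = self.entries.get(addr)
        if e is None:
            return True
        if now < e.blocked_until:
            e.timeout = min(e.timeout * 2, self.max_timeout)
            e.blocked_until = now + e.timeout
            return False
        # Interval lapsed without a reconnect: forget the address (assumption).
        del self.entries[addr]
        return True

    def on_failed_login(self, addr: str, now: float) -> bool:
        """Record one failed login; return True once the address is graylisted.

        The server is expected to drop the connection when this returns True.
        """
        e = self.entries.setdefault(addr, _Entry())
        e.failures += 1
        if e.failures < self.max_failures:
            return False
        e.failures = 0
        e.timeout = self.base_timeout     # first interval is the base timeout
        e.blocked_until = now + e.timeout
        return True

    def remaining(self, addr: str, now: float) -> float:
        """Seconds left in addr's graylist interval at time now (0 if none)."""
        e = self.entries.get(addr)
        if e is None or now >= e.blocked_until:
            return 0.0
        return e.blocked_until - now


def replay(events, **policy):
    """Replay constructed (time, addr, kind) events, kind in {"connect", "fail"}.

    Returns the accept/refuse decision for every connect event, so a
    reconnect storm from one address can be examined as a whole.
    """
    g = Graylist(**policy)
    decisions = []
    for t, addr, kind in events:
        if kind == "connect":
            decisions.append((t, addr, g.on_connect(addr, t), g.remaining(addr, t)))
        elif kind == "fail":
            g.on_failed_login(addr, t)
    return decisions


if __name__ == "__main__":
    # Constructed sample: one address fails three times, then hammers reconnects.
    sample = [(0, "198.51.100.7", "connect"), (1, "198.51.100.7", "fail"),
              (2, "198.51.100.7", "fail"), (3, "198.51.100.7", "fail"),
              (10, "198.51.100.7", "connect"), (50, "198.51.100.7", "connect"),
              (60, "203.0.113.5", "connect"), (290, "198.51.100.7", "connect")]
    for t, addr, ok, left in replay(sample):
        print(f"t={t:>4} {addr:<14} {'accept' if ok else 'refuse'} remaining={left:.0f}s")
```

Each refused reconnect lengthens the interval (60 s, then 120 s, then 240 s), which is what makes a many-connection password run expensive: the address is only answered again after the whole interval passes without a fresh attempt. The cap keeps a spoofed or shared address from being locked out indefinitely.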