I have installed VSFTP and I have commented out all of the anonymous section. However, searching the vsftp.log I discovered that some IPs tried to log on to my system as USER anonymous with no password and USER ftp with no password. However, these accounts lead nowhere and have no rights; it is quite dangerous for me. Please, I want your help to harden my security. Thanks in advance.
However, searching the vsftp.log I discovered that some IPs tried to log on to my system as USER anonymous with no password and USER ftp with no password. However, these accounts lead nowhere and have no rights; it is quite dangerous for me.
Short of disabling the FTP server altogether, which I assume you don't want to do, there's not a lot you can do to prevent people trying to login anonymously. That doesn't mean they'll be successful of course :)

If you know that legitimate FTP connections are only going to come from certain places, or are definitely /not/ going to come from certain places, you can use TCP wrappers to allow and deny access. By default vsftpd runs from [x]inetd, I don't know about xinetd, but inetd will be set up to use tcpd. Read man hosts.allow and man hosts.deny to see how to craft allow and deny rules.

--
James Ogley, Webmaster, Rubber Turnip
james@rubberturnip.org.uk
http://www.rubberturnip.org.uk
Jabber: riggwelter@myjabber.net
Using Free Software since 1994, running GNU/Linux (SuSE 9.0)
GNOME updates for SuSE: http://www.usr-local-bin.org
I run the vsftpd as standalone because I don't know how to start it through the xinetd. Well, do you know how to apply the wrappers for my vsftpd? I want to legitimate the logins and, to be honest, I only receive requests from a specific IP.

----- Original Message -----
From: "James Ogley" <james@usr-local-bin.org>
To: "SuSE List" <suse-linux-e@suse.com>
Sent: Wednesday, March 24, 2004 11:28 AM
Subject: Re: [SLE] Vsftp and anonymus login
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
John wrote:
I run the vsftpd as standalone because I don't know how to start it through the xinetd.
cat /etc/xinetd.d/vsftpd

# default: off
# description:
#   The vsftpd FTP server serves FTP connections. It uses
#   normal, unencrypted usernames and passwords for authentication.
# vsftpd is designed to be secure.
service ftp
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/sbin/vsftpd
#       server_args     =
#       log_on_success  += DURATION USERID
#       log_on_failure  += USERID
#       nice            = 10
        disable         = no
}

HTH,
Martin
All right, and how to use the wrapper for the vsftpd now?

----- Original Message -----
From: "Martin Mielke" <martin.mielke@thales-is.com>
To: "John" <isofroni@cc.uoi.gr>
Cc: "SuSE List" <suse-linux-e@suse.com>
Sent: Wednesday, March 24, 2004 12:29 PM
Subject: Re: [SLE] Vsftp and anonymus login
Hi,

John wrote:
All right, and how to use the wrapper for the vsftpd now?

Well, tcpd is tailored by those two files already mentioned:

/etc/hosts.allow
ALL: 1.2.3.4,9.10.11.12 (these should be *real* IP addresses)

/etc/hosts.deny
ALL: ALL: /usr/bin/mailx -s "%d: connection attempt from %c" root@your-domain

Also take a look at the proper man pages for further info.

HTH,
Martin
What is the ALL@MyIP for in the tcpwrapper files (allow & deny)? I mean the ALL only :)

----- Original Message -----
From: "Martin Mielke" <martin.mielke@thales-is.com>
To: "Suse" <suse-linux-e@suse.com>
Sent: Wednesday, March 24, 2004 2:04 PM
Subject: Re: [SLE] Vsftp and anonymus login
John,

RTFM!!!

Look in /usr/share/doc/packages/tcpd for more documentation on this issue. There's a README that explains it all.

Some links you can find doing a simple search on google.com:

http://www.clug.org/presentations/security/tcpwrappers.html

This is for RedHat, but should apply to SuSE as well:

http://www.redhat.com/docs/manuals/linux/RHL-7.2-Manual/ref-guide/ch-tcpwrap...

Regards,
Martin

John wrote:
What does the ALL@MyIP is for in the tcpwraper files (allow & deny)
I mean the ALL only :)
Thanks for your help, Martin!

----- Original Message -----
From: "Martin Mielke" <martin.mielke@thales-is.com>
To: "Suse" <suse-linux-e@suse.com>
Sent: Wednesday, March 24, 2004 2:43 PM
Subject: Re: [SLE] Vsftp and anonymus login
Two items.....

We'll be converting a site from Redhat to Suse in the next week or two - are there any resources regarding upgrading a Redhat server to Suse 8.2??? Now that I ask this, I realize, it'll probably be easier to blow it away and re-install Lotus Domino and the backup system. I suppose this would be a cleaner installation as well....

Is there any way to obtain Suse 8.2 on CD - the site's bandwidth is limited, and will not allow a FTP install. I already own 9.0, but due to support level required by the commercial software, need to use 8.2. I cannot find it online, nor at any store - ideas on this welcome.

Thanks for info......

Jon Johnston
Creative Business Solutions
IBM, Lotus, Microsoft Consultants
http://www.cbsol.com
952-544-1108
Blog: http://bingo.cbsol.com
On Thursday 01 April 2004 18:31, jonlists wrote: snip
Is there any way to obtain Suse 8.2 on CD - the site's bandwidth is limited, and will not allow a FTP install. I already own 9.0, but due to support level required by the commercial software, need to use 8.2. I cannot find it online, nor at any store - ideas on this welcome.
Thanks for info......
Jon Johnston
I'll call you tomorrow AM. Maybe I can help.

Stan
At 11:28, Wednesday 24 March 2004, John wrote:
I run the vsftpd as standalone because I don't know how to start it through the xinetd.
Well, do you know how to apply the wrappers for my vsftpd? I want to legitimate the logins and, to be honest, I only receive requests from a specific IP.

Then, I think you could use some iptables rules like these:

iptables -A INPUT -p tcp --dport 21 -s specific-ip -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j DROP

Praise
Well, just try these yourself first before getting all worried (login as anon or ftp). I think either you are misunderstanding the log or you have VSFTP set up wrong.

I have vsftp running with anon off. It is running under xinetd with pretty much defaults for everything (SuSE 9.0). I did nothing fancy to set it up - no tcpwrappers or anything. Make sure VSFTP is actually the FTP that is running? If you config VSFTP, but SuSE is running another FTP server then of course anon may be active.

Here is an extract from my /var/log/vsftp.log:

Wed Feb 25 20:43:18 2004 [pid 8516] CONNECT: Client "172.180.168.56"
Wed Feb 25 20:43:19 2004 [pid 8515] [anonymous] FAIL LOGIN: Client "172.180.168.56"
Thu Feb 26 00:55:39 2004 [pid 9064] CONNECT: Client "61.218.12.93"
Thu Feb 26 00:55:39 2004 [pid 9066] CONNECT: Client "61.218.12.93"
Thu Feb 26 00:55:39 2004 [pid 9065] [ftp] FAIL LOGIN: Client "61.218.12.93"
Thu Feb 26 01:19:02 2004 [pid 9106] CONNECT: Client "80.185.119.46"
Thu Feb 26 01:19:03 2004 [pid 9105] [anonymous] FAIL LOGIN: Client "80.185.119.46"
Thu Feb 26 01:28:21 2004 [pid 9108] CONNECT: Client "200.210.7.18"
Thu Feb 26 19:34:07 2004 [pid 10580] CONNECT: Client "10.20.20.100"
Thu Feb 26 19:34:07 2004 [pid 10579] [lynn] OK LOGIN: Client "10.20.20.100"

I have 5-10 attempts to log into my system a month from (usually) Chinese ISPs who sublet ranges to other ISPs who likely have dynamically assigned them out to others. The last "OK LOGIN" is me from another system on my local subnet.

best regards - LynnL

John wrote:
I have installed VSFTP and I have commented out all of the anonymous section.
However, searching the vsftp.log I discovered that some IPs tried to log on to my system as USER anonymous with no password and USER ftp with no password.
However, these accounts lead nowhere and have no rights; it is quite dangerous for me.
Please, I want your help to harden my security.
Thanks in advance.
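The distinction drawn in the message above (an attempt logged as FAIL LOGIN versus one logged as OK LOGIN) can be checked mechanically. The following is an added example, not part of the original post; it assumes the log layout of the extract above, and the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: did any anonymous/ftp login actually succeed?

# anon_logins LOGFILE -> one line per client: "<ip> fail=<n> ok=<n>"
# Field positions follow the vsftpd.log extract quoted in the thread:
# $8 = [user], $9 = OK|FAIL, $10 = LOGIN:, $12 = "client address"
anon_logins() {
    awk '
        $10 == "LOGIN:" && ($8 == "[anonymous]" || $8 == "[ftp]") {
            # Strip the quotes (and a trailing comma, if one follows).
            ip = $12; gsub(/[",]/, "", ip)
            if (!(ip in seen)) { seen[ip] = 1; order[++n] = ip }
            if ($9 == "OK") ok[ip]++; else fail[ip]++
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s fail=%d ok=%d\n", order[i], fail[order[i]], ok[order[i]]
        }' "$1"
}

# anon_accepted LOGFILE -> exit status 0 if any anonymous login succeeded.
anon_accepted() {
    anon_logins "$1" | grep -v ' ok=0$' >/dev/null
}

# Constructed log (documentation addresses), same layout as the extract above.
log=$(mktemp)
cat > "$log" <<'EOF'
Wed Feb 25 20:43:18 2004 [pid 8516] CONNECT: Client "192.0.2.56"
Wed Feb 25 20:43:19 2004 [pid 8515] [anonymous] FAIL LOGIN: Client "192.0.2.56"
Thu Feb 26 00:55:39 2004 [pid 9065] [ftp] FAIL LOGIN: Client "198.51.100.93"
Thu Feb 26 01:19:03 2004 [pid 9105] [ftp] FAIL LOGIN: Client "192.0.2.56"
Thu Feb 26 19:34:07 2004 [pid 10579] [lynn] OK LOGIN: Client "10.20.20.100"
EOF
anon_logins "$log"
if anon_accepted "$log"; then
    echo "WARNING: anonymous FTP login accepted; check anonymous_enable"
else
    echo "anonymous attempts were all rejected"
fi
rm -f "$log"
```

Named local users such as [lynn] are ignored on purpose, so only the anonymous and ftp accounts discussed in the thread are counted.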
On Wednesday 24 March 2004 18:16, Lynn wrote:
Well, just try these yourself first before getting all worried (login as anon or ftp). I think either you are misunderstanding the log or you have VSFTP setup wrong.
I have vsftp running with anon off. It is running under xinetd with pretty much defaults for everything (SuSE 9.0). I did nothing fancy to set it up - no tcpwrappers or anything. Make sure VSFTP is actually the FTP that is running? If you config VSFTP, but SuSE is running another FTP server then of course anon may be active.
Here is an extract from my /var/log/vsftp.log:
Wed Feb 25 20:43:18 2004 [pid 8516] CONNECT: Client "172.180.168.56"
Wed Feb 25 20:43:19 2004 [pid 8515] [anonymous] FAIL LOGIN: Client "172.180.168.56"
Thu Feb 26 00:55:39 2004 [pid 9064] CONNECT: Client "61.218.12.93"
Thu Feb 26 00:55:39 2004 [pid 9066] CONNECT: Client "61.218.12.93"
Thu Feb 26 00:55:39 2004 [pid 9065] [ftp] FAIL LOGIN: Client "61.218.12.93"
Thu Feb 26 01:19:02 2004 [pid 9106] CONNECT: Client "80.185.119.46"
Thu Feb 26 01:19:03 2004 [pid 9105] [anonymous] FAIL LOGIN: Client "80.185.119.46"
Thu Feb 26 01:28:21 2004 [pid 9108] CONNECT: Client "200.210.7.18"
Thu Feb 26 19:34:07 2004 [pid 10580] CONNECT: Client "10.20.20.100"
Thu Feb 26 19:34:07 2004 [pid 10579] [lynn] OK LOGIN: Client "10.20.20.100"
I have 5-10 attempts to log into my system a month from (usually) Chinese ISPs who sublet ranges to other ISP who likely have dynamically assigned them out to others. The last "OK LOGIN" is me from another system on my local subnet.
Beware though, on the internet anonymous ftp is more secure than ftp with username and password, since regular ftp is in plain text. If you want security and authenticated logins, use sftp.
The Wednesday 2004-03-24 at 11:19 +0200, John wrote:
I have installed VSFTP and I have commented out all of the anonymous section.

Therefore, you ENABLED anonymous login - you should have read the manual first!

| anonymous_enable
|     Controls whether anonymous logins are permitted or not.
|     If enabled, both the usernames ftp and anonymous are
|     recognised as anonymous logins.
|
|     Default: YES

Notice: default is "YES", therefore, if you want to disable you have to explicitly write "NO" in the /etc/vsftpd.conf file:

anonymous_enable=NO

--
Cheers,
Carlos Robinson
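The point made above, that a commented-out directive falls back to the built-in default, is easy to audit. This is an added example, not part of the thread: the function names and sample files are constructed, the tcp_wrappers option and its default of NO come from vsftpd.conf(5) rather than from this discussion, and "last directive wins" is an assumption.

```shell
#!/bin/sh
# Added example: which value will vsftpd really use for an option?

# effective_setting FILE OPTION DEFAULT
# Prints "<value> explicit", "<default> default" or "? malformed".
effective_setting() {
    awk -v opt="$2" -v def="$3" '
        /^[ \t]*#/ { next }              # commented out = not set at all
        index($0, "=") == 0 { next }
        {
            line = $0; sub(/\r$/, "", line)
            key = line; sub(/=.*/, "", key)
            bare = key; gsub(/[ \t]/, "", bare)
            if (bare != opt) next
            val = substr(line, index(line, "=") + 1)
            # vsftpd.conf(5): no space is allowed around "=".
            if (key != opt || val ~ /^[ \t]/) { bad = 1; next }
            found = 1; value = val       # assumption: the last directive wins
        }
        END {
            if (bad)        print "? malformed"
            else if (found) print value " explicit"
            else            print def " default"
        }' "$1"
}

# audit FILE: the two options this thread depends on.
audit() {
    # Default YES is quoted from the man page earlier in the thread.
    echo "anonymous_enable: $(effective_setting "$1" anonymous_enable YES)"
    # tcp_wrappers (default NO per vsftpd.conf(5)) must be YES before a
    # standalone vsftpd consults hosts.allow / hosts.deny.
    echo "tcp_wrappers: $(effective_setting "$1" tcp_wrappers NO)"
}

# Constructed sample files, not taken from anyone's system.
tmp=$(mktemp -d)
printf '%s\n' '#anonymous_enable=YES' 'local_enable=YES' > "$tmp/commented.conf"
printf '%s\n' 'anonymous_enable=NO' 'tcp_wrappers=YES'   > "$tmp/hardened.conf"
printf '%s\n' 'anonymous_enable = NO'                    > "$tmp/spaced.conf"
for f in commented hardened spaced; do
    echo "== $f.conf"; audit "$tmp/$f.conf"
done
rm -rf "$tmp"
```

On a real system, point audit at /etc/vsftpd.conf; a result of "YES default" for anonymous_enable is the situation described in the first message of the thread.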
participants (9)
- Anders Johansson
- Carlos E. R.
- James Ogley
- John
- jonlists
- Lynn
- Martin Mielke
- praisetazio
- S.R.Glasoe