Slicehost customers
** UPDATE ** OK OK, so maybe I overreacted and blocking all Slicehost customers isn’t the way to go at all… Sowwwee
Stop being a prick and trying to connect to my server. Yes, I have reported you to Slicehost. If you don’t stop then I’ll just block all of Slicehost; it’s not a problem for me.
Sep 04 14:39:53 xen-web-ubuntu proftpd[19634] localhost.localdomain (209-20-87-244.slicehost.net[209.20.87.244]): no such user ‘Administrator’
Sep 04 14:39:53 xen-web-ubuntu proftpd[19634] localhost.localdomain (209-20-87-244.slicehost.net[209.20.87.244]): USER Administrator: no such user found from 209-20-87-244.slicehost.net [209.20.87.244] to 10.10.10.220:21
Sep 04 14:39:53 xen-web-ubuntu proftpd[19634] localhost.localdomain (209-20-87-244.slicehost.net[209.20.87.244]): Maximum login attempts (2) exceeded, connection refused
Sep 04 14:39:53 xen-web-ubuntu proftpd[19634] localhost.localdomain (209-20-87-244.slicehost.net[209.20.87.244]): FTP session closed.
Sep 04 14:39:53 xen-web-ubuntu proftpd[19635] localhost.localdomain (209-20-87-244.slicehost.net[209.20.87.244]): FTP session opened.
Sep 04 14:39:53 xen-web-ubuntu proftpd[19635] localhost.localdomain (209-20-87-244.slicehost.net[209.20.87.244]): no such user ‘Administrator’
Sep 04 14:39:53 xen-web-ubuntu proftpd[19635] localhost.localdomain (209-20-87-244.slicehost.net[209.20.87.244]): USER Administrator: no such user found from 209-20-87-244.slicehost.net [209.20.87.244] to 10.10.10.220:21


As a Slicehost customer who would never attempt to brute force anyone else’s machine, I have to say I take offense! I know you were just being funny, but that type of thinking has to go… for more reasons than one.
Skirting around the obvious moral and philosophical issues, let’s merely discuss the technical ones. Blocking all of Slicehost doesn’t actually fix the problem. The problem is you don’t want people breaking into your machine. No one likes people attempting to do just that, but… you do run a public FTP server.
Here’s what you do:
Run a good firewall. If you use shorewall you can trivially add a rule that limits the number of connection attempts (by port / service) per time period. I limit people to 3 connection attempts and then block them for 15 minutes. Imagine trying to brute force that, it’d take forever! People will just move on to the next machine. You can even specify a port that you can connect to to reset the timed block if you accidentally lock yourself out.
Try to remember that security through obscurity is not security at all. Blocking people and using a good firewall help, but they don’t solve the problem. You need to feel confident that if someone gets into your machine it’s not going to be that big of a deal:
- Ensure root cannot ssh in
- Make sure all accounts except the bare minimum have shell rights
- Make sure all accounts except the bare minimum have sudo access
- Use STRONG passwords on all shell and sudo enabled accounts
- Run nightly rootkit and system integrity scanners (ie, rkhunter, aide, etc)
There’s tons more you can do too. Basically, complaining about the problem to all of us, and the Slicehost admins, doesn’t fix the problem. Do what you can so that when you see people trying to break in (which IS going to happen no matter what), you don’t feel you need to worry about it!
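The limit described in the comment above (3 connection attempts, then a 15 minute block), replayed over proftpd log lines as an added example that is not part of the original post or its comments. The 1 minute counting window, the `simulate` and `_opened` names, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_ATTEMPTS = 3                   # from the comment: 3 connection attempts
BLOCK_FOR = timedelta(minutes=15)  # from the comment: 15 minute block
WINDOW = timedelta(minutes=1)      # assumption: the comment names no counting period

# Matches the "FTP session opened." lines in the proftpd format quoted in the post.
OPENED = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ proftpd\[\d+\] \S+ "
    r"\(\S*\[(\d{1,3}(?:\.\d{1,3}){3})\]\): FTP session opened\.")

def _opened(clock, pid, ip):
    """Build one constructed log line (documentation-range addresses)."""
    return (f"Sep 04 {clock} xen-web-ubuntu proftpd[{pid}] localhost.localdomain "
            f"(client.example[{ip}]): FTP session opened.")

SAMPLE = [  # constructed sample, not real traffic
    _opened("14:39:53", 101, "192.0.2.10"),
    _opened("14:39:53", 102, "192.0.2.10"),
    _opened("14:39:54", 103, "192.0.2.10"),
    _opened("14:39:54", 104, "192.0.2.10"),    # 4th inside the window: block starts
    _opened("14:40:00", 201, "198.51.100.7"),
    _opened("14:45:00", 105, "192.0.2.10"),    # still inside the 15 minute block
    _opened("14:50:00", 202, "198.51.100.7"),
    _opened("14:55:00", 106, "192.0.2.10"),    # block expired at 14:54:54
]

def simulate(lines):
    """Return {ip: {"accepted": n, "dropped": n}} under the limit above."""
    recent = defaultdict(deque)  # ip -> accepted attempt times still inside WINDOW
    blocked_until = {}
    counts = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for line in lines:
        m = OPENED.match(line)
        if not m:
            continue  # other proftpd messages are not connection attempts
        # The log carries no year; a fixed one is enough for time differences.
        when = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        ip, seen = m.group(2), recent[m.group(2)]
        while seen and when - seen[0] > WINDOW:
            seen.popleft()
        if ip in blocked_until and when < blocked_until[ip]:
            counts[ip]["dropped"] += 1
        elif len(seen) >= MAX_ATTEMPTS:
            blocked_until[ip] = when + BLOCK_FOR
            seen.clear()
            counts[ip]["dropped"] += 1
        else:
            seen.append(when)
            counts[ip]["accepted"] += 1
    return {ip: dict(c) for ip, c in counts.items()}
```

In the sample, the client that reconnects four times within two seconds gets three sessions through and is then dropped until the block expires, while the client connecting once every ten minutes is never affected.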
I also don’t understand why this was posted to UbuntuWeblogs, since it has NOTHING to do with Ubuntu.
I believe I made it clear that UbuntuWeblogs shouldn’t be used to spread messages, which is the exact intention of this post.
I just happened to tick all the boxes, which included the Ubuntu category… I’ve removed it from that category…