Using BlockHosts with wu-ftpd

BlockHosts is working well for blocking sshd attacks, but now the script kiddies are starting to attack wu-ftpd, and I'm getting log entries in auth.log that look like this:

Apr 27 21:36:36 myserver wu-ftpd[20011]: (pam_unix) check pass; user unknown
Apr 27 21:36:36 myserver wu-ftpd[20011]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.39.131.40

Is it possible to configure BlockHosts to block these?

more examples?

Is there any other line printed in the /var/log/secure or other files? The example log line given above is actually from pam_unix; there may be other log lines that come directly from wu-ftpd that may be better suited for use with blockhosts.

Given just the log line above, here's the match that will trap that line:

"WUFTPD-Fail": re.compile(r"""wu-ftpd\[\d+\]: \(pam_unix\) .* rhost=(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"""),

Note that the code snippet above is a single line, and requires proper Python indentation in blockhosts.cfg or blockhosts.py.
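
A standalone check of the pattern in the reply above, added here as an example; it is not part of the original posts and not BlockHosts' own code. It assumes the capture group is named `host` and uses a hypothetical threshold of 3; apart from the two log lines quoted in the question, the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Pattern from the reply above; the group name "host" is an assumption here.
WUFTPD_FAIL = re.compile(
    r"""wu-ftpd\[\d+\]: \(pam_unix\) .* rhost=(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"""
)

# The first two lines are from the question; the rest are constructed for this example.
SAMPLE_LOG = """\
Apr 27 21:36:36 myserver wu-ftpd[20011]: (pam_unix) check pass; user unknown
Apr 27 21:36:36 myserver wu-ftpd[20011]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.39.131.40
Apr 27 21:36:39 myserver wu-ftpd[20013]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.39.131.40
Apr 27 21:36:42 myserver wu-ftpd[20016]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.39.131.40
Apr 27 21:40:02 myserver wu-ftpd[20040]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.17
Apr 27 21:41:10 myserver wu-ftpd[20051]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=client.example.net
Apr 27 21:42:55 myserver sshd[20077]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9
Apr 27 21:43:30 myserver wu-ftpd[20090]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=999.1.1.1
"""


def count_failures(log_text):
    """Return a Counter of wu-ftpd authentication failures per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = WUFTPD_FAIL.search(line)
        if not m:
            continue  # no rhost field, hostname instead of IP, or another daemon
        try:
            ip = ipaddress.ip_address(m.group("host"))
        except ValueError:
            continue  # \d{1,3} also matches out-of-range octets such as 999
        counts[str(ip)] += 1
    return counts


def hosts_to_block(log_text, threshold=3):
    """Hosts at or above the failure threshold (threshold is an assumed value)."""
    return sorted(h for h, n in count_failures(log_text).items() if n >= threshold)


if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))
    print(hosts_to_block(SAMPLE_LOG))
```

Failures logged with a resolved hostname in `rhost=` are not matched by this pattern, so they are never counted toward a block.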

RE: more examples?

Sorry, it took me so long to get back with you. I was busy over the weekend and didn't have time to get on the computer. I use Debian, so it is /var/log/auth.log instead. I did not find any other lines in there related to the wu-ftpd login failures. That's not to say that there might not be other types of failures, but that's the only one that I'm seeing so far.

I just grepped through all the log files, and there are also connect messages in daemon.log, but they don't show any failures. Nothing else in any of the other log files.

Thanks for the regexp. I didn't know Python well enough to figure it out on my own. I'll try it and let you know if it works for me.