Centos 5 vsftpd /var/log/secure question
Hi
This is going to sound REALLY dumb but here goes. I have just updated my server to CentOS 5. According to a swift "yum list" I am running version 2.0.5-10.el5 of vsftpd.i386.

My 'logwatch' shows repeated failed attempts to log in to my server's vsftpd daemon as 'root', 'admin' and 'administrator' from a machine identified as 'astroplasma.Berkeley.Edu'. Scrutiny of /var/log/secure shows multiple entries similar to this (there are hundreds like it):

"Sep 4 05:40:57 velvetwood vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=astroplasma.Berkeley.EDU"

My question is this ... Is there really a hacker inside the Berkeley.Edu domain doing his best to climb into my server in violation of the UK Computer Misuse Act 1990, or can the /var/log/secure entries be 'spoofed' / 'forged' in the same way that email headers can be? Is the /var/log/secure entry created from some sort of reverse DNS lookup, or is it just the text from their "username" prompt?

You see, if someone inside Berkeley.EDU really *IS* trying to grope my server's bits then I feel the need to have him/her spanked, or at least have it pointed out to them that such behaviour, if perpetrated in the UK, gets you prison time. However, I don't want to look a damn fool emailing the abuse department of what is arguably one of the serious computer centres of the world if what's actually happened is that some two-bit Romanian or Brazilian has tried to climb in using their domain name in his response to my ftp 'login' prompt!

Any pointers to where I should be looking for answers gratefully received (!)
I have been looking into a similar issue with fail2ban and banning failed vsftpd entries. Basically either somebody has access to their reverse DNS records and spoofed that they are from Berkeley, someone is using a compromised Berkeley computer as a launch point, or someone in Berkeley is actually trying to get into your system. Most likely it's #2, and I would report it to their abuse department (if there was a security breach, they will be happy you did). I also advise you to look into Fail2ban (I have it running on CentOS 5 as well). It does work, but occasionally somebody can screw with their reverse DNS records and you will be unable to ban them. Make sure you disable root logins in vsftpd also.
Thanks TBKDan I'll send that email right now !
I take back the second-to-last sentence in my first post; it turns out that there were some issues with the regex in Fail2ban 0.8.0, so now 0.8.1 bans everything :) Highly recommended, and pretty easy to set up. Simplest instructions: download it, extract it, run the install script, change "enabled" to true in jail.conf, and then run fail2ban-client start :) You should have some way to do that on every boot though (rc.local works fine).
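The two technical points in this thread, what the rhost field in those /var/log/secure lines actually is, and what a Fail2ban jail does with them, can be shown in a few dozen lines. The following is an added example written for this page, not code from the thread or from the Fail2ban project. It assumes the pam_unix line format quoted in the question, and the "FAIL LOGIN: Client" format of vsftpd's own /var/log/vsftpd.log; the hostnames, addresses and pids in the sample lines are constructed (documentation ranges, an example.edu name standing in for the real host), and the DNS resolver is a stub so it runs offline. The key fact it relies on: vsftpd fills PAM's rhost from its own reverse lookup of the peer address (reverse_lookup_enable, on by default), so the name is a PTR record, not text typed at the login prompt. A PTR record is controlled by whoever owns the reverse zone for the source IP, which is why the code forward-confirms the name (FCrDNS) before trusting it, and why the ban decision is applied to the IP from vsftpd.log as well as to the name.

```python
import re
from collections import defaultdict
from datetime import datetime

# Year assumed for syslog lines (syslog omits it); set to the year of your log.
ASSUMED_YEAR = 2007

# Constructed sample input (hosts, IPs and pids are made up, not real systems).
# pam_unix lines as in /var/log/secure: rhost is vsftpd's reverse lookup of the
# peer address. FAIL LOGIN lines as in /var/log/vsftpd.log: the peer IP itself.
SECURE_LOG = """\
Sep  4 05:40:57 velvetwood vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=astroplasma.example.edu
Sep  4 05:41:03 velvetwood vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=astroplasma.example.edu
Sep  4 05:41:10 velvetwood vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=root rhost=astroplasma.example.edu
Sep  4 06:02:14 velvetwood vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=bob rhost=192.0.2.77
"""
VSFTPD_LOG = """\
Tue Sep  4 05:40:57 2007 [pid 2211] [Administrator] FAIL LOGIN: Client "198.51.100.23"
Tue Sep  4 05:41:03 2007 [pid 2213] [admin] FAIL LOGIN: Client "198.51.100.23"
Tue Sep  4 05:41:10 2007 [pid 2215] [root] FAIL LOGIN: Client "198.51.100.23"
Tue Sep  4 06:02:14 2007 [pid 2290] [bob] FAIL LOGIN: Client "192.0.2.77"
"""

PAM_FAIL_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ vsftpd: pam_unix\(vsftpd:auth\): '
    r'authentication failure; .*?ruser=(?P<user>\S*) rhost=(?P<src>\S+)')
VSFTPD_FAIL_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<src>[^"]+)"')


def parse_failures(lines):
    """Return (timestamp, user, source) for each failed vsftpd login in lines.
    source is whatever that log recorded: the reverse-DNS name (pam_unix line)
    or the client IP (vsftpd.log line). Lines that match neither are ignored."""
    events = []
    for line in lines:
        m = PAM_FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S').replace(year=ASSUMED_YEAR)
            events.append((ts, m['user'], m['src']))
            continue
        m = VSFTPD_FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%a %b %d %H:%M:%S %Y')
            events.append((ts, m['user'], m['src']))
    return events


def sources_to_ban(events, maxretry=3, findtime=600):
    """Fail2ban-style decision: a source with maxretry or more failures inside
    a sliding window of findtime seconds gets banned. Returns the set of sources."""
    banned = set()
    recent = defaultdict(list)
    for ts, _user, src in sorted(events):
        # keep only this source's failures that fall inside the window ending at ts
        recent[src] = [t for t in recent[src] if (ts - t).total_seconds() <= findtime]
        recent[src].append(ts)
        if len(recent[src]) >= maxretry:
            banned.add(src)
    return banned


def correlate(secure_events, vsftpd_events):
    """Map each rhost name from /var/log/secure to the client IP(s) that
    /var/log/vsftpd.log recorded for the same timestamp and username."""
    ips_by_key = defaultdict(set)
    for ts, user, ip in vsftpd_events:
        ips_by_key[(ts, user)].add(ip)
    names_to_ips = defaultdict(set)
    for ts, user, name in secure_events:
        names_to_ips[name] |= ips_by_key.get((ts, user), set())
    return dict(names_to_ips)


def forward_confirmed(name, client_ip, resolve):
    """Forward-confirmed reverse DNS: trust the PTR name only if the name's own
    address records point back at the connecting IP. resolve(name) returns a
    list of IPs; it is injected so this runs offline (for a live check pass
    lambda n: socket.gethostbyname_ex(n)[2])."""
    try:
        return client_ip in resolve(name)
    except OSError:  # NXDOMAIN, timeout and the like count as unconfirmed
        return False


# Constructed stand-in for DNS so the example needs no network access.
FAKE_FORWARD_DNS = {'astroplasma.example.edu': ['198.51.100.23']}


def stub_resolve(name):
    return FAKE_FORWARD_DNS.get(name, [])


if __name__ == '__main__':
    secure = parse_failures(SECURE_LOG.splitlines())
    ftp = parse_failures(VSFTPD_LOG.splitlines())
    print('ban by reverse name:', sources_to_ban(secure))
    print('ban by client IP:   ', sources_to_ban(ftp))
    for name, ips in correlate(secure, ftp).items():
        for ip in ips:
            if name == ip:
                print(name, 'has no PTR record; nothing to confirm')
            else:
                ok = forward_confirmed(name, ip, stub_resolve)
                print(name, '->', ip, 'FCrDNS confirmed' if ok else 'NOT confirmed, treat name as untrusted')
```

The practical reading for the abuse report: the name in rhost tells you who owns the reverse zone of the source address, and the IP in vsftpd.log tells you who owns the address itself. When forward and reverse agree, both point at the same organisation and the report is well founded; when they disagree, report the IP and say so. Banning on the IP rather than the name also avoids the case the reply mentions where a changed PTR record stops a name-based ban from matching.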