LinuxQuestions.org
Old 09-05-2007, 02:15 AM   #1
johnvoisey
Member
 
Registered: Jun 2002
Location: UK
Distribution: Used many over the years, main ones now "CentOS", Slackware and Arch
Posts: 31

Centos 5 vsftpd /var/log/secure question


Hi

This is going to sound REALLY dumb but here goes.

I have just updated my server to Centos 5. According to a swift "yum list" I am running version 2.0.5-10.el5 of vsftpd.i386

My 'logwatch' shows repeated failed attempts to log in to my server's vsftpd daemon as 'root', 'admin' and 'administrator' from a machine identified as 'astroplasma.Berkeley.Edu'

Scrutiny of /var/log/secure shows multiple entries similar to this

"Sep 4 05:40:57 velvetwood vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=astroplasma.Berkeley.EDU"

(There are hundreds like this)

My question is this ...

Is there really a hacker inside the Berkeley.Edu domain doing his best to climb into my server in violation of the UK Computer Misuse Act 1990, or can the /var/log/secure entries be 'spoofed' / 'forged' in the same way that email headers can be? Is the /var/log/secure entry created from some sort of reverse DNS lookup, or is it just the text from their "username" prompt?

You see, if someone inside Berkeley.EDU really *IS* trying to grope my server's bits then I feel the need to have him/her spanked, or at least have it pointed out to them that such behaviour, if perpetrated in the UK, gets you prison time.

However I don't want to look a damn fool emailing the abuse department of what is arguably one of the serious computer centres of the world if what's actually happened is some two-bit Romanian or Brazilian has tried to climb in using their domain name in his response to my ftp 'login' prompt!

Any pointers to where I should be looking for answers gratefully received (!)
 
Old 09-05-2007, 09:50 AM   #2
TBKDan
Member
 
Registered: Dec 2005
Location: NY, USA
Distribution: Ubuntu
Posts: 44

I have been looking into a similar issue with fail2ban and banning failed vsftpd entries. Basically either somebody has access to their reverse DNS records and spoofed that they are from Berkeley, someone is using a compromised Berkeley computer as a launch point, or someone in Berkeley is actually trying to get into your system. Most likely it's #2, and I would report it to their abuse department (if there was a security breach, they will be happy you did). I also advise you to look into Fail2ban (I have it running on CentOS 5 as well). It does work, but occasionally somebody can screw with their reverse DNS records and you will be unable to ban them. Make sure you disable root logins in vsftpd also.
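An added example, not from this thread, showing how a defender can act on the question above: parse the pam_unix failure lines from /var/log/secure, count them per recorded rhost, and forward-confirm the logged name against the address the connection actually came from. The rhost value is the result of a reverse (PTR) lookup, and PTR records are controlled by whoever owns the connecting address, so the name alone proves nothing; the forward lookup is answered by the name's own domain. Hostnames, addresses and the fake resolver are constructed; the peer IP is assumed to come from a source that records it (vsftpd's own log or a packet capture), since the pam_unix line does not carry it.

```python
import re
import socket
from collections import Counter

# Matches the pam_unix line format shown in the thread.
PAM_RE = re.compile(
    r"vsftpd: pam_unix\(vsftpd:auth\): authentication failure; "
    r".*?ruser=(?P<ruser>\S*) rhost=(?P<rhost>\S*)"
)

# Constructed sample of /var/log/secure (names and addresses are not real).
SAMPLE_LOG = """\
Sep 4 05:40:57 velvetwood vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=host1.example.edu
Sep 4 05:41:02 velvetwood vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=root rhost=host1.example.edu
Sep 4 05:41:09 velvetwood vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=198.51.100.7
Sep 4 05:41:10 velvetwood sshd[1234]: Accepted publickey for bob from 192.0.2.5 port 5000 ssh2
"""

def parse_failures(text):
    """Return (ruser, rhost) for every vsftpd PAM authentication failure."""
    matches = (PAM_RE.search(line) for line in text.splitlines())
    return [(m.group("ruser"), m.group("rhost")) for m in matches if m]

def count_by_rhost(failures):
    """Number of failed logins attributed to each recorded rhost."""
    return Counter(rhost for _, rhost in failures)

def forward_confirmed(rhost, peer_ip, resolve=socket.gethostbyname_ex):
    """True only if the logged name forward-resolves to the peer's address.
    peer_ip is assumed to come from a log or capture that records it."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", rhost):
        return rhost == peer_ip  # no name was logged, nothing to confirm
    try:
        _, _, addrs = resolve(rhost)
    except OSError:  # NXDOMAIN, timeout, etc. -> treat as unconfirmed
        return False
    return peer_ip in addrs

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {"host1.example.edu": ("host1.example.edu", [], ["203.0.113.10"])}

def fake_resolve(name):
    try:
        return FAKE_DNS[name.lower()]
    except KeyError:
        raise socket.gaierror("constructed NXDOMAIN")

if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print(count_by_rhost(fails))
    # A peer at 198.51.100.7 whose PTR claims host1.example.edu is not
    # confirmed, because the name's real A record is 203.0.113.10.
    print(forward_confirmed("host1.example.edu", "198.51.100.7", fake_resolve))
    print(forward_confirmed("host1.example.edu", "203.0.113.10", fake_resolve))
```

Against a live system, drop the fake resolver and pass the real peer address; a name that fails to confirm is worth reporting as the address, not as the domain in the log.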
 
Old 09-06-2007, 12:32 AM   #3
johnvoisey
Member
 
Registered: Jun 2002
Location: UK
Distribution: Used many over the years, main ones now "CentOS", Slackware and Arch
Posts: 31

Original Poster
Thanks TBKDan, I'll send that email right now!
 
Old 09-06-2007, 06:45 AM   #4
TBKDan
Member
 
Registered: Dec 2005
Location: NY, USA
Distribution: Ubuntu
Posts: 44

I take back the second-to-last sentence in my first post; it turns out that there were some issues with 0.8.0 of Fail2ban's regex, so now 0.8.1 bans everything. Highly recommended, and pretty easy to set up. Simplest instructions: download it, extract it, run the install script, change the "enabled" to true in jail.conf, and then run fail2ban-client start. You should have some way to do that every bootup though (rc.local works fine).
 