Testers wanted for krb5 / gssftpd graylisting changes

Philip Prindeville philipp_subx at redfish-solutions.com
Sat Jun 24 18:57:21 UTC 2006


Hi.

I got tired of people running FTP password attacks on my machine from
China, Korea, Thailand, etc., so I came up with the following change:  the
FTP server remembers when a single session (connection) has had 3 failed
logins, and graylists that address for 60 seconds (configurable timeout,
actually).  If the user tries to reconnect again before that timeout
expires, the timeout gets restarted as another 120 seconds, etc., making
the timeout longer and longer until it hits some maximum (such as 2 weeks).

This at a minimum makes it a significantly more time-consuming attack on
a machine (without it, I've seen 30 connections coming into my server
trying 90 passwords per second)...

The changes, since they use an external database, also handle having
multiple simultaneous connections coming in parallel... and quickly
scale up the graylist interval.

I've attached the diffs to apply to the .spec file and the patch to put into
the SOURCES directory.  I.e.

* do an "rpm -i" of the .src RPM
* apply the diffs in the SPECS directory
* save the .patch file into the SOURCES directory
* do a normal build with "rpmbuild -bb"
* do an "rpm -U" of the new RPM binaries to install the patched package

That's it.

Please let me know what your experiences are.

Thanks,

-Philip

-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5.spec.patch
Type: text/x-patch
Size: 1753 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20060624/4c0ef395/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gssftpd-graylist-db4.patch
Type: text/x-patch
Size: 10099 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20060624/4c0ef395/attachment-0003.bin>
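The policy the post describes (3 failures in one session lists the address for 60 s; a reconnect inside the window doubles the penalty and restarts it; a shared database so parallel children escalate the same entry; a cap such as 2 weeks) is worked through below as an added example. It is not Philip's patch, which is C against db4 and is in the attachment above; here SQLite stands in for db4, the rule that an expired entry starts again at 60 s and that a parallel failing session doubles a live entry are my assumptions, and the addresses and clock values are constructed.

```python
import os
import sqlite3
import tempfile

MAX_TIMEOUT = 14 * 24 * 3600  # the post's "some maximum (such as 2 weeks)"


class Graylist:
    """Per-address penalties kept in one SQLite file (standing in for the
    patch's db4 database) so every forked ftpd child sees the same state."""

    def __init__(self, path, fail_threshold=3, base_timeout=60,
                 max_timeout=MAX_TIMEOUT):
        self.path, self.fail_threshold = path, fail_threshold
        self.base_timeout, self.max_timeout = base_timeout, max_timeout
        db = self._open()
        db.execute("CREATE TABLE IF NOT EXISTS graylist "
                   "(addr TEXT PRIMARY KEY, timeout INTEGER, expires INTEGER)")
        db.close()

    def _open(self):
        # Autocommit mode; each method opens its own BEGIN IMMEDIATE so the
        # read-modify-write on an address runs under the file's write lock and
        # two children cannot both double the same stale timeout.
        return sqlite3.connect(self.path, isolation_level=None)

    def _escalate(self, db, addr, row, now):
        """Double the penalty and restart its clock, capped at max_timeout."""
        timeout = min(row[0] * 2, self.max_timeout)
        db.execute("UPDATE graylist SET timeout=?, expires=? WHERE addr=?",
                   (timeout, now + timeout, addr))
        return timeout

    def check_connect(self, addr, now):
        """Run when a connection arrives. Returns 0 if the address may proceed,
        otherwise the (now longer) number of seconds it must stay away."""
        db = self._open()
        try:
            db.execute("BEGIN IMMEDIATE")
            row = db.execute("SELECT timeout, expires FROM graylist WHERE addr=?",
                             (addr,)).fetchone()
            timeout = 0 if row is None or row[1] <= now \
                else self._escalate(db, addr, row, now)
            db.execute("COMMIT")
            return timeout
        finally:
            db.close()

    def record_failed_session(self, addr, now):
        """Run once a session reaches fail_threshold bad logins. A fresh (or
        expired) entry starts at base_timeout; a penalty still running, e.g.
        from a parallel session of the same address, is doubled instead."""
        db = self._open()
        try:
            db.execute("BEGIN IMMEDIATE")
            row = db.execute("SELECT timeout, expires FROM graylist WHERE addr=?",
                             (addr,)).fetchone()
            if row is not None and row[1] > now:
                timeout = self._escalate(db, addr, row, now)
            else:
                timeout = self.base_timeout
                db.execute("INSERT OR REPLACE INTO graylist VALUES (?, ?, ?)",
                           (addr, timeout, now + timeout))
            db.execute("COMMIT")
            return timeout
        finally:
            db.close()


class FtpSession:
    """One control connection: counts its own failed logins and hands the
    address to the graylist exactly when the threshold is reached."""

    def __init__(self, graylist, addr, now):
        self.graylist, self.addr, self.now, self.failures = graylist, addr, now, 0

    def failed_login(self):
        self.failures += 1
        if self.failures == self.graylist.fail_threshold:
            return self.graylist.record_failed_session(self.addr, self.now)
        return 0


def simulate():
    """Replay the post's scenario on a fixed clock with constructed
    (RFC 5737 documentation) addresses; returns the penalty seen at each step."""
    attacker, legit, t0, out = "203.0.113.7", "198.51.100.5", 1_000_000, {}
    with tempfile.TemporaryDirectory() as d:
        gl = Graylist(os.path.join(d, "graylist.db"))
        s = FtpSession(gl, attacker, t0)
        for _ in range(3):
            out["listed_for"] = s.failed_login()            # 0, 0, then 60
        out["reconnect_10s"] = gl.check_connect(attacker, t0 + 10)   # 120
        out["reconnect_30s"] = gl.check_connect(attacker, t0 + 30)   # 240
        out["legit_host"] = gl.check_connect(legit, t0 + 30)         # 0
        out["after_expiry"] = gl.check_connect(attacker, t0 + 270)   # 0
        # Parallel failing sessions after expiry: each one doubles the last,
        # so the cap is reached after a handful of connections.
        sessions = 0
        while True:
            sessions += 1
            p = FtpSession(gl, attacker, t0 + 270)
            for _ in range(3):
                penalty = p.failed_login()
            if penalty == gl.max_timeout:
                break
        out["sessions_to_cap"] = sessions
    return out


if __name__ == "__main__":
    print(simulate())
```

The doubling is what makes the parallel case matter: 30 connections that each fail three passwords do not get 30 independent 60 s penalties, they walk the single entry from 60 s to the 2-week cap within the first sixteen. The one thing to check before deploying something like this for real is that the database the children share is opened under a lock, or two children can read the same old timeout and only one doubling survives.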

