[BlueOnyx:16372] Re: FTP knock on problems

George F. Nemeyer tigerwolf at tigerden.com
Sun Nov 2 08:44:30 -05 2014


On Sat, 1 Nov 2014, Michael Stauber wrote:

> That is actually spot on. I played the entire day with a new build of
> ProFTPd to tackle the pending issues.

Thanks for being tireless in pounding on these FTP issues!

I'm curious about your views on another aspect of ProFTPd.

Nasty port scanners/dictionary attackers often hit SSH and, using
denyhosts, those quickly land in hosts.deny and we brand the IP entry for
ALL: services.

A long time ago, on a non-BX machine, I fought trying to get ProFTPd to
work under xinetd so that it would be protected by /etc/hosts.deny.  But
now, ProFTPd seems to have its own 'ban engine' ability (which according
to some BX folks posting here may need to be shut off).  It apparently
blocks further retries after 'too many' failed attempts.  But I'm not sure
if it makes that information available to other services by any mechanism
or it just protects itself, or if it removes blocks by some criteria.

My feeling is that if somebody's abusively poking one service, I don't
want them even TOUCHING any other service...EVER!  So hosts.deny seems the
logical place to protect everything else once there's an attack on any one
service.

However, if the ProFTP ban engine is somehow especially useful, it would
be nice to integrate it into the machine's overall protection mechanisms.
On the other hand, if the ban engine only affects ProFTPd, and
*especially* if it causes some conflict with what's in hosts.deny, it
would likely be better to shut it off.

In your efforts, have you investigated the ProFTP ban engine, and what's
your take on it?
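
The bridge the post asks about, as an added example (editor's illustration, not code from the original post, from ProFTPd or from the BlueOnyx project): a small denyhosts-style script that reads ProFTPd's syslog lines, counts failed logins per client IP inside a sliding window, and renders the same `ALL: <ip>` entries denyhosts writes to /etc/hosts.deny, so a client that abuses FTP is refused by every TCP-wrappers-protected service and not only by ProFTPd. The sample log lines are constructed; the line pattern follows ProFTPd's "USER x: no such user found" and "USER x (Login failed): Incorrect password" messages, the log year (syslog omits it), the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of ProFTPd syslog lines (not taken from the original post).
# 203.0.113.7 fails three times in a few seconds; 198.51.100.4 mistypes once, then
# logs in; 203.0.113.9 fails only once. Addresses are documentation ranges.
SAMPLE_LOG = """\
Nov  2 08:40:01 bx proftpd[2101] bx (203.0.113.7[203.0.113.7]): USER admin: no such user found from 203.0.113.7 [203.0.113.7] to ::ffff:192.0.2.10:21
Nov  2 08:40:03 bx proftpd[2102] bx (203.0.113.7[203.0.113.7]): USER root: no such user found from 203.0.113.7 [203.0.113.7] to ::ffff:192.0.2.10:21
Nov  2 08:40:05 bx proftpd[2103] bx (203.0.113.7[203.0.113.7]): USER test (Login failed): Incorrect password
Nov  2 08:41:10 bx proftpd[2104] bx (198.51.100.4[198.51.100.4]): USER george (Login failed): Incorrect password
Nov  2 08:41:15 bx proftpd[2105] bx (198.51.100.4[198.51.100.4]): USER george: Login successful.
Nov  2 09:30:00 bx proftpd[2106] bx (203.0.113.9[203.0.113.9]): USER admin: no such user found from 203.0.113.9 [203.0.113.9] to ::ffff:192.0.2.10:21
"""

# Assumed shape of a ProFTPd failed-login line: syslog timestamp, host, process,
# "host (name[ip]):", then either "USER x: no such user found" or "USER x (Login failed)".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ proftpd\[\d+\] \S+ "
    r"\((?P<host>[^\[]*)\[(?P<ip>[^\]]+)\]\): USER (?P<user>[^\s:(]+)"
    r"(?P<why>: no such user found| \(Login failed\))"
)


def parse_timestamp(ts, year=2014):
    """Syslog timestamps carry no year; the caller supplies it (2014 is an assumption)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def failed_logins(log_text, year=2014):
    """Yield (timestamp, ip, user, reason) for every failed-login line; ignore the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield parse_timestamp(m["ts"], year), m["ip"], m["user"], m["why"].strip(" :()")


def offenders(log_text, threshold=3, window=timedelta(minutes=10), year=2014):
    """Return the IPs with at least `threshold` failures inside any `window`-long span."""
    per_ip = defaultdict(list)
    for ts, ip, _user, _why in failed_logins(log_text, year):
        per_ip[ip].append(ts)
    banned = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            # Slide the window's left edge forward until it covers at most `window`.
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                banned.add(ip)
                break
    return banned


def hosts_deny_lines(banned, existing=""):
    """Render 'ALL: <ip>' entries, skipping IPs already listed in the current hosts.deny text."""
    already = set()
    for line in existing.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("ALL:"):
            already.update(line[4:].replace(",", " ").split())
    return [f"ALL: {ip}" for ip in sorted(banned) if ip not in already]


if __name__ == "__main__":
    # Real use: feed /var/log/messages (or ProFTPd's own log) and append the
    # returned lines to /etc/hosts.deny, the same file denyhosts maintains.
    current_hosts_deny = "# constructed example of an existing file\nALL: 203.0.113.9\n"
    for entry in hosts_deny_lines(offenders(SAMPLE_LOG), current_hosts_deny):
        print(entry)
```

Because the script keys on the client IP inside ProFTPd's own log lines, it does not depend on mod_ban being on or off: mod_ban's table is consulted only by ProFTPd, whereas an `ALL:` line in hosts.deny is honoured by every service linked against TCP wrappers (sshd among them), which is the "never touching any other service" behaviour the post asks for. Run it from cron or a log follower with the same threshold denyhosts uses so the two mechanisms agree.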
