[ntp:questions] Re: Taming the pinball machine

David L. Mills mills at udel.edu
Tue Nov 11 19:22:13 UTC 2003


Roy,

Verily you fetched up on the hosts.deny wrappers. As I said in my
previous, server ftp.udel.edu has 14,000 lines in that file, probably
accounting for 3000-5000 blocked domains. What this means is that
sometime in the recent past some perp sharing your domain name did a
nasty and despicable attack on ftp.udel.edu. This would have been a
persistent attack, like a serious password cracker or denial clogger
that popped up in the security logs. The threshold is rather high, so
the attack would have to be logged and prominently displayed. As for
you, fate sharing in domain attbi.com is inescapable. The sysadmin would
be happy to punch a hole in that domain for you, assuming you have a
fixed host address.

I just had a chat with our security maven, who gave one example of such
despicable attacks: ten ssh password cracking attempts in a row. You
might argue this a rather low parannoy threshold, but there it is. The
hosts.deny file is purged at the new year epoch and this year has grown
to 14,000 lines. The maven further confirmed there is no blacklist for
the web www.eecis.udel.edu or www.ntp.org. Yes, and we all know a
determined hacker spoofing IP addresses of known ISPs can easily cause a
denial of service attack by filling up hosts.deny with bogus blacklists.
There is every reason to suggest this has already happened.

Dave

Roy wrote:
> 
> "David L. Mills" <mills at udel.edu> wrote in message news:<3FAA852A.A621A420 at udel.edu>...
> > Roy,
> >
> > Can you clarify the login problem? Login as anonymous works from here
> > (campus).
> 
> Hi Dave,
> 
> I get much the same message that Barry mentions.  Access denied
> because login failed.  However, I can find no indication in my
> firewall logs that there is any unsuccessful attempt to connect to my
> system.  Of course, this system can connect to other ftp servers just
> fine.  It may be an interesting coincidence that my connection also
> has a domain alias through dyndns.org...  Here's the terminal log:
> 
> 7> ftp
> ftp> open ftp.udel.edu
> Connected to huey.udel.edu.
> 
> Name (ftp.udel.edu:me2): ftp
> X.ne.client2.attbi.com, access denied into UDEL EECIS, contact
> staff at eecis.udel.edu for reason
> ftp: Login failed.
> 421 Service not available, remote server has closed connection.
> ftp> bye
> 8> ftp ftp.udel.edu
> Connected to huey.udel.edu.
> 
> Name (ftp.udel.edu:me2): anonymous
> X.ne.client2.attbi.com, access denied into UDEL EECIS, contact
> staff at eecis.udel.edu for reason
> ftp: Login failed.
> 421 Service not available, remote server has closed connection.
> ftp>
> 
> > A quicker way is with a browser to
> > ftp://ftp.udel.edu/pub/ntp/software/.
> >
> 
> This seems crazy, but Microsoft Internet Explorer returns a "Cannot
> find server" error with this url.  Even replacing the DNS name with
> the direct IP address gives the same error.  As always, thanks for
> your assistance.
> 
> Have a great time,
> 
> 
> roy
> --
> The suespammers.org mail server is located in California.  Please do
> not send unsolicited bulk e-mail or unsolicited commercial e-mail to
> my suespammers.org address or any of my other addresses.  These are my
> opinions, not necessarily my employer's.
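
The threshold described in the message (ten ssh password failures in a row leading to a hosts.deny entry) can be sketched as follows. This is an added example, not code from the message or from the UDel staff; it assumes OpenSSH-style "Failed/Accepted password" log lines, uses constructed sample lines with documentation-range addresses, and its function names are hypothetical.

```python
import re
from collections import defaultdict

# OpenSSH auth-log lines: "Failed password for [invalid user ]NAME from IP port N ssh2"
EVENT = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?\S+ from (\S+) port")

def longest_failure_runs(log_lines):
    """Return {source_ip: longest run of consecutive failed logins}."""
    current = defaultdict(int)
    longest = defaultdict(int)
    for line in log_lines:
        m = EVENT.search(line)
        if not m:
            continue
        outcome, src = m.groups()
        if outcome == "Accepted":
            current[src] = 0          # a success breaks the run
        else:
            current[src] += 1
            longest[src] = max(longest[src], current[src])
    return dict(longest)

def deny_entries(log_lines, threshold=10, exempt=()):
    """Build hosts.deny lines for sources at or over the threshold.

    Entries name single addresses rather than whole domains, which avoids
    the fate sharing described in the message. `exempt` plays the role of
    the "hole punched" for a known fixed address.
    """
    runs = longest_failure_runs(log_lines)
    return [f"sshd: {ip}" for ip, n in sorted(runs.items())
            if n >= threshold and ip not in exempt]

def sample_log():
    """Constructed log: one source fails 10 times, one fails 9 then succeeds."""
    fail = "Nov 11 19:00:{:02d} host sshd[{}]: Failed password for {} from {} port 4000 ssh2"
    ok = "Nov 11 19:01:00 host sshd[99]: Accepted password for roy from 198.51.100.7 port 4000 ssh2"
    lines = [fail.format(i, 100 + i, "invalid user admin", "192.0.2.10") for i in range(10)]
    lines += [fail.format(i, 200 + i, "roy", "198.51.100.7") for i in range(9)]
    lines += [ok, fail.format(30, 300, "roy", "198.51.100.7")]
    return lines

if __name__ == "__main__":
    print("\n".join(deny_entries(sample_log())))
```
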


