Graylisting clients w/ gss (krb5)'s ftpd

Philip Prindeville philipp_subx at redfish-solutions.com
Thu Jun 1 22:30:23 UTC 2006


I'm using the FTP server that comes with kerberos 5 (in krb5-workstation),
and noticed that by default everyone with a password can log in *except*
those in /etc/ftpusers (which by default doesn't exist... but probably
should, even if it only includes "root" by default).

Anyway, I noticed that this server was susceptible to getting FTP password
attacks from East Asia, and I decided this was pretty annoying.  So I
came up with a graylisting mechanism that applies exponential backoff (up
to a maximum) for someone logging in with bad user names or passwords.

It's not enabled by default, but if you use the -g, -G, and -S arguments
then it gets turned on (actually, you can get by with just the -g
argument, and the rest will default to reasonable values).

We use it here as (in /etc/xinetd.d/gssftp):

server_args     = -l -l -g 60 -G 604800 -S 2

which means:

the first time someone logs in with 3 bad connection attempts in a row,
graylist them for 60 seconds.

If the user logs in correctly, his future graylisting time is forgotten.

If the user connects after his graylisting time expires, the connection
is permitted.  Otherwise, the user is spanked and his graylisting time
increased by the scaling factor (in this case doubling) until it reaches
the maximum graylist amount (here it's 7 days), starting from that
instant.

While this doesn't make a site significantly more protected, it does
hugely increase the amount of time (and simultaneous resources) that
someone trying to randomly break into sites would have to take...
making it more likely that they would be detected... then reported,
investigated, prosecuted... and hung... before doing any substantial
damage.

I've suggested to the Kerberos team at MIT that they include these
changes upstream... (minus the man page updates, which I only
just finished).

If anyone wants to try these out or send me comments on the patches,
I'd appreciate it.

Thanks,

-Philip



-------------- next part --------------
Attachment: gssftpd-graylist.patch (text/x-patch, 9042 bytes)
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20060601/6475ba87/attachment-0002.bin
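The backoff rule Philip spells out above (trip after 3 bad logins in a row, graylist for -g seconds, multiply by -S on every connection that arrives inside the window and restart the window from that instant, cap at -G, forget everything on a good login), written out as an added C example. This is not the attached patch and not MIT krb5's ftpd code; it assumes clients are keyed by their address string in a small in-memory table, that an escalated period survives an expired window until the next successful login, and that the tunables are the ones from the server_args line (-g 60 -G 604800 -S 2). Sample addresses are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Tunables matching the server_args in the post: -g 60 -G 604800 -S 2 */
#define GL_INITIAL   60L       /* -g: first graylist period, in seconds */
#define GL_MAX       604800L   /* -G: ceiling on the period (7 days) */
#define GL_SCALE     2L        /* -S: multiplier applied on each repeat */
#define GL_THRESHOLD 3         /* bad logins in a row before graylisting */
#define GL_SLOTS     64        /* size of the hypothetical in-memory table */

struct gl_entry {
    char   addr[48];   /* client address used as the key (an assumption) */
    int    failures;   /* consecutive bad logins since the last success */
    long   period;     /* current graylist length in seconds; 0 = never tripped */
    time_t until;      /* graylisted until this instant; 0 = not graylisted */
};

static struct gl_entry gl_table[GL_SLOTS];

/* Find the entry for addr, optionally claiming a free slot.
 * Returns NULL if the address is unknown (or the table is full). */
static struct gl_entry *gl_lookup(const char *addr, int create)
{
    struct gl_entry *free_slot = NULL;
    for (int i = 0; i < GL_SLOTS; i++) {
        if (gl_table[i].addr[0] == '\0') {
            if (!free_slot) free_slot = &gl_table[i];
        } else if (strcmp(gl_table[i].addr, addr) == 0) {
            return &gl_table[i];
        }
    }
    if (!create || !free_slot) return NULL;
    memset(free_slot, 0, sizeof *free_slot);
    snprintf(free_slot->addr, sizeof free_slot->addr, "%s", addr);
    return free_slot;
}

/* New connection from addr at time now. Returns 1 to admit, 0 to refuse.
 * A connection that arrives while the client is still graylisted is
 * refused, the period is multiplied by GL_SCALE (capped at GL_MAX) and
 * the window restarts from this instant. */
int gl_connect(const char *addr, time_t now)
{
    struct gl_entry *e = gl_lookup(addr, 0);
    if (!e || e->until == 0 || now >= e->until)
        return 1;
    e->period *= GL_SCALE;
    if (e->period > GL_MAX) e->period = GL_MAX;
    e->until = now + e->period;
    return 0;
}

/* Bad user name or password from addr. After GL_THRESHOLD failures in a
 * row the client is graylisted for its current period (GL_INITIAL the
 * first time; an already escalated period is kept, an assumption here). */
void gl_fail(const char *addr, time_t now)
{
    struct gl_entry *e = gl_lookup(addr, 1);
    if (!e) return;                 /* table full: cannot track, fail open */
    if (++e->failures < GL_THRESHOLD) return;
    e->failures = 0;
    if (e->period == 0) e->period = GL_INITIAL;
    e->until = now + e->period;
}

/* Successful login: the client's graylist history is forgotten. */
void gl_success(const char *addr)
{
    struct gl_entry *e = gl_lookup(addr, 0);
    if (e) memset(e, 0, sizeof *e);
}

/* Current period for addr in seconds (0 if the client is unknown). */
long gl_period(const char *addr)
{
    struct gl_entry *e = gl_lookup(addr, 0);
    return e ? e->period : 0;
}

int main(void)
{
    const char *bot = "198.51.100.7";        /* constructed sample address */
    time_t t = 1000;
    for (int i = 0; i < GL_THRESHOLD; i++) gl_fail(bot, t);
    printf("tripped: graylisted for %ld s\n", gl_period(bot));
    for (int i = 0; i < 5; i++) {            /* bot retries every 10 seconds */
        t += 10;
        printf("t=%ld retry -> %s, period now %ld s\n", (long)t,
               gl_connect(bot, t) ? "admit" : "refuse", gl_period(bot));
    }
    t += gl_period(bot);                     /* bot finally waits it out */
    printf("t=%ld after waiting -> %s\n", (long)t,
           gl_connect(bot, t) ? "admit" : "refuse");
    return 0;
}
```

Note the design point the post makes: every impatient retry inside the window lengthens the window, so a scanner that hammers the port talks itself up to the 7-day cap within about fourteen attempts, while a client that simply waits out the current period is admitted.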

