Alert ! Did someone get access to my ftp ??!!
Donovan
11-09-2000, 08:50 PM
Here is what I saw checking my daemon.log:
www in.ftpd[7703]: connect from AC8A7079.ipt.aol.com
This is not me, since my web site on my webserver is still in development, and I never use AOL.
Does this mean someone got into my FTP server ??
It seems only 1 account is able to log in by FTP: me, the only user on my server (and I'm not root).
So why do I get this ? I tried to log in as an anonymous user but it didn't work, so I really don't see why I have this in my log.
Donov
mandeep
11-09-2000, 08:51 PM
AOL script kiddie?
Donovan
11-09-2000, 08:54 PM
?
Does it mean they got access, or just that they probed ?
Donov
larryliberty
11-09-2000, 09:08 PM
For fsck sake, turn off FTP if you're not using it!
And get a firewall! http://muse.linuxmafia.org - download gShield.
(Sorry if I got carried away, but everything I've seen on security for Linux says turn off all services you don't need.)
OK, now that I've regained my composure, you should make sure ftp is running through TCP wrappers. You have a file /etc/inetd.conf. Edit this (you'll need to be root for this) file and look for a line containing 'ftp'. It should look like this:
ftp stream tcp nowait root /usr/sbin/tcpd wu.ftpd -l -i -a
If there's no '/usr/sbin/tcpd' after the word 'root', add it. Now, save this file and edit hosts.deny. This file should have one line: 'ALL:ALL'. Now edit hosts.allow. This file should have at least one line 'ALL:127.0.0.1', which will allow you to access services from your machine. If you have a home network, add a line 'ALL:192.168.1.' (change this according to your home subnet). Now the kiddies won't be able to get in unless they spoof their IP address, and if they do, gShield will stop them.
All this assumes, of course, that you haven't already been cracked. If you're paranoid, then you might want to reinstall. If you're not, I'm sorry I brought up the matter.
------------------
Democracy: Two wolves and a lamb deciding what to have for dinner.
Constitutional Republic: Same as above, but lamb's not on the menu (unless the wolves are really hungry).
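An added example (not code from this thread or from tcpd) that parses the daemon.log line Donovan quoted and evaluates the client against hosts.allow / hosts.deny contents in tcpd's order: hosts.allow first, then hosts.deny, otherwise allow. The log line and rule files are constructed from the posts above; the pattern syntax handled is an assumed subset (ALL, exact match, trailing-dot network prefix such as '192.168.1.', leading-dot domain suffix).

```python
import re

# Constructed sample line in the format quoted in the first post (not a real capture).
SAMPLE_LOG = "www in.ftpd[7703]: connect from AC8A7079.ipt.aol.com"
LOG_RE = re.compile(r"^(\S+)\s+(\S+?)\[\d+\]:\s+connect from\s+(\S+)")

# Constructed hosts.allow / hosts.deny contents following larryliberty's advice.
HOSTS_ALLOW = "ALL:127.0.0.1\nALL:192.168.1.\n"
HOSTS_DENY = "ALL:ALL\n"

def parse_connect(line):
    """Return (daemon, client) from a 'connect from' log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return (m.group(2), m.group(3)) if m else None

def _parse_rules(text):
    """Turn 'daemon_list : client_list' lines into ([daemons], [clients]) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def _pattern_matches(pattern, value):
    # Assumed subset of the tcpd pattern syntax: ALL, exact name/address,
    # trailing-dot network prefix ('192.168.1.'), leading-dot domain suffix ('.aol.com').
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return value.startswith(pattern)
    if pattern.startswith("."):
        return value.endswith(pattern)
    return value == pattern

def _matches(rules, daemon, client):
    return any(any(_pattern_matches(d, daemon) for d in ds) and
               any(_pattern_matches(c, client) for c in cs) for ds, cs in rules)

def is_allowed(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Mirror tcpd's evaluation order: hosts.allow wins, then hosts.deny, else allow."""
    if _matches(_parse_rules(allow), daemon, client):
        return True
    if _matches(_parse_rules(deny), daemon, client):
        return False
    return True

if __name__ == "__main__":
    daemon, client = parse_connect(SAMPLE_LOG)
    print(daemon, client, "allowed" if is_allowed(daemon, client) else "denied")
```

With the deny-all / allow-local rules, the AOL client from the log would be refused; a later 'in.ftpd:ALL' line in hosts.allow would let it back in, which is the trade-off the thread goes on to discuss.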
larryliberty
11-09-2000, 09:13 PM
Originally posted by Donovan:
?
Does it mean they got access, or just that they probed ?
Donov
They definitely got access, the question is whether or not they got root. If they got root, they're pretty lame not to have wiped the log.
If you really want to use FTP, I used to have it setup so it chrooted anonymous users and they couldn't see anything except /home/ftpd. I've reinstalled since then, and I forgot what I did. If you're interested, I'll try to retrace my steps and post something.
Donovan
11-09-2000, 10:10 PM
If there's no '/usr/sbin/tcpd' after the word 'root', add it. Now, save this file and edit hosts.deny. This file should have one line: 'ALL:ALL'. Now edit hosts.allow. This file should have at least one line 'ALL:127.0.0.1', which will allow you to access services from your machine. If you have a home network, add a line 'ALL:192.168.1.' (change this according to your home subnet). Now the kiddies won't be able to get in unless they spoof their IP address, and if they do, gShield will stop them.
Well thanks for your answer.
The fact is that the computer is a web server. So what exactly should I put in the allow file ? I really must not make a mistake there !
Thanks again,
Donov
larryliberty
11-09-2000, 10:18 PM
I would say don't put anything in there until you're ready to go live. When you are, add a line like this 'ftpd:ALL'. You'll also need to change your firewall configuration file to allow ftp in. Of course, unless you want to allow users to download files from your site, you'll probably want to leave ftp disabled.
------------------
Democracy: Two wolves and a lamb deciding what to have for dinner.
Constitutional Republic: Same as above, but lamb's not on the menu (unless the wolves are really hungry).
Donovan
11-09-2000, 10:22 PM
Ftp disabled would be good, but how am I supposed to do my daily work and upload/download files ? (I'm at home and remotely administer the server.)
Thanks,
Donov
jbstew32
11-09-2000, 10:36 PM
The FTP daemon just allows a user to connect to your box remotely using the FTP protocol (your box is acting like an FTP server). If you need this capability, get yourself a damn firewall script, because FTP is dangerous to have open all the time (and telnet as well). If you don't need to remotely connect to your box, TURN IT OFF!
larryliberty
11-10-2000, 07:45 AM
Originally posted by Donovan:
Ftp disabled would be good, but how am I supposed to do my daily work and upload/download files ? (I'm at home and remotely administer the server.)
Thanks,
Donov
You can add a line to your hosts.allow file 'ALL:192.168.1.' (Replace the 192.168.1 with whatever your internal network is.) This will allow use of your services from your home computers.
posterboy
11-10-2000, 08:45 AM
By all means, do investigate SSH. We don't know that it's perfect, but we do know that it is a loooong way better than raw ftp and telnet. In this way, you can cut OFF telnet and ftp completely. It does not carry passwords "in the open", ever. You are going to need both telnet and ftp abilities to remote admin the Apache box, and both are provided in SSH.
Ray
------------------
ray@raymondjones.net
HTTP://www.raymondjones.net
Donovan
11-10-2000, 08:48 AM
Well I use SSH already and have telnet disabled, but I find it very uncomfortable to upload files and browse directories with it. I didn't even know it was possible to upload files with ssh !!
Anyway, I finally did it: I denied all access except for my IP :)
I feel much better now !
Donov
posterboy
11-10-2000, 09:05 AM
yes, try man scp and man scp2. That's Secure CoPy. You also have sftp, self explained.
------------------
ray@raymondjones.net
HTTP://www.raymondjones.net