Security Incidents
mailing list archives
Re: ano () ano com ftpd dip.t-dialin.net
From: TOK <skybound () inbox lv>
Date: 08 Nov 2002 07:40:09 +0100
On Thu, 2002-11-07 at 17:52, Dave Laird wrote:
> Good morning, everyone...
> ...
> Another possible alternative, at least if you are using Linux running IPTables
> is to move your FTP server *inside* the firewall, to an internal IP of your
> choosing and severely constrain access to it using a well-chosen IPTables
> script. Of course, if you are as road-weary as I am of the games that
> dip.t-dialin.net users have attempted in the past, simply firewall them
> entirely by their IP's. It's crude, it's rude, and perhaps not even good
> policy, but it certainly cuts down the volume of spurious traffic of all kinds.
>
> [Standard Disclaimer] "Of course, I could be *WRONG* about anything I say,
> but then I learned everything I know about networking from a pragmatic
> wizard."
>
> Dave
> --
> Dave Laird (dlaird () kharma net)
> The Used Kharma Lot

did you know that (practically) all Telekom users don't have a static
IP? dialin and ADSL line IPs are chosen from quite large pools, during
the last week my box got IPs within 80.134/16, 217.226/16 and 217.84/16.
lines sold to companies or high end DSL may include a static IP, but
anyone doing ~funny~ stuff through one of these would be worse than a
script kid.

so by blocking single IPs, you'll block anyone (but no one specific) and
only dropping all packets from all Telekom subnets (to that service)
will have the desired effect.

if you're advising to do such, to get rid of some warez guys probing for
anon ftp, i'd like to comment, that imho you are breaking a butterfly on
a wheel.

concerning the username (other posts), google shows:
a) ano may be a valid email (www.ano.com exists)
b) can be found in ftpd logs all over the world
c) besides it is quicker to type than anonymous and easily recognizable
as valid email == passwd

probably no conspiracy here ;-(

best regards,
tok
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
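
The trade-off discussed in the message above (single-IP blocks versus dropping whole dynamic pools for one service), as an added example that is not part of the original post. The event list and host addresses are constructed inside the three /16 pools the post names, and the "block after the first probe" policy is an assumption made for illustration.

```python
import ipaddress

# Constructed sample events: (source IP, kind). "probe" = anonymous FTP login
# attempt; "legit" = an unrelated customer of the same ISP.
EVENTS = [
    ("80.134.12.7", "probe"),
    ("80.134.200.41", "probe"),   # same prober after a redial, new lease
    ("217.226.3.90", "probe"),
    ("80.134.12.7", "legit"),     # old address re-leased to someone else
    ("217.226.77.5", "probe"),
    ("217.84.9.1", "probe"),
    ("217.84.33.2", "probe"),
    ("217.84.10.10", "legit"),
]

def replay(events, prefix_len):
    """Replay events under a reactive policy: every probe that reaches ftpd
    gets its source blocked, widened to prefix_len bits (32 = single IP,
    16 = whole pool). Returns (probes_reached, legit_dropped, blocked_nets)."""
    blocked = []
    reached = legit_dropped = 0
    for ip, kind in events:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in blocked):
            if kind == "legit":
                legit_dropped += 1   # collateral damage
            continue
        if kind == "probe":
            reached += 1
            blocked.append(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
    return reached, legit_dropped, blocked

def iptables_rules(nets, dport=21):
    """Render DROP rules limited to the FTP control port ("to that service")."""
    return [f"iptables -A INPUT -s {n} -p tcp --dport {dport} -j DROP" for n in nets]

if __name__ == "__main__":
    for bits in (32, 16):
        reached, dropped, nets = replay(EVENTS, bits)
        print(f"/{bits}: probes reaching ftpd={reached}, "
              f"legit dropped={dropped}, rules={len(nets)}")
    print("\n".join(iptables_rules(replay(EVENTS, 16)[2])))
```

On this sample the per-IP policy never stops a repeat probe and still drops one unrelated user who inherited a blocked address, while the /16 policy halves the probes that get through at the cost of dropping both unrelated users.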