Subject: Re: Crackers getting into FTPD ?
To: , <current-users@netbsd.org>
From: John Maier <jmaier@midamerica.net>
List: current-users
Date: 06/05/2001 22:22:06
Try setting up a /etc/hosts.allow or /etc/hosts.deny file which will deny
IPs or rarp/domains to be allowed to connect even if they were to have a
valid username/password.

The man pages have good info on how to set up these files...unfortunately I'm
on holiday and have intentionally disallowed myself from my systems :-) so I
really don't have any good examples.

john

----- Original Message -----
From: "James Sharp" <jsharp@psychoses.org>
To: "Mike Cheponis" <mac@Wireless.Com>
Cc: <netbsd-help@netbsd.org>; <current-users@netbsd.org>
Sent: Tuesday, June 05, 2001 10:06 PM
Subject: Re: Crackers getting into FTPD ?


> > Apr 19 13:45:32 G ftpd[5190]: connection from 202.144.164.2 to G.Culver.Net
> > Apr 20 17:13:29 G ftpd[6222]: connection from h24-78-185-192.vn.shawcable.net to G.Culver.Net
> > Apr 22 11:03:35 G ftpd[7877]: connection from cm-12-39-79-137.bullhead.npg.ispchannel.com to G.Culver.Net
> > Apr 22 13:22:12 G ftpd[7926]: connection from c73274-a.frmt1.sfba.home.com to G.Culver.Net
> > Apr 23 01:35:08 G ftpd[8185]: connection from pD900AF7B.dip.t-dialin.net to G.Culver.Net
> > Apr 29 21:06:29 G ftpd[14096]: connection from gosax1-194.dialup.optusnet.com.au to G.Culver.Net
> > May  3 20:26:44 G ftpd[1070]: connection from pool21.primacom.net to G.Culver.Net
> > May  4 21:18:49 G ftpd[1955]: connection from pD90309AC.dip.t-dialin.net to G.Culver.Net
> > May  9 04:59:17 G ftpd[1798]: getpeername (ftpd): Socket is not connected
> > May  9 19:41:36 G ftpd[2757]: connection from cc382751-b.narltn1.nj.home.com to G.Culver.Net
> > May 18 08:03:16 G ftpd[18928]: connection from HSE-Toronto-ppp129951.sympatico.ca to G.Culver.Net
> >
> >
> > How are these crackers getting access?  I have exactly ONE account on these
> > machines, with a pretty darn non-obvious password.
> >
> > This is 1.5T
> >
>
> That's just them connecting...they're not actually authenticating and
> logging in.  They're probing & poking to see if they can get in.
>
>
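
The hosts.allow / hosts.deny suggestion above, as an added example that is not part of the original thread: a simplified Python model of hosts_access(5) rule evaluation, run against sources taken from the quoted log. The daemon name `ftpd`, the rule lines and the trusted addresses are constructed assumptions; real tcp_wrappers also checks both the name and the address of each client, which this model does not.

```python
import ipaddress

# Constructed rules in hosts_access(5) syntax; daemon name "ftpd" is assumed.
HOSTS_ALLOW = ["ftpd: 192.0.2. .example.org 198.51.100.0/255.255.255.0"]
HOSTS_DENY = ["ftpd: ALL"]

def pattern_matches(pattern, client):
    """Match one client pattern against an address or hostname string."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):      # hostname suffix, e.g. .example.org
        return client.lower().endswith(pattern.lower())
    if pattern.endswith("."):        # address prefix, e.g. 192.0.2.
        return client.startswith(pattern)
    if "/" in pattern:               # net/mask form
        try:
            return ipaddress.ip_address(client) in ipaddress.ip_network(pattern)
        except ValueError:           # client is a hostname, not an address
            return False
    return client.lower() == pattern.lower()

def rule_matches(rule, daemon, client):
    """True if a 'daemons: clients' rule applies to this daemon and client."""
    daemons, _, clients = rule.partition(":")
    names = daemons.replace(",", " ").split()
    if daemon not in names and "ALL" not in names:
        return False
    return any(pattern_matches(p, client)
               for p in clients.replace(",", " ").split())

def decide(client, allow_rules, deny_rules, daemon="ftpd"):
    """Search order: allow file first, then deny file, otherwise grant."""
    if any(rule_matches(r, daemon, client) for r in allow_rules):
        return "allow"
    if any(rule_matches(r, daemon, client) for r in deny_rules):
        return "deny"
    return "allow"   # no match in either file means access is granted

if __name__ == "__main__":
    # First two sources are from the quoted log; the rest are constructed.
    for src in ["202.144.164.2", "pool21.primacom.net",
                "192.0.2.10", "host.example.org"]:
        print(src, decide(src, HOSTS_ALLOW, HOSTS_DENY))
    # Without a deny file the allow list alone blocks nobody.
    print("no deny file:", decide("202.144.164.2", HOSTS_ALLOW, []))
```

The last line of output shows why an allow list needs a matching catch-all deny rule: a client that matches neither file is granted access.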