Bug 241008 - Too many login attempts allowed by vsftpd
Summary: Too many login attempts allowed by vsftpd
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: vsftpd (Show other bugs)
(Show other bugs)
Version: 4.5
Hardware: All Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Maros Barabas
QA Contact:
URL:
Whiteboard:
Keywords: Reopened
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-05-23 16:32 UTC by John Robinson
Modified: 2007-11-17 01:14 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-05-28 08:12:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
My vsftpd config (4.10 KB, text/plain)
2007-05-23 23:22 UTC, John Robinson 		no flags Details
My pam.d/vsftpd (452 bytes, text/plain)
2007-05-23 23:25 UTC, John Robinson 		no flags Details
Add an attachment (proposed patch, testcase, etc.)

Description John Robinson 2007-05-23 16:32:55 UTC 
Description of problem:
vsftpd doesn't kill the session after too many login attempts

Version-Release number of selected component (if applicable):
2.0.1-5.EL4.5

How reproducible:
100%

Steps to Reproduce:
1.Use rubbish login details 10, 100, 1e81 times
2.
3.
  
Actual results:
It doesn't kick you off

Expected results:
It should kick you off

Additional info:
Logwatch tells me:
 (148.243.223.220): john - 2432 Time(s)
 (148.243.223.220): jeff - 364 Time(s)
 (148.243.223.220): amanda - 2432 Time(s)
I have a firewall config which limits repeated connections from the same IP, so
the above couldn't happen if it was caused by multiple connections.

I note that vsftpd 2.0.5 has a change to "Kick session after a few login fails.
Allows IP blocking solutions to be more immediately effective." -
ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.0.5/Changelog - so I wonder
if this could be added into an update to the RHEL release.
Comment 1 Maros Barabas 2007-05-23 21:40:15 UTC 
Attach your vsftpd configuration please. Thanks
Comment 2 John Robinson 2007-05-23 23:22:58 UTC 
Created attachment 155306 [details]
My vsftpd config

Not too far from stock, I think
Comment 3 John Robinson 2007-05-23 23:25:59 UTC 
Created attachment 155307 [details]
My pam.d/vsftpd

Edited slightly, so users with valid shells CAN'T log in.
Comment 4 Maros Barabas 2007-05-24 08:14:04 UTC 
Please add "max_login_fails" directive to your vsftpd configuration specifying
the number of login failures before the session is killed.
Comment 5 John Robinson 2007-05-24 09:53:25 UTC 
Doing so causes my vsftpd to fail to start, apparently logging nothing at all. I
am using vsftpd-2.0.1 in EL4.
Comment 6 Maros Barabas 2007-05-28 08:12:50 UTC 
I'm sorry. This feature has been added up to 2.0.4 release. If you want to
update vsftpd for RHEL 4 to current version (2.0.5), please open new appropriate
bug. Thanks
Note You need to log in before you can comment on or make changes to this bug.