This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to drop a ftp connection trying login via a disabled usernames

Hello All,

I am a "newbie" to the Astaro system, figure this is a good location to start the thread. I need some help regarding an ftp issue.

The goal of the task is to be able to drop any connection trying to login to the ftp server via brut force username methodologies lets say after 5 tries.

Below is a typical example of the traffic that I am seeing:

0714 00:36:09 (00000850) {dns computer.domain.com}D(0) 83.16.13.234 adrian USER teo
0714 00:36:09 (00000850) {dns computer.domain.com}D(0) 83.16.13.234 adrian USER teo
0714 00:36:09 (00000850) {dns computer.domain.com}D(0) 83.16.13.234 adrian USER teo
0714 00:36:09 (00000850) {dns computer.domain.com}D(0) 83.16.13.234 adrian USER teo
0714 00:36:10 (00000850) {dns computer.domain.com}D(0) 83.16.13.234 adrian USER teo
0714 00:36:10 (00000850) {dns computer.domain.com}D(0) 83.16.13.234 adrian USER teo
0714 00:36:10 (00000850) {dns computer.domain.com}D(0) 83.16.13.234 adrian USER stephen
0714 00:36:10 (00000850) {dns computer.domain.com}D(0) 83.16.13.234 adrian USER stephen
0714 00:36:10 (00000850) {dns computer.domain.com}D(0) 83.16.13.234 adrian USER stephen
0714 00:36:10 (00000850) {dns computer.domain.com}D(0) 83.16.13.234 adrian USER stephen
0714 00:36:11 (00000850) {dns computer.domain.com}D(0) 83.16.13.234 adrian USER stephen
0714 00:36:11 (00000850) {dns computer.domain.com}D(0) 83.16.13.234 adrian USER Stephen

Or they try to connect via "admin" or "administrator" username and then random passwords.

I any suggestions will greatly be appreciated.

Regards,
Daniel

This thread was automatically locked due to age.

Parents

0 BarryG over 19 years ago

You should be able to create a Snort rule to look for administrator ftp logins (if there isn't one already).

The other part would be much harder.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 19 years ago in reply to BarryG

Doing this with the IPS will be impossible.. too many possibilities. We've dealt with the problem by just using a FTP package that supports automatic blacklisting of those who attempt to brute force their way in.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BrucekConvergent over 19 years ago in reply to BarryG

Doing this with the IPS will be impossible.. too many possibilities. We've dealt with the problem by just using a FTP package that supports automatic blacklisting of those who attempt to brute force their way in.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 00spool over 19 years ago in reply to BrucekConvergent

I have the same problem... I run about 20 web servers, each with FTP servers and I've been finding in the logs that people are trying to brute force their way in by using the "Administrator" or "admin" usernames. There are thousands of entries per hour of failed login attempts.

I'm using Windows 2000 Server and I've renamed the Administrator account so they'll never get in, nonetheless, it's taxing the resources of the servers and it's wasted bandwidth.

Windows FTP server is very primitive and there's no real way to stop it on that end. I've looked for a way to stop it in the Astaro Firewall IPS... I'm surprised there's no functionality for this already in there, I'd think this would be a common problem...
Cancel
Vote Up 0 Vote Down

Cancel
0 Mitch Miller over 19 years ago in reply to 00spool

there is a nice 3rd party windows ftp server. bulletproof ftp. runs on windows and supports unix commands like chmod. it also has auto blacklists, bandwidth throttleing etc. I have used it for nearly a decade. oh it also does not use local machine accounts.

http://www.bpftp.com/
Cancel
Vote Up 0 Vote Down

Cancel