FTP security

Pulsar

Diamond Member
Mar 3, 2003
5,225
306
126
Ok. So I have an FTP server running and within 1 day of putting it up some jackass from Japan started pounding away at it with a password generator, "Administrator" and xxxxxxxx....

Is it possible to mask the FTP so people can't find it? Of course, the Administrator account doesn't exist - that was the first thing that I changed.

Funny part is the attacks are originating from a Japanese government office =/. Obviously they've had their system broken into.
 

TC10284

Senior member
Nov 1, 2005
308
0
0
Not that I know of. They are either port scanning your IP, finding that you have ports 20 and 21 open, then using a bot to generate passwords for administrator. I don't know if there is really any way you can mask ports 20 and 21 from showing up in a port scan.
You could look into an sftp program that uses SSH, but that will mainly help keep the username/password that a legit user sends (in cleartext) from being captured by a packet capturing util.

I get these types of login requests on my home FTP server...and administrator doesn't even exist. Usually I either ban the IP or just ignore it because they're not going to get in as admin anyway...
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
you shouldn't use those 2 words next to each other.


you can change the port to nonstandard, but that makes it a pain in the butt for non geek users to use. sftp is a MUCH better option, but it's a bit more painful to run on windows than on *nix (which pretty much has it out of box for almost any distro).
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
oh, and as long as you "secure" (as much as is reasonably possible with an antique, insecure design as FTP) your server, then just sit back and ignore them. I get between 200-2K login attempts per day on my ftp server.
 

p0lar

Senior member
Nov 16, 2002
634
0
76
When I must use FTP for services, I use OpenBSD with a few special PF rules that limit concurrent connections as well as connections per minute. Any abusers are dumped into a <table> and not permitted to connect to the FTP service anymore. Unless the skiddie's script slows their TCP connection rate down to 3/minute, it will chunk it into a black hole every time. Trying to brute force passwords at a rate of 3/minute is excruciatingly painful and generally not worth the effort unless the skiddie has you marked as a specific target.

It isn't ideal, but it does work -- I have a dedicated OpenBSD server on VMware for public-facing IOS upgrades. This has kept it clean for quite some time now. Let me know if you want the specific PF rule that enables this operation.

P.S. That black hole table is permanently maintained by dumping it as a list to a file on the drive in hourly increments. When the server is rebooted or PF is reloaded, it re-reads that file such that no previous blackholed IP is re-opened. As well, a client DOS scenario is exceptionally unlikely unless your ISP or an ISP hosting the ASN of a given client is compromised and able to complete the three-way TCP handshake.
 

Pulsar

Diamond Member
Mar 3, 2003
5,225
306
126
Hrm. Well, I banned his IP address. Unfortunately I don't see an option on the FileZilla server to allow for auto-banning of IPs. Oh well.
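
The per-source connection limit and persistent blacklist described in p0lar's post, applied to a server log for setups with no auto-ban option. This is an added example, not code from any poster and not p0lar's PF rule; the log format, sample addresses, function names and blacklist file are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import Path

MAX_CONNS = 3                     # new connections allowed per window (3/minute)
WINDOW = timedelta(seconds=60)

# Constructed sample input, "timestamp source-ip event"; not a real server's log format.
SAMPLE_LOG = """\
2024-01-05T10:00:00 203.0.113.7 CONNECT
2024-01-05T10:00:05 203.0.113.7 CONNECT
2024-01-05T10:00:09 198.51.100.20 CONNECT
2024-01-05T10:00:11 203.0.113.7 CONNECT
2024-01-05T10:00:15 203.0.113.7 CONNECT
2024-01-05T10:01:30 198.51.100.20 CONNECT
2024-01-05T10:02:45 198.51.100.20 CONNECT
"""

def find_abusers(log_text, blacklist=None):
    """Return blacklist plus every source exceeding MAX_CONNS connections per WINDOW.

    Assumes the log is in chronological order.
    """
    blacklist = set(blacklist or ())
    recent = defaultdict(deque)   # source IP -> timestamps inside the current window
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "CONNECT":
            continue              # skip malformed lines and other event types
        ip = parts[1]
        if ip in blacklist:
            continue              # already blocked; stays blocked
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] >= WINDOW:
            window.popleft()      # forget connections older than the window
        if len(window) > MAX_CONNS:
            blacklist.add(ip)
            del recent[ip]
    return blacklist

def save_blacklist(path, blacklist):
    Path(path).write_text("\n".join(sorted(blacklist)) + "\n")

def load_blacklist(path):
    p = Path(path)                # a missing file means nothing is blocked yet
    return set(p.read_text().split()) if p.exists() else set()
```

Passing the result of load_blacklist() as the blacklist argument on each run keeps previously blocked sources blocked across restarts, as with the hourly table dump described above.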
 

RebateMonger

Elite Member
Dec 24, 2005
11,588
0
0
Originally posted by: nweaver
oh, and as long as you "secure" (as much as is reasonably possible with an antique, insecure design as FTP) your server, then just sit back and ignore them. I get between 200-2K login attempts per day on my ftp server.
I host some web sites on one of my Windows Servers, and reading the www logs is always scary. Lots of 'bots hit the sites with various scripts, hoping for command line access.

One of my SBS Servers reported this morning of a few hundred attempts to log in using a couple of hundred common account names (Jennifer, Sam, .....). Maybe using "Password" as the password for each one?
 