Security Basics mailing list archives

RE: Massive failed FTP attempts.


From: "Dan Denton" <ddenton () remitpro com>
Date: Wed, 12 Sep 2007 08:31:49 -0500

If it hasn't been mentioned yet, denyhosts may be a viable solution. It's
normally used to secure SSH daemons against brute force attacks, but we've
configured it to secure FTP servers as well.

www.denyhosts.net

They have a mailing list on sourceforge that was invaluable for us in
getting our installation up and running.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of whip () netspace net au
Sent: Sunday, September 09, 2007 7:35 PM
To: 'Paul Conaghan'; 'Michael Nielson'; security-basics () securityfocus com
Subject: RE: Massive failed FTP attempts.

Changing the default port really isn't going to help the situation. Scanners
such as nmap can do a service scan, which will determine what exactly is
running on each open port, even if it is non-standard.

All you can really do is keep your installation up to date, use strong
passwords, and don't create unnecessary accounts.


Scott

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Paul Conaghan
Sent: Wednesday, 5 September 2007 6:18 AM
To: Michael Nielson; security-basics () securityfocus com
Subject: RE: Massive failed FTP attempts.

What port are you running the FTP on? Port 21? First thing to do would
be to choose another port for it. 21 is constantly scanned for open
FTP's and brute force attempts.

It could also be that they are attempting to run this exploit that was
released publicly a little while ago for ProFTPD:

http://www.milw0rm.com/exploits/4312

Appears it has a Brute Force section also.

If you make it harder for them to find the ProFTPD installation though,
you will get fewer hits. Quickest way to do this is to use a random port.

Cheers
Paul


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Michael Nielson
Sent: Saturday, 1 September 2007 3:33 p.m.
To: security-basics () securityfocus com
Subject: Massive failed FTP attempts.

I run several small LAMP virtual servers, and I've noticed a large number of
failed FTP login attempts. These all attempt to log in with common FTP
usernames like Administrator or webmaster (the FTP server is ProFTPD
version 1.2.10). The attacker will try from one IP address maybe 30 or
40 times and then move to a new IP address. I have several questions.
First, what are they trying to do? Crack my password? Or exploit a bug
with ProFTPD? I've been more diligent about choosing a difficult-to-break
password. More important, what can I do to limit the number of
attempts on my server?
Thanks tons!
Michael
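
Added example, not part of any message in this thread and not denyhosts' own code: a sketch of the per-source threshold idea behind tools like denyhosts, applied to the pattern Michael describes (30 to 40 failures from one address before it rotates). The log line format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: syslog-style ProFTPD auth failures; adapt the pattern to your logs.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: .*?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\) - USER (?P<user>\S+)"
    r"(?:: no such user found| \(Login failed\))")

def find_offenders(lines, threshold=10, window=timedelta(minutes=10), year=2007):
    """Map each IP with >= threshold failures inside a sliding window
    to the usernames it tried. Syslog omits the year, so it is passed in."""
    recent = defaultdict(deque)  # ip -> failure timestamps still in the window
    users = defaultdict(set)     # ip -> usernames attempted
    flagged = set()
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue             # successful logins and unrelated lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        users[m["ip"]].add(m["user"])
        while ts - q[0] > window:    # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(m["ip"])
    return {ip: sorted(users[ip]) for ip in sorted(flagged)}

def sample_log():
    """Constructed lines using documentation IP ranges, not real traffic."""
    pre = "web1 proftpd[4242]: web1"
    tail = "no such user found from 203.0.113.7 [203.0.113.7] to 192.0.2.10:21"
    lines = [f"Sep  1 15:00:{i:02d} {pre} (203.0.113.7[203.0.113.7]) - USER "
             f"{('Administrator', 'webmaster')[i % 2]}: {tail}" for i in range(30)]
    legit = f"{pre} (198.51.100.20[198.51.100.20]) - USER michael"
    lines += [f"Sep  1 15:05:01 {legit} (Login failed): Incorrect password.",
              f"Sep  1 15:05:09 {legit} (Login failed): Incorrect password.",
              f"Sep  1 15:05:20 {legit}: Login successful."]
    return lines

if __name__ == "__main__":
    for ip, tried in find_offenders(sample_log()).items():
        print(f"block candidate {ip}: tried {', '.join(tried)}")
```

A threshold well below 30 flags each source before it moves on, while the user who mistypes a password twice stays under it; the flagged addresses can then feed whatever deny mechanism the server already uses.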

