Security Basics mailing list archives
RE: Massive failed FTP attempts.
From: "Dan Denton" <ddenton () remitpro com>
Date: Wed, 12 Sep 2007 08:31:49 -0500
If it hasn't been mentioned yet, denyhosts may be a viable solution. It's normally used to secure SSH daemons against brute force attacks, but we've configured it to secure ftp servers as well.

www.denyhosts.net

They have a mailing list on sourceforge that was invaluable for us in getting our installation up and running.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of whip () netspace net au
Sent: Sunday, September 09, 2007 7:35 PM
To: 'Paul Conaghan'; 'Michael Nielson'; security-basics () securityfocus com
Subject: RE: Massive failed FTP attempts.

Changing the default port really isn't going to help the situation. Scanners such as nmap can do a service scan, which will determine what exactly is running on each open port, even if they are non-standard.

All you can really do is keep your installation up to date, use strong passwords, and don't create unnecessary accounts.

Scott

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Paul Conaghan
Sent: Wednesday, 5 September 2007 6:18 AM
To: Michael Nielson; security-basics () securityfocus com
Subject: RE: Massive failed FTP attempts.

What port are you running the FTP on? Port 21? First thing to do would be to choose another port for it. 21 is constantly scanned for open FTPs and brute force attempts.

It could also be that they are attempting to run this exploit that was released publicly a little while ago for ProFTPD:

http://www.milw0rm.com/exploits/4312

Appears it has a Brute Force section also.

If you make it harder for them to find the ProFTPd installation though, you will get fewer hits. Quickest way to do this is to use a random port.

Cheers
Paul

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Michael Nielson
Sent: Saturday, 1 September 2007 3:33 p.m.
To: security-basics () securityfocus com
Subject: Massive failed FTP attempts.

I run several small LAMP virtual servers. I've noticed a large amount of failed FTP login attempts; these all attempt to log in with common FTP usernames like Administrator, or webmaster (the FTP server is proFTPd version 1.2.10). The attacker will try from one IP address maybe 30 or 40 times and then move to a new IP address.

I have several questions. First, what are they trying to do? Crack my password? Or exploit a bug with proftpd? I've been more diligent about choosing a difficult to break password. More important, what can I do to limit the number of attempts on my server?

Thanks tons!
Michael
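The kind of per-source failure counting discussed in this thread, as an added example (not part of the original messages, and not DenyHosts' own code): it counts failed FTP logins per IP inside a sliding time window and reports the sources that reach a threshold. The log line format, the name find_bruteforce, the year default, and the threshold and window values are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines modeled on ProFTPD syslog output (format assumed).
SAMPLE_LOG = """\
Sep  1 03:12:01 web1 proftpd[4121]: web1 (203.0.113.5[203.0.113.5]) - USER Administrator: no such user found from 203.0.113.5 [203.0.113.5] to 192.0.2.10:21
Sep  1 03:12:03 web1 proftpd[4121]: web1 (203.0.113.5[203.0.113.5]) - USER webmaster (Login failed): Incorrect password.
Sep  1 03:12:06 web1 proftpd[4121]: web1 (203.0.113.5[203.0.113.5]) - USER admin: no such user found from 203.0.113.5 [203.0.113.5] to 192.0.2.10:21
Sep  1 03:14:40 web1 proftpd[4130]: web1 (198.51.100.7[198.51.100.7]) - USER michael (Login failed): Incorrect password.
Sep  1 03:14:52 web1 proftpd[4130]: web1 (198.51.100.7[198.51.100.7]) - USER michael: Login successful.
Sep  1 09:30:00 web1 proftpd[4188]: web1 (192.0.2.44[192.0.2.44]) - USER webmaster (Login failed): Incorrect password.
Sep  1 11:45:00 web1 proftpd[4190]: web1 (192.0.2.44[192.0.2.44]) - USER webmaster (Login failed): Incorrect password.
Sep  1 14:05:00 web1 proftpd[4199]: web1 (192.0.2.44[192.0.2.44]) - USER ftp (Login failed): Incorrect password.
"""

# Matches failed logins only; "Login successful" lines do not match.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: \S+ "
    r"\((?P<ip>[0-9.]+)\[[0-9.]+\]\) - USER (?P<user>\S+?):? "
    r"(?:\(Login failed\)|no such user)"
)

def find_bruteforce(log_text, threshold=3, window=timedelta(minutes=10), year=2007):
    """Return {ip: sorted usernames tried} for every source that reaches
    `threshold` failed logins inside any sliding `window`."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    users = defaultdict(set)     # ip -> every username that source tried
    flagged = set()
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied (assumed).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        users[m["ip"]].add(m["user"])
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(m["ip"])
    return {ip: sorted(users[ip]) for ip in flagged}

if __name__ == "__main__":
    for ip, tried in find_bruteforce(SAMPLE_LOG).items():
        print(ip, tried)
```

Because the original poster reports sources moving on after 30 or 40 attempts, a per-IP threshold set well below that flags each source before it rotates; the source at 192.0.2.44 in the sample shows that slow attempts spread over hours stay under a short window.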