Penetration Testing mailing list archives
RE: Mitigate FTP
From: christopher.riley () r-it at
Date: Wed, 15 Oct 2008 10:31:51 +0200
Looks like an interesting script. However, you always have to think about the consequences of IP banning very carefully before implementing this kind of solution. It's possible for an attacker to spoof the source IP to force your systems into banning IP addresses that you need access to. It looks like this script only bans access to the FTP service, which shouldn't be a problem unless the attacker knows the IP address of your clients.

If you have to use FTP, and I've seen companies that still do, a whitelist solution may be the best way to go depending on how many clients you have. It becomes unworkable at large volumes, but I've seen it done up to a few hundred accounts without too much overhead. Even moving to a secure protocol like SFTP won't stop brute-force attempts (unless you're using certificates to perform authentication).

Do you have any logs of the brute-force attempts (censored, of course)? It might be fun to examine them for some more details.

Chris

pen-test-return-1078487292 () securityfocus com
Sent by: listbounce () securityfocus com
15.10.2008 00:33
To: scwahl () gmail com, pen-test () securityfocus com
Subject: RE: Mitigate FTP

I've been using a variation of the scripts here, http://blog.netnerds.net/category/iis/. Hers looks for failed login attempts as administrator and bans the IP, but you can modify it to look for whatever login(s) you want and block the IP.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Sarah Wahl
Sent: Monday, October 13, 2008 9:47 PM
To: pen-test () securityfocus com
Subject: Mitigate FTP

Hi All,

I am working with a company who is using FTP and cannot switch to a better protocol. They have been seeing attacks which are most likely coming from one person. The attacker is using four different IPs (ARIN shows them to be coming from Mexico, Canada and the US) with the same brute force attack. They are trying to guess user names using a tool (don't know why they aren't just trying to sniff traffic). I have suggested putting in a honey pot to try and catch the attacker, and they have locked down the service as best as possible given the fact they are still having to use FTP. It is being run on IIS 6.0. The attacker can't get through the firewall, so no damage so far.

Do you have any other suggestions for trying to catch the attacker and any other mitigations? Any ideas would be greatly appreciated.

Thank you very much,
Sarah

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------

----------------------------------------
Raiffeisen Informatik GmbH, Firmenbuchnr. 88239p, Handelsgericht Wien, DVR 0486809, UID ATU 16351908
Correspondence with above mentioned sender via e-mail is only for information purposes. This medium may not be used for exchange of legally-binding communications.
----------------------------------------
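Added example (editor's code, not from the thread and not the netnerds script it points to): a log-review version of the "count failed logins, then ban" idea that also carries Chris's caveat. It reads an IIS 6.0 FTP log in W3C extended format, counts "530" replies to PASS per source IP inside a sliding time window, and separates IPs that may be banned from whitelisted client ranges that only get reported (so a spoofed flood cannot lock a real client out). The log lines, the whitelist range, the threshold and the window are constructed for the example; the field layout and the "[connection-id]COMMAND" form of cs-method are assumed to match what IIS 6 writes by default. It also lists the account names each IP tried, which is the first thing to look for in the logs Chris asks about.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an IIS 6.0 FTP log (W3C extended format). Addresses are
# documentation ranges and the names are invented; the column layout and the
# "[connection-id]COMMAND" cs-method value are assumed to match IIS 6 defaults.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2008-10-13 21:45:01 203.0.113.10 - [1]USER administrator 331 0
2008-10-13 21:45:01 203.0.113.10 administrator [1]PASS - 530 1326
2008-10-13 21:45:03 203.0.113.10 - [2]USER admin 331 0
2008-10-13 21:45:03 203.0.113.10 admin [2]PASS - 530 1326
2008-10-13 21:45:05 203.0.113.10 backup [3]PASS - 530 1326
2008-10-13 21:45:07 203.0.113.10 ftp [4]PASS - 530 1326
2008-10-13 21:45:09 203.0.113.10 test [5]PASS - 530 1326
2008-10-13 21:46:10 198.51.100.7 partner [6]PASS - 530 1326
2008-10-13 21:46:20 198.51.100.7 partner [7]PASS - 530 1326
2008-10-13 21:46:30 198.51.100.7 partner [8]PASS - 530 1326
2008-10-13 21:46:40 198.51.100.7 partner [9]PASS - 530 1326
2008-10-13 21:46:50 198.51.100.7 partner [10]PASS - 530 1326
2008-10-13 21:50:00 192.0.2.44 jdoe [11]PASS - 530 1326
2008-10-13 21:50:15 192.0.2.44 jdoe [12]PASS - 530 1326
2008-10-13 21:50:30 192.0.2.44 jdoe [13]PASS - 530 1326
2008-10-13 21:50:45 192.0.2.44 jdoe [14]PASS - 230 0
2008-10-13 22:30:00 192.0.2.44 jdoe [15]PASS - 530 1326
"""

# Assumed whitelist of client networks that must never be auto-banned: a
# (possibly spoofed) flood from these ranges is reported, not blocked.
WHITELIST = ["198.51.100.0/24"]

FAILED_LOGIN = 530                          # FTP reply "530 Not logged in"
METHOD_RE = re.compile(r"^\[\d+\](\w+)$")   # strips the [connection-id] prefix


def parse_iis_ftp_log(text):
    """Yield one dict per data line, naming the columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("data line seen before a #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or garbled line: skip rather than mis-attribute it
        rec = dict(zip(fields, parts))
        m = METHOD_RE.match(rec["cs-method"])
        rec["command"] = (m.group(1) if m else rec["cs-method"]).upper()
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["sc-status"] = int(rec["sc-status"])
        yield rec


def find_brute_force(text, whitelist, threshold=5, window=timedelta(minutes=10)):
    """Return (ban, alert, usernames): non-whitelisted IPs with >= threshold failed
    PASS commands inside any `window`; whitelisted IPs that crossed the same line
    (report only); and the sorted account names each IP tried."""
    nets = [ipaddress.ip_network(n) for n in whitelist]
    recent = defaultdict(deque)          # ip -> timestamps of recent failures
    usernames = defaultdict(set)
    ban, alert = set(), set()
    for rec in parse_iis_ftp_log(text):
        if rec["command"] != "PASS":     # USER/QUIT/etc. carry no login result
            continue
        ip = rec["c-ip"]
        usernames[ip].add(rec["cs-username"])
        if rec["sc-status"] != FAILED_LOGIN:
            continue
        q = recent[ip]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            addr = ipaddress.ip_address(ip)
            if any(addr in net for net in nets):
                alert.add(ip)
            else:
                ban.add(ip)
    return ban, alert, {ip: sorted(names) for ip, names in usernames.items()}


if __name__ == "__main__":
    ban, alert, users = find_brute_force(SAMPLE_LOG, WHITELIST)
    print("ban:  ", sorted(ban))     # ['203.0.113.10']
    print("alert:", sorted(alert))   # ['198.51.100.7'] (whitelisted, so reported only)
    print("tried:", users)
```

Run against the sample, 203.0.113.10 (five different usernames, five failures in eight seconds) is a ban candidate, 198.51.100.7 crosses the same threshold but sits in the whitelisted client range and is only reported, and 192.0.2.44 (three quick failures, a successful login, then one failure 40 minutes later) never exceeds the threshold inside the window. Actually blocking the addresses in `ban` is left to whatever firewall or IPsec tooling the site uses; the script only decides.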
Current thread:
- RE: Mitigate FTP, (continued)
- RE: Mitigate FTP Pete.LeMay (Oct 14)
- Re: Mitigate FTP Shreyas Zare (Oct 14)
- Re: Mitigate FTP ॐ aditya mukadam ॐ (Oct 15)
- Re: Mitigate FTP Sarah Wahl (Oct 16)
- RE: Mitigate FTP Thakrar, Saurabh (Oct 16)
- RE: Mitigate FTP Gary E. Miller (Oct 16)
- RE: Mitigate FTP Pete.LeMay (Oct 17)
- RE: Mitigate FTP Gary E. Miller (Oct 17)
- RE: Mitigate FTP Pete.LeMay (Oct 17)
- RE: Mitigate FTP Thakrar, Saurabh (Oct 16)
- Re: Mitigate FTP Augusto Augusto (Oct 17)