Penetration Testing mailing list archives
RE: Mitigate FTP
From: "Pete.LeMay" <pete.lemay () whro org>
Date: Thu, 16 Oct 2008 23:40:03 -0400
The other password option is to make the user accounts Active Directory based. I've only seen dictionary attacks against local accounts...

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Gary E. Miller
Sent: Thursday, October 16, 2008 6:24 PM
To: Sarah Wahl
Cc: pen-test () securityfocus com
Subject: RE: Mitigate FTP

Yo All!

I am surprised no one has mentioned FTP with TLS (RFC 4217). It allows you to use familiar FTP clients and procedures but allows you to have the peace of mind of encrypted connections. Some clients, like IBM mainframes, have FTP/TLS installed by default but push back against SSH/SFTP.

Also, all of these (FTP, FTP/TLS, SFTP, SSH) are still vulnerable to brute force username/password attack. Blocking hosts on multiple bad login attempts used to work, but now I see these dictionary attacks being launched from botnet armies that only try 3 times a host against my server.

To mitigate dictionary attacks you have to use really long passwords, one time passwords or public/private keys. None of these is very user friendly.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller
Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97701
gem () rellim com Tel:+1(541)382-8588

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
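The quoted message makes a point worth checking against real logs: a per-host lockout rule (block an IP after N bad logins) sees nothing when a botnet spreads a dictionary attack so that each host only tries a few times, but the same attempts line up clearly when you aggregate by target account instead. The script below is an added example, not code from either poster; it parses constructed vsftpd-style `FAIL LOGIN` lines (the addresses, usernames and timestamps are made up) and compares the two rules. The thresholds `limit` and `min_hosts` are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample lines in vsftpd.log style (not taken from the thread).
# Three hosts each try the account "alice" exactly three times, mimicking the
# "3 tries per host" botnet pattern described in the message.
SAMPLE_LOG = """\
Thu Oct 16 23:40:01 2008 [pid 4101] [alice] FAIL LOGIN: Client "192.0.2.10"
Thu Oct 16 23:40:02 2008 [pid 4102] [alice] FAIL LOGIN: Client "192.0.2.10"
Thu Oct 16 23:40:03 2008 [pid 4103] [alice] FAIL LOGIN: Client "192.0.2.10"
Thu Oct 16 23:40:04 2008 [pid 4104] [alice] FAIL LOGIN: Client "198.51.100.7"
Thu Oct 16 23:40:05 2008 [pid 4105] [alice] FAIL LOGIN: Client "198.51.100.7"
Thu Oct 16 23:40:06 2008 [pid 4106] [alice] FAIL LOGIN: Client "198.51.100.7"
Thu Oct 16 23:40:07 2008 [pid 4107] [alice] FAIL LOGIN: Client "203.0.113.44"
Thu Oct 16 23:40:08 2008 [pid 4108] [alice] FAIL LOGIN: Client "203.0.113.44"
Thu Oct 16 23:40:09 2008 [pid 4109] [alice] FAIL LOGIN: Client "203.0.113.44"
Thu Oct 16 23:40:10 2008 [pid 4110] [bob] OK LOGIN: Client "192.0.2.50"
Thu Oct 16 23:40:11 2008 [pid 4111] [bob] FAIL LOGIN: Client "192.0.2.50"
Thu Oct 16 23:40:12 2008 [pid 4112] [carol] FAIL LOGIN: Client "192.0.2.77"
"""

# Matches the user and client address of a failed login; successful
# "OK LOGIN" lines deliberately do not match.
FAIL_RE = re.compile(r'\[(?P<user>[^\]]+)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"')


def parse_failures(text):
    """Return a list of (user, ip) tuples, one per failed login line."""
    failures = []
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failures.append((m.group("user"), m.group("ip")))
    return failures


def hosts_over_threshold(failures, limit=5):
    """Classic per-host rule: flag an IP once it exceeds `limit` failures.
    This is what a fail2ban-style jail keyed on the client address sees."""
    per_host = defaultdict(int)
    for _, ip in failures:
        per_host[ip] += 1
    return sorted(ip for ip, n in per_host.items() if n > limit)


def targeted_accounts(failures, limit=5, min_hosts=2):
    """Per-account rule: flag an account that accumulates more than `limit`
    failures from at least `min_hosts` distinct hosts. Spreading the attempts
    across a botnet does not help the attacker against this view."""
    per_user = defaultdict(lambda: [0, set()])
    for user, ip in failures:
        per_user[user][0] += 1
        per_user[user][1].add(ip)
    return sorted(
        user for user, (n, ips) in per_user.items()
        if n > limit and len(ips) >= min_hosts
    )


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print("failed logins parsed:", len(fails))
    print("hosts a per-IP rule would block:", hosts_over_threshold(fails))
    print("accounts under distributed attack:", targeted_accounts(fails))
```

With the constructed sample no single host passes the per-IP threshold, so a host-blocking rule stays silent, while `alice` shows nine failures from three distinct sources and is flagged by the per-account view. In practice the per-account signal is what you would use to trigger a temporary lockout or a step-up to one-time passwords or key-based authentication, which is the mitigation the message ends on.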