Penetration Testing mailing list archives

RE: Mitigate FTP


From: Craig Wilson <cwilson () ppilearning com>
Date: Tue, 14 Oct 2008 18:39:21 +0100

Hi Sarah,

If they are in Mexico, US or Canada and you are not in any of those then the chances of them sniffing the wire are so 
remote as not to be worth considering.  If they are trying to brute-force the password then your client's best bet is to 
enforce a strong password policy - set the passwords to lock after a given number of false attempts and install an IDS 
to either alert or confine the traffic.

If they are always coming from the same network blocks then you could block them at the Firewall.  If it's just 
password attempts, then I'd not worry too much.  It's worth ensuring that the server itself is fully patched and that 
the IIS services are set up in such a way as to negate the possibility of anything being run on the server itself should 
they crack a password.

Let me know if I can be of more assistance.

Craig




Craig Wilson
Senior IT Network Administrator & Support Analyst
T. 0207 264 5113
M. 07899895510
F. 02072645101
E. cwilson () ppilearning com
W. http://www.ppilearning.com/

-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Sarah Wahl
Sent: 14 October 2008 02:47
To: pen-test () securityfocus com
Subject: Mitigate FTP

Hi All,
   I am working with a company who is using FTP and cannot switch to a
better protocol.  They have been seeing attacks which are most likely
coming from one person.  The attacker is using four different IPs
(ARIN shows them to be coming from Mexico, Canada and the US) with the
same brute force attack.  They are trying to guess user names using a
tool (don't know why they aren't just trying to sniff traffic). I have
suggested putting in a honey pot to try and catch the attacker and
they have locked down the service as best as possible given the fact
they are still having to use FTP.  It is being run on IIS 6.0. The
attacker can't get through the firewall, so no damage so far.  Do you
have any other suggestions for trying to catch the attacker and any
other mitigations? Any ideas would be greatly appreciated.

Thank you very much,
Sarah

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
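
Added example, not part of the original thread: one way to act on the advice above (find the network blocks to block at the firewall and see which user names are being guessed) is to summarize failed logins from the FTP service log. The log layout, the sample lines and the function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample. Assumed layout of an IIS 6.0 FTP (MSFTPSVC) W3C log:
# time, client IP, "[session]VERB", argument, FTP reply code.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
02:10:01 203.0.113.10 [7]USER admin 331
02:10:01 203.0.113.10 [7]PASS - 530
02:10:02 203.0.113.10 [7]USER administrator 331
02:10:02 203.0.113.10 [7]PASS - 530
02:10:03 203.0.113.77 [8]USER backup 331
02:10:03 203.0.113.77 [8]PASS - 530
02:10:04 203.0.113.77 [8]USER admin 331
02:10:04 203.0.113.77 [8]PASS - 530
09:00:11 198.51.100.5 [9]USER jsmith 331
09:00:11 198.51.100.5 [9]PASS - 530
09:00:20 198.51.100.5 [9]USER jsmith 331
09:00:20 198.51.100.5 [9]PASS - 230
"""


def failed_logins(log_text):
    """Yield (client_ip, username) for every PASS answered with 530."""
    pending = {}  # (ip, session) -> user name from the preceding USER command
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != 5:
            continue  # header directive, blank or malformed line
        _time, ip, method, arg, status = parts
        session, _, verb = method.rpartition("]")
        if verb == "USER":
            pending[(ip, session)] = arg.lower()
        elif verb == "PASS" and status == "530":
            yield ip, pending.get((ip, session), "?")


def summarize(log_text, min_failures=3, prefix=24):
    """Map each noisy network block to (failures, sorted user names tried)."""
    stats = defaultdict(lambda: [0, set()])
    for ip, user in failed_logins(log_text):
        net = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        stats[net][0] += 1
        stats[net][1].add(user)
    return {n: (c, sorted(u)) for n, (c, u) in stats.items() if c >= min_failures}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Grouping by /24 is a starting point only; check the actual allocation of each range before turning it into a firewall rule, and note that the single mistyped password from 198.51.100.5 stays below the threshold.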
