Penetration Testing mailing list archives
Re: Mitigate FTP
From: Matt - MRS Security <matt () mrssecurity com>
Date: Wed, 15 Oct 2008 19:52:54 +0100
Sorry Taufiq to pick on your post it was the one at the bottom.Everyone is suggesting implementing an IPS/IDS. You should consider implementing an Network Intrusion Prevention System (NIPS) (http://en.wikipedia.org/wiki/Intrusion-prevention_system) dependent on your firewall technology and network topology this should not be to hard to implement. The NIPS system will detect the attack and either block the attack at the firewall or the router (dependent on router or firewall - i would consider firewall due to the router working pretty hard anyway).
As Taufiq has mentioned no matter what alternative service/protocol you may offer you will still get hammered.
As mentioned in a private email to you consider ACL's on the firewall to specific hosts if it is a B2B based service, also consider an ACL on the FTP to prevent access if the firewall is compromised or spoofed (it happens).
Stong password policies and non-default usernames (admin, veritas, backup, administrator, root, etc) are the way forward.
Sniffing will only be possible if the attacker is in the same network segment as your FTP service, on a vulnerable downstream or upstream router from yourselves or people who access the FTP.
Thanks Matt. Taufiq Ali wrote:
Hi Sarah,I see no point having alternative to FTP just because some is trying to brute force it. Any alternative protocol like SFTP, SSH etc does not stop a person from doing a brute force. The ideal thing to mitigate this is to have a IPS/IDS or a Firewall that block the traffic coming from the pool of IP address used for attacks. Also harden the FTP box & enforce strong password policy. And bearing in mind the remote locations sniffing is not even worth considering.Taufiq -------- Original Message -------- Subject: Re: Mitigate FTP From: David Glosser <david.glosser () gmail com> To: Sarah Wahl <scwahl () gmail com> CC: pen-test () securityfocus com Date: 10/15/2008 1:27 AMhow about using something like moveit (http://www.ipswitchft.com/)? Clients still use ftp but then the file itself is transferred to your actual ftp server? On Mon, Oct 13, 2008 at 9:46 PM, Sarah Wahl <scwahl () gmail com> wrote:Hi All, I am working with a company who is using FTP and cannot switch to a better protocol. They have been seeing attacks which are most likely coming from one person. The attacker is using four different IPs (ARIN shows them to be coming from mexico, canada and the US) with the same brute force attack. They are trying to guess user names using a tool (don't know why they aren't just trying to sniff traffic). I have suggested putting in a honey pot to try and catch the attacker and they have locked down the service as best as possible given the fact they are still having to use FTP. It is being run on IIS 6.0. The attacker can't get through the firewall, so no damage so far. Do you have any other suggestions for trying to catch the attacker and any other mitigations? Any ideas would be greatly appreciated. Thank you very much, Sarah
------------------------------------------------------------------------ This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report ------------------------------------------------------------------------
Current thread:
- Mitigate FTP Sarah Wahl (Oct 14)
- Re: Mitigate FTP exzactly (Oct 14)
- RE: Mitigate FTP Craig Wilson (Oct 14)
- Re: Mitigate FTP David Glosser (Oct 14)
- Re: Mitigate FTP Taufiq Ali (Oct 15)
- Re: Mitigate FTP Matt - MRS Security (Oct 15)
- Re: Mitigate FTP Taufiq Ali (Oct 15)
- RE: Mitigate FTP Pete.LeMay (Oct 14)
- Re: Mitigate FTP Shreyas Zare (Oct 14)
- Re: Mitigate FTP ॐ aditya mukadam ॐ (Oct 15)
- Re: Mitigate FTP Sarah Wahl (Oct 16)
- RE: Mitigate FTP Thakrar, Saurabh (Oct 16)
- RE: Mitigate FTP Gary E. Miller (Oct 16)
- RE: Mitigate FTP Pete.LeMay (Oct 17)
- RE: Mitigate FTP Gary E. Miller (Oct 17)
- RE: Mitigate FTP Pete.LeMay (Oct 17)
- RE: Mitigate FTP Thakrar, Saurabh (Oct 16)
- Re: Mitigate FTP Augusto Augusto (Oct 17)