RE: Mitigate FTP



The other password option is to make the users' accounts Active Directory
based. I've only seen dictionary attacks against local accounts...

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Gary E. Miller
Sent: Thursday, October 16, 2008 6:24 PM
To: Sarah Wahl
Cc: pen-test@xxxxxxxxxxxxxxxxx
Subject: RE: Mitigate FTP


Yo All!

I am surprised no one has mentioned ftp with TLS (RFC 4217). It allows
you to use familiar FTP clients and procedures but allows you to have
the peace of mind of encrypted connections. Some clients, like IBM
mainframes, have FTP/TLS installed by default but push back against
SSH/SFTP.

Also, all of these (FTP, FTP/TLS, SFTP, SSH) are still vulnerable to
brute force username/password attacks. Blocking hosts on multiple bad
login attempts used to work, but now I see these dictionary attacks being
launched from botnet armies that only try 3 times a host against my
server. To mitigate dictionary attacks you have to use really long
passwords, one time passwords or public/private keys. None of these is
very user friendly.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97701
gem@xxxxxxxxxx Tel:+1(541)382-8588

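Gary's point that botnets spread guesses thinly (a few tries per host) is exactly what per-source lockout misses. As an added example, not from the original post or the list, the script below runs a classic per-IP block rule and a per-account sliding-window rule over constructed failed-login records; the log line format, the IP addresses and the thresholds are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample failed-login records (not from the post); the field layout
# is an assumption modelled loosely on an FTP daemon's "FAIL LOGIN" line.
SAMPLE_LOG = [
    f'2008-10-16 18:0{m}:{s:02d} FAIL LOGIN: Client "203.0.113.{h}", user "admin"'
    for h, m in ((10, 0), (11, 1), (12, 2), (13, 3))  # four hosts, 3 tries each
    for s in (5, 20, 35)
] + [
    '2008-10-16 18:05:00 FAIL LOGIN: Client "198.51.100.7", user "bob"',
    '2008-10-16 18:05:30 FAIL LOGIN: Client "198.51.100.7", user "bob"',
]
LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) FAIL LOGIN: Client "(?P<ip>[\d.]+)", user "(?P<user>[^"]+)"$')

def parse(lines):
    """Return (timestamp, source_ip, username) for every failed-login line."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"]))
    return events

def per_host_blocks(events, threshold=5):
    """Classic per-source lockout: IPs with at least `threshold` failures."""
    counts = Counter(ip for _, ip, _ in events)
    return {ip for ip, n in counts.items() if n >= threshold}

def distributed_targets(events, window=timedelta(minutes=10), threshold=5, min_hosts=3):
    """Per-account view: flag a username that collects >= threshold failures from
    >= min_hosts distinct IPs inside one sliding window. Returns the source IPs
    seen when the threshold was first crossed; per-IP lockout never fires here."""
    by_user = defaultdict(list)
    for ts, ip, user in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1          # slide the window forward
            span = hits[start:end + 1]
            ips = {ip for _, ip in span}
            if len(span) >= threshold and len(ips) >= min_hosts:
                flagged[user] = sorted(ips)
                break
    return flagged
```

With the sample data, per_host_blocks() at the default threshold returns nothing while distributed_targets() flags "admin", which is the gap Gary describes.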


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
