Re: ftp server question



Borked Pseudo Mailed wrote:

Rick Merrill wrote:


Maybe you can tell us HOW these attackers find the IP numbers of
systems that are running FTP (or others services) ???


Too easy. Nmap is more than capable of scanning huge chunks of the
net for specific services and spitting out nicely formatted lists.
And I'd wager there's specialized software for people who are too
script kiddie to figure out nmap.

The standard practice as I understand it is to run your scans and
sit on the results for a while, or trade them with your buddies.
Then some time later or from another location launch your "attack"
so that it's harder to figure out where it's really coming from.

That innocent looking port scan you see in your firewall today could
very likely be the precursor to the attack you're going to
experience next month.


So anyone running an open FTP server has probably already been 'found out' but not everyone runs a log and even fewer probably check it!


Anyone running any sort of server is likely to be 'found out' in a
matter of minutes. Hours at the outside. I run SSH, a small web daemon,
and local delivery only SMTP/IMAP servers here. I have rate limiting on
the SSH server, so it only gets attacked once every three minutes tops.
This makes most of the SSH brute force bots go away. The web server gets
probed for vulnerable CGI all the time even though it's configured to
flatly disallow CGI. When I opened up the port for the SMTP server it
took about 45 seconds to see my first attempt to use it as a relay, and
from that point on I got a pretty steady stream. At least 40 to 50
tries a day, usually more. I don't run FTP because I have that ability
via SSH (sFTP), but I used to, and got hordes of failed login attempts
in those logs too.

So yeah, if you have something actually responding on a port it's
"normal" for people to be trying to crack it. Not right mind you, but
normal. ;)

99.99% of this stuff is automated script kiddie crap, so a little
attention to your configuration like not accepting mail for non-local
delivery and keeping stuff patched/updated is sufficient to keep the
buggers at bay. Other than that just use good strong passwords when
applicable, and you should be fine.

In my humble opinion, if you're not "mentally prepared" for the
possibility that you will be owned, then it's a good idea not to run
the services to begin with. Just relax and take care of business. That
way you won't make as many mistakes. ;)


The only account they have tried Does Not Exist!


Typical script/automated or dictionary attacks. See them every day. And
as long as you're actually seeing them you know your firewall/logging
is working. After a while it's almost reassuring to see the attempts.
I'd flip out big time if I opened my mail logs and didn't see a whole
slew of 'REJECT' entries. It would mean the daemon died, or someone
broke in. The former is better than the latter, but neither one is a
particularly good thing.


Is a VPN the only way to protect against this scanning?


No, shutting off the services and/or blocking the ports is the only
way. :)

A VPN will certainly add a layer of protection and obfuscate the fact
that services are running, yes. It will also place a burden on your
"clients" or users. If that's not a problem then it's a great idea to
just tunnel everything through a VPN. If you need access from anywhere
or by a varying clientele, then it may be problematic or outright
impossible.


"rate limiting" - upload speed from FTP server is limited to 43KB, but it doesn't slow the door-knob twisters. What is the SSH rate limiting?

All users can be id'd by IP address easily and in advance. Therefore, what VPN is the easiest to install (on both ends)?
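The thread above talks about brute-force bots hammering SSH, attempts against accounts that do not exist, and the idea that a sudden absence of rejected attempts is itself a warning sign. As an added example (not code from anyone in this thread), the script below parses a few constructed sshd log lines in syslog format and implements those three checks: a sliding-window count of failed logins per source address (the same "no more than N attempts in T minutes" notion behind the poster's rate limiting, here applied to detection rather than enforcement), a tally of attempts against non-existent accounts, and a "silence is suspicious" check. The log lines, host name, addresses and the 3-minute/3-attempt thresholds are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines in syslog format; not from any real host.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 gw sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:05 gw sshd[2205]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  3 10:00:09 gw sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Mar  3 10:01:30 gw sshd[2210]: Failed password for invalid user guest from 198.51.100.22 port 40001 ssh2
Mar  3 10:04:40 gw sshd[2212]: Failed password for invalid user guest from 198.51.100.22 port 40002 ssh2
Mar  3 10:05:00 gw sshd[2215]: Accepted publickey for rick from 192.0.2.10 port 55000 ssh2
"""

# Matches the OpenSSH "Failed password" line; the optional "invalid user "
# prefix is what sshd emits when the account does not exist on the host.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Return one event dict per failed-login line (syslog lines carry no year,
    so the caller supplies it)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"],
                       "invalid_user": bool(m["invalid"])})
    return events


def brute_force_sources(events, window=timedelta(minutes=3), threshold=3):
    """Sliding-window count: for each source IP, the largest number of failed
    attempts that fall inside any `window`. IPs reaching `threshold` are
    returned as {ip: peak_count}. Attempts spaced further apart than the
    window never accumulate, which is the effect rate limiting aims for."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def nonexistent_account_attempts(events):
    """Count failed attempts per account name that does not exist here
    (the thread's 'the only account they tried Does Not Exist' case)."""
    counts = defaultdict(int)
    for e in events:
        if e["invalid_user"]:
            counts[e["user"]] += 1
    return dict(counts)


def silence_is_suspicious(events):
    """An exposed SSH port that records zero failed attempts over a log
    window usually means logging or the daemon stopped, not that the
    bots went away."""
    return len(events) == 0


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_AUTH_LOG)
    print("flagged sources:", brute_force_sources(evs))
    print("non-existent accounts tried:", nonexistent_account_attempts(evs))
    print("no failures at all (check the daemon!):", silence_is_suspicious(evs))
```

Run on the constructed lines, only 203.0.113.7 is flagged (four attempts within eight seconds), while 198.51.100.22 stays under threshold because its two attempts are more than three minutes apart. Feeding the script a real `/var/log/auth.log` (or `journalctl -u ssh` output) instead of `SAMPLE_AUTH_LOG` gives the same per-source view the poster describes reading from the firewall and mail logs.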



