There are two views:
1. Lock down server by disabling FTP (same as DoS really). Makes them aware that you are aware; they may stop trying and you lose opportunities to trap them.
2. Get the police involved to investigate during the attack to get hard evidence.
They are probably using "bounces" to attack the box. You would need to monitor the connection of a bounce host to find the originating host. Worst case they have multiple bounce hosts in a chain. In this case you need the aid of the police to extract that information from the ISPs.
- Peter
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 20 April 2004 14:17
To: [EMAIL PROTECTED]
Subject: Re: [ cf-dev ] OT: NT security problem
What's your FTP server? Does it not have logs keeping track of the IPs? If not, change it for one that does, and is easier to administer security.
You could also try blocking port 21, which will shut off all FTP access, until you get things sorted. Possibly you could open up a more obscure port and let your clients know, so they will still be able to access it while the hackers are stopped.
Do you have any IDS software, or does your firewall have logs, that might identify these guys' IPs? Ultimately you're going to have to find out the IPs, then contact each ISP to try and make them aware, who then have to ensure their customers secure their computers.
What about setting up an FTP account that they could get into, but with limited rights (e.g. limit upload size to under a megabyte), and see if they leave any clues behind as to what they're up to (presumably looking for storage space for hosting warez), that could help identify the culprits.
"Chris Tazewell" <[EMAIL PROTECTED]> 20/04/2004 14:03
Please respond to dev
To: <[EMAIL PROTECTED]>
cc:
Subject: [ cf-dev ] OT: NT security problem
Sorry for another Off Topic.
I've got a serious issue with one of my web servers where some twats have launched an attack on the box by trying to login through any of the ftp user accounts.
They're running a distributed attack from lots of PCs, which must be an automated process to try FTP-ing in with different combinations of usernames and passwords.
Consequently my server keeps having to lock FTP accounts after 5 failed login attempts. None of them have got through because I have a strict policy on passwords, which are all 8 characters with upper case, lower case and alphanumerics. I'm not too worried about anyone getting through, but I've got hell on trying to allow clients access to their FTP areas.
I'm putting my hands up and admitting that this sort of thing is beyond me. I don't know how to get the server to ignore their attempts, since I have no IP addresses to block. Event viewer only shows a computer name, like:
\\C-REZBR67BA731T
Any ideas and help would be appreciated.
Taz
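The two pieces of advice in the thread, pulling source addresses out of the FTP server's own logs and understanding why per-account lockouts keep firing, can be checked with a small log parser. The script below is an added example, not code from anyone in the thread. It assumes the FTP service writes W3C extended logs in the style IIS uses (date, time, client IP, `[connection]VERB`, argument, status code, with 530 meaning the login was refused and 230 meaning it succeeded); the sample log lines are constructed for the example, and the thresholds are assumptions rather than values from the thread. Because a distributed guessing run spreads one attempt per source across many hosts, it reports two different things: accounts that many distinct sources are hitting (which is what trips a per-account lockout) and individual sources that are noisy enough to be worth blocking on their own.

```python
"""Detect a distributed FTP password-guessing run from IIS-style FTP logs.

Added example for the cf-dev thread; not the poster's or the server's code.
The log format below is the W3C extended format as assumed for an IIS FTP
service; the sample lines and thresholds are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample log. Five different hosts each try the "clienta" account
# once, one of them also tries "clientb", and a real client logs in to
# "clientb" from 192.0.2.10 (documentation range, i.e. a placeholder).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-04-20 13:01:02 10.0.0.5 [1]USER clienta 331
2004-04-20 13:01:02 10.0.0.5 [1]PASS - 530
2004-04-20 13:01:04 10.0.0.6 [2]USER clienta 331
2004-04-20 13:01:04 10.0.0.6 [2]PASS - 530
2004-04-20 13:01:05 10.0.0.7 [3]USER clienta 331
2004-04-20 13:01:05 10.0.0.7 [3]PASS - 530
2004-04-20 13:01:06 10.0.0.5 [4]USER clientb 331
2004-04-20 13:01:06 10.0.0.5 [4]PASS - 530
2004-04-20 13:01:09 10.0.0.8 [5]USER clienta 331
2004-04-20 13:01:09 10.0.0.8 [5]PASS - 530
2004-04-20 13:01:11 10.0.0.9 [6]USER clienta 331
2004-04-20 13:01:11 10.0.0.9 [6]PASS - 530
2004-04-20 13:02:00 192.0.2.10 [7]USER clientb 331
2004-04-20 13:02:00 192.0.2.10 [7]PASS - 230
2004-04-20 13:02:30 192.0.2.10 [7]QUIT - 226
"""


class LoginAttempt(NamedTuple):
    time: str
    ip: str
    user: str
    ok: bool


def parse_ftp_log(text: str) -> List[LoginAttempt]:
    """Pair each PASS line with the USER sent earlier on the same connection.

    The username only appears on the USER line, so it is remembered per
    (client IP, connection number) until the matching PASS arrives.
    """
    pending_user: Dict[Tuple[str, str], str] = {}
    attempts: List[LoginAttempt] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # directive lines (#Software, #Fields, ...) carry no events
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or truncated line; skip rather than guess
        date, clock, ip, method, arg, status = fields[:6]
        if "]" not in method:
            continue
        conn_id, verb = method.split("]", 1)
        key = (ip, conn_id.lstrip("["))
        if verb == "USER":
            pending_user[key] = arg
        elif verb == "PASS":
            user = pending_user.pop(key, "?")
            attempts.append(LoginAttempt(f"{date} {clock}", ip, user, status == "230"))
    return attempts


def summarize(attempts: List[LoginAttempt]) -> Dict[str, dict]:
    """Aggregate failed logins per account, per source, and sources per account."""
    failures_per_account: Dict[str, int] = defaultdict(int)
    sources_per_account: Dict[str, Set[str]] = defaultdict(set)
    failures_per_source: Dict[str, int] = defaultdict(int)
    for a in attempts:
        if a.ok:
            continue
        failures_per_account[a.user] += 1
        sources_per_account[a.user].add(a.ip)
        failures_per_source[a.ip] += 1
    return {
        "failures_per_account": dict(failures_per_account),
        "sources_per_account": dict(sources_per_account),
        "failures_per_source": dict(failures_per_source),
    }


def distributed_targets(summary: dict, min_sources: int = 3) -> List[str]:
    """Accounts being guessed from at least `min_sources` distinct hosts (assumed threshold)."""
    return sorted(u for u, ips in summary["sources_per_account"].items() if len(ips) >= min_sources)


def noisy_sources(summary: dict, min_failures: int = 2) -> List[str]:
    """Hosts with enough failures on their own to justify a per-IP block (assumed threshold)."""
    return sorted(ip for ip, n in summary["failures_per_source"].items() if n >= min_failures)


def lockout_risk(summary: dict, lockout_threshold: int = 5) -> List[str]:
    """Accounts whose total failures, across all sources, reach the lockout threshold."""
    return sorted(u for u, n in summary["failures_per_account"].items() if n >= lockout_threshold)


if __name__ == "__main__":
    s = summarize(parse_ftp_log(SAMPLE_LOG))
    print("accounts hit from many hosts:", distributed_targets(s))
    print("accounts at the lockout threshold:", lockout_risk(s))
    print("hosts worth blocking individually:", noisy_sources(s))
```

Running it on the sample shows the shape of the problem the poster describes: `clienta` reaches the 5-failure lockout even though no single host made more than two attempts, so the per-IP list is short while the per-account list is where the lockouts come from. On a real server the same summary gives the list of source addresses to pass to the firewall or to each ISP, which the Event Viewer's computer-name-only entries do not.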