Attempted Hacks On Our FTP Server 3

Status
Not open for further replies.

zoeythecat

Hi All,

For several months there have been several outside IP Addresses from different countries trying to hack into our FTP server. The following system events occur:
Source = MSFTPSVC
Event = 100
(Note several different user names occur in the events. This is just one user for this example)
Message = The server was unable to logon the Windows NT account 'paul' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.

I'm looking for another solution other than the solution from thread955-1235753 because this FTP server is used for critical backups (we back up configs from a few devices). Is there any other solution other than disabling the FTP service? Are there any programs out there that can assist me in blocking these hack attempts?

Please advise.

Tia,
Zoey
 
Hi,

It is very difficult to stop hack attempts...

Be glad you have authentication on it.

On what port does your FTP server listen? Are the ports default (I believe 20 and 21)? If so, you can try to change the port.

If you choose a higher port number (5000+), it is more likely to stop these attempts to hack.
 
I would block the offending IPs at the firewall or router with ACLs. Do you have that capability?

RoadKi11
 
Maybe a better idea is to block all addresses except the ones that are allowed to access the FTP site.

Blocking IP addresses from where a hack attempt comes could be an ongoing event.
 
Sybje - Thanks for your reply. The user accounts and passwords are complex for the user accounts in question, so I'm sure that's why we have not been hacked. The port is port 21. I guess I could try changing the port.

Roadki11 - There are too many IP addresses. They are always different. Each day it is a different IP address from a different country.
 
You could use a third-party FTP server that blocks attempts. My FTP server software (Cerberus FTP Server) has rules that I set that will block after X amount of attempts. Currently I have it set so that after 5 unsuccessful attempts it will block the IP for 72 hours.

Just another option to throw out.

Cheers
Rob
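
The lockout rule described in the post above (5 unsuccessful attempts, then a 72-hour block on the source IP), sketched as an added example; it is not part of the original post and is not Cerberus's own code. The function names, the 10-minute counting window and the sample events (documentation-range addresses, made-up times) are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

MAX_FAILURES = 5                   # threshold quoted in the post
BLOCK_FOR = timedelta(hours=72)    # block duration quoted in the post
WINDOW = timedelta(minutes=10)     # assumption: failures only count inside this window

def replay(events):
    """Replay (timestamp, ip, login_ok) tuples sorted by time.
    Returns the per-event decisions and the block expiry per IP."""
    failures, blocked_until, decisions = {}, {}, []
    for ts, ip, ok in events:
        if blocked_until.get(ip, datetime.min) > ts:
            # A blocked address is refused before credentials are checked,
            # so even a correct password does not get through.
            decisions.append((ts, ip, "rejected-blocked"))
        elif ok:
            failures.pop(ip, None)          # success clears the counter
            decisions.append((ts, ip, "login-ok"))
        else:
            recent = [t for t in failures.get(ip, []) if ts - t <= WINDOW] + [ts]
            failures[ip] = recent
            if len(recent) >= MAX_FAILURES:
                blocked_until[ip] = ts + BLOCK_FOR
                failures.pop(ip)
                decisions.append((ts, ip, "failed-now-blocked"))
            else:
                decisions.append((ts, ip, "failed"))
    return decisions, blocked_until

def sample_events():
    """Constructed sample: one guessing source, one user who mistypes twice."""
    t0 = datetime(2009, 1, 5, 3, 0, 0)
    guesser, user = "203.0.113.7", "198.51.100.20"
    ev = [(t0 + timedelta(seconds=10 * i), guesser, False) for i in range(6)]
    ev += [(t0 + timedelta(seconds=5), user, False),
           (t0 + timedelta(seconds=15), user, False),
           (t0 + timedelta(seconds=25), user, True),
           (t0 + timedelta(hours=1), guesser, True),    # right password, still blocked
           (t0 + timedelta(hours=73), guesser, False)]  # block has expired by now
    return sorted(ev)

if __name__ == "__main__":
    for ts, ip, outcome in replay(sample_events())[0]:
        print(ts.isoformat(), ip, outcome)
```

The state is kept per source address, so a source that changes address every day, as described earlier in the thread, starts with a fresh counter each time.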
 
Rob,

Thanks for the reply. That sounds like a good option. Is there a setting in Windows IIS that can do this?

 
Under the FTP site in IIS look under the Security tab. Change the selection to Deny all IPs, then add exceptions for the IP address range that you want. You can add a whole range like 70.0.0.0/255.0.0.0. This way you disallow anyone from another country. I found a list of IP addresses based on regions, but I can't find it. I usually limit mine to the USA - not all, just 65, 70, 71, 72, etc.
 
Jshurst,

Awesome suggestion. I will give this a shot this week and post back.

Zoey
 
Jshurst,

I followed your suggestion and under the Directory Security tab selected "Deny Access" except for the subnet from the devices that are being backed up. I checked the system log in event viewer and again I see a flood of the same event messages of hack attempts from countries like China, etc. Are we still in danger of being hacked? Is there anything else I can check?

Thanks for your input!
 
Hack attempts will occur...

Security is based on IP address and username/password.

If the Chinese know your username and password, they won't have access due to the IP address restriction you set in IIS.

So, you are not in danger... If you want to get rid of the events, you should implement a firewall or something.
 
When I implemented this my ftp logs completely slowed down and I no longer saw attempted log ins from these locations, but if you set it up correctly then you shouldn't have to worry about it because they won't be able to log in.
 
Sybje + Jshurst,

Thanks to both of you for easing my concerns and for your suggestions. Thanks to everyone who posted.

Zoey
 