
Blocking FTP requests

Status
Not open for further replies.

hookechoes

IS-IT--Management
Jan 25, 2007
6
I noticed my FTP log is filled with rapid hits. Is this common, and what can I do to block these computers?

Thanks!

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-10-01 04:19:26
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
04:19:26 72.232.186.114 [1]USER Administrator 331 0
04:19:26 72.232.186.114 [1]PASS - 530 1326
04:19:26 72.232.186.114 [1]USER Administrator 331 0
04:19:26 72.232.186.114 [1]PASS - 530 1326
04:19:26 72.232.186.114 [1]USER Administrator 331 0
04:19:26 72.232.186.114 [1]PASS - 530 1326
04:19:26 72.232.186.114 [1]USER Administrator 331 0
04:19:26 72.232.186.114 [1]PASS - 530 1326
04:19:26 72.232.186.114 [1]USER Administrator 331 0
04:19:26 72.232.186.114 [1]PASS - 530 1326
04:19:27 72.232.186.114 [1]USER Administrator 331 0
04:19:27 72.232.186.114 [1]PASS - 530 1326
04:19:27 72.232.186.114 [1]USER Administrator 331 0
04:19:27 72.232.186.114 [1]PASS - 530 1326
04:19:27 72.232.186.114 [1]USER Administrator 331 0
04:19:27 72.232.186.114 [1]PASS - 530 1326
04:19:27 72.232.186.114 [1]USER Administrator 331 0
04:19:27 72.232.186.114 [1]PASS - 530 1326
04:19:27 72.232.186.114 [1]USER Administrator 331 0
04:19:27 72.232.186.114 [1]PASS - 530 1326
04:19:28 72.232.186.114 [1]USER Administrator 331 0
04:19:28 72.232.186.114 [1]PASS - 530 1326
04:19:28 72.232.186.114 [1]USER Administrator 331 0
04:19:28 72.232.186.114 [1]PASS - 530 1326
04:19:28 72.232.186.114 [1]USER Administrator 331 0
04:19:28 72.232.186.114 [1]PASS - 530 1326
04:19:28 72.232.186.114 [1]USER Administrator 331 0
04:19:28 72.232.186.114 [1]PASS - 530 1326
04:19:28 72.232.186.114 [1]USER Administrator 331 0
04:19:28 72.232.186.114 [1]PASS - 530 1326
04:19:28 72.232.186.114 [1]USER Administrator 331 0
04:19:29 72.232.186.114 [1]PASS - 530 1326
04:19:29 72.232.186.114 [1]USER Administrator 331 0
04:19:29 72.232.186.114 [1]PASS - 530 1326
04:19:29 72.232.186.114 [1]USER Administrator 331 0
04:19:29 72.232.186.114 [1]PASS - 530 1326
04:19:29 72.232.186.114 [1]USER Administrator 331 0
04:19:29 72.232.186.114 [1]PASS - 530 1326
04:19:29 72.232.186.114 [1]USER Administrator 331 0
04:19:29 72.232.186.114 [1]PASS - 530 1326
04:19:29 72.232.186.114 [1]USER Administrator 331 0
04:19:29 72.232.186.114 [1]PASS - 530 1326
04:19:31 72.232.186.114 [1]USER Administrator 331 0
04:19:31 72.232.186.114 [1]PASS - 530 1326
04:19:31 72.232.186.114 [1]USER Administrator 331 0
04:19:31 72.232.186.114 [1]PASS - 530 1326
04:19:31 72.232.186.114 [1]USER Administrator 331 0
04:19:31 72.232.186.114 [1]PASS - 530 1326
04:19:31 72.232.186.114 [1]USER Administrator 331 0
04:19:31 72.232.186.114 [1]PASS - 530 1326
04:19:32 72.232.186.114 [1]USER Administrator 331 0
04:19:32 72.232.186.114 [1]PASS - 530 1326
04:19:32 72.232.186.114 [1]USER Administrator 331 0
04:19:32 72.232.186.114 [1]PASS - 530 1326
04:19:32 72.232.186.114 [1]USER Administrator 331 0
04:19:32 72.232.186.114 [1]PASS - 530 1326
04:19:32 72.232.186.114 [1]USER Administrator 331 0
04:19:32 72.232.186.114 [1]PASS - 530 1326
04:19:32 72.232.186.114 [1]USER Administrator 331 0
04:19:32 72.232.186.114 [1]PASS - 530 1326
04:19:33 72.232.186.114 [1]USER Administrator 331 0
04:19:33 72.232.186.114 [1]PASS - 530 1326
04:19:33 72.232.186.114 [1]USER Administrator 331 0
04:19:33 72.232.186.114 [1]PASS - 530 1326
04:19:33 72.232.186.114 [1]USER Administrator 331 0
04:19:33 72.232.186.114 [1]PASS - 530 1326
04:19:33 72.232.186.114 [1]USER Administrator 331
 
Looks like someone is attempting a brute-force attack on your FTP server to try and gain access via your Administrator account.

First thing I would do is disable the Administrator account (if you haven't done so already) or at least rename it.

Are you using a firewall device? It may be possible to set it to automatically block these types of attacks depending on the brand/model you have.

Good luck,
 
Thanks for the reply

I disabled the admin account.

I went back into the log today, and it now shows a different user trying to access.

Any ideas on how I can stop this?

19:29:15 193.125.99.17 [4]PASS - 530 1326
19:29:15 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:15 193.125.99.17 [4]PASS - 530 1326
19:29:15 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:17 193.125.99.17 [4]PASS - 530 1326
19:29:17 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:17 193.125.99.17 [4]PASS - 530 1326
19:29:17 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:17 193.125.99.17 [4]PASS - 530 1326
19:29:18 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:18 193.125.99.17 [4]PASS - 530 1326
19:29:18 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:18 193.125.99.17 [4]PASS - 530 1326
19:29:18 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:19 193.125.99.17 [4]PASS - 530 1326
19:29:19 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:19 193.125.99.17 [4]PASS - 530 1326
19:29:19 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:19 193.125.99.17 [4]PASS - 530 1326
19:29:20 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:20 193.125.99.17 [4]PASS - 530 1326
19:29:20 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:20 193.125.99.17 [4]PASS - 530 1326
19:29:20 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:21 193.125.99.17 [4]PASS - 530 1326
19:29:21 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:21 193.125.99.17 [4]PASS - 530 1326
19:29:21 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:21 193.125.99.17 [4]PASS - 530 1326
19:29:22 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:22 193.125.99.17 [4]PASS - 530 1326
19:29:22 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:22 193.125.99.17 [4]PASS - 530 1326
19:29:22 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:23 193.125.99.17 [4]PASS - 530 1326
19:29:23 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:23 193.125.99.17 [4]PASS - 530 1326
19:29:23 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:23 193.125.99.17 [4]PASS - 530 1326
19:29:24 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:24 193.125.99.17 [4]PASS - 530 1326
19:29:24 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:24 193.125.99.17 [4]PASS - 530 1326
19:29:24 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:25 193.125.99.17 [4]PASS - 530 1326
19:29:25 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:25 193.125.99.17 [4]PASS - 530 1326
19:29:25 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:25 193.125.99.17 [4]PASS - 530 1326
19:29:26 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:26 193.125.99.17 [4]PASS - 530 1326
19:29:26 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:26 193.125.99.17 [4]PASS - 530 1326
19:29:26 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:27 193.125.99.17 [4]PASS - 530 1326
19:29:27 193.125.99.17 [4]USER tsinternetuser 331 0
19:29:27 193.125.99.17 [4]PASS - 530 1326
19:29:27 193.125.99.17 [4]USER tsinternetuser 331 0


 
The only thing that is enabled on the server firewall is HTTP passthrough.
 
I just blocked all HTTP traffic, and the log is still building up?
 
I did a whois lookup, and that IP address (193.125.99.17) is coming from Russia. Do you have a security person on staff or a contractor you can contact to help you?

What type of firewall do you have in place, and do you know how to configure it to block these attacks?

They see an open hole and are trying to find a way into your network. You need someone with security expertise to help you make sure your network is secure and locked down.

If you don't have a firewall, unplug the internet connection and contact someone to come in and do a security audit of your infrastructure. They can help you make sure you're doing everything you can to secure your network.

Good luck,
 
Thanks again for the reply

I'm just using Windows Server 2003 R2 on my home network to serve a website. Nobody is supposed to have access to the server. I did have FTP on to transfer some files; I turned it off for now.

I'm also using a D-Link DFL-700 hardware firewall. I'm not sure how to set it up to block this sort of activity, though. I only have port 80 open on the firewall.
 
If those entries are appearing in your FTP logs, then port 21 is open through your firewall.

Nobody will have access to your server. All that is happening is that a script is running looking for unsecured FTP, or FTP using common usernames and weak passwords. It's fully automated and just runs through groups of IPs looking for possible anonymous FTP hosts. 'Fraid it's just part of everyday life when running a server.
I did a test a couple of years ago and left an FTP site open deliberately. About 150 MB of video (pr0n, judging by the filenames), all encoded and inaccessible, were dropped on my server drives several hours later and were being downloaded by others.

Either block port 21 at the firewall or turn off the logging; the response status is 530, so nobody is getting in there.
The manual for the DFL-700 is at PDF file.



Chris.

Indifference will be the downfall of mankind, but who cares?
Woo Hoo! the cobblers kids get new shoes.
People Counting Systems

So long, and thanks for all the fish.
 
Well, blocking the IP or the account will make sure that no matter how many times they try, the brute force robot will never get in, but your server will still respond to every request for hours on end using precious resources and bandwidth. I've written a small application in .NET that will stop your server from responding completely. You'll see a few entries in your logs, but once the app sees the attack those entries will cease from that IP. It works for me, but I would need to add some additional configuration options if I were to distribute it. So, that being said, would anyone here pay 3-5 bucks for something that would solve this problem once and for all? Also let me know if you'd prefer a windows service over a desktop application though I'll probably write both and give you guys a choice. I know there's no selling allowed in this forum, but I'm not selling anything yet, just trying to gauge if there's any demand for something like this.

Please reply in this thread or contact me.

Thanks.

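Added example, not code from the thread, from the .NET watcher mentioned above, or from Microsoft: a log scanner that does what the posts above describe by hand. It reads an IIS 6 W3C-format FTP log (the `#Fields` layout shown in the first post), flags any client IP that racks up a run of `PASS ... 530` replies inside a short window, records which usernames it tried, and separately checks the point Chris made: the only line that would mean someone got in is a `230` reply, so it reports any `230` from a flagged IP. The sample log is constructed for this example using RFC 5737 documentation addresses, not the addresses from the thread, and its last line is deliberately truncated the way the thread's own log is. The threshold and window values are assumptions; the returned block list is what you would feed to the perimeter firewall (the DFL-700 in the thread) or a host filter, since nothing here applies the block for you.

```python
"""Scan an IIS 6 W3C-format FTP log for password guessing and build a block list."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# FTP reply codes seen in the thread's log, and the Win32 status IIS appends.
FTP_LOGGED_IN = 230         # "User logged in, proceed": the only reply that means someone got in
FTP_NOT_LOGGED_IN = 530     # "Not logged in": every PASS in the thread's log ended this way
WIN32_LOGON_FAILURE = 1326  # ERROR_LOGON_FAILURE: unknown user name or bad password

# Constructed sample in the same format as the thread's log (RFC 5737 addresses,
# not the thread's). The last line is truncated on purpose, like the thread's log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-10-01 04:19:26
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
04:19:26 198.51.100.7 [1]USER Administrator 331 0
04:19:26 198.51.100.7 [1]PASS - 530 1326
04:19:27 198.51.100.7 [1]USER Administrator 331 0
04:19:27 198.51.100.7 [1]PASS - 530 1326
04:19:27 198.51.100.7 [1]USER Administrator 331 0
04:19:27 198.51.100.7 [1]PASS - 530 1326
04:19:28 198.51.100.7 [1]USER tsinternetuser 331 0
04:19:28 198.51.100.7 [1]PASS - 530 1326
04:19:28 198.51.100.7 [1]USER tsinternetuser 331 0
04:19:28 198.51.100.7 [1]PASS - 530 1326
04:19:29 198.51.100.7 [1]USER tsinternetuser 331 0
04:19:29 198.51.100.7 [1]PASS - 530 1326
04:19:40 192.0.2.3 [2]USER alice 331 0
04:19:41 192.0.2.3 [2]PASS - 530 1326
04:19:50 192.0.2.3 [2]USER alice 331 0
04:19:52 192.0.2.3 [2]PASS - 230 0
04:21:05 198.51.100.7 [3]USER backup 331 0
04:21:06 198.51.100.7 [3]PASS - 230 0
04:21:06 198.51.100.7 [3]USER backup 331
"""


def parse_w3c(text):
    """Yield one dict per data line, using the #Fields header for column names
    and the #Date header for the date; truncated lines are skipped."""
    fields, date = None, "1900-01-01"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            elif line.startswith("#Date:"):
                date = line[len("#Date:"):].split()[0]
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # no header yet, or a truncated/malformed line
        rec = dict(zip(fields, parts))
        rec["timestamp"] = datetime.strptime(f"{date} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        m = re.match(r"\[(\d+)\](\w+)", rec["cs-method"])  # IIS writes "[session]COMMAND"
        rec["session"] = int(m.group(1)) if m else None
        rec["command"] = m.group(2) if m else rec["cs-method"]
        yield rec


def analyze(text, threshold=5, window=timedelta(seconds=60)):
    """Flag an IP once it produces `threshold` failed PASS commands inside a sliding
    `window`, then report any successful login (230) from a flagged IP."""
    last_user = {}               # (ip, session) -> username from the last USER command
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    failures, users_tried = defaultdict(int), defaultdict(set)
    flagged, successes = set(), []
    for r in parse_w3c(text):
        key = (r["c-ip"], r["session"])
        if r["command"] == "USER":
            last_user[key] = r["cs-uri-stem"]
            continue
        if r["command"] != "PASS":
            continue
        ip, user, status = r["c-ip"], last_user.get(key, "?"), int(r["sc-status"])
        if status == FTP_LOGGED_IN:
            successes.append((ip, user, r["time"]))
        elif status == FTP_NOT_LOGGED_IN:
            failures[ip] += 1
            users_tried[ip].add(user)
            q = recent[ip]
            q.append(r["timestamp"])
            while r["timestamp"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                flagged.add(ip)
    attackers = {ip: {"failures": failures[ip], "users": sorted(users_tried[ip])} for ip in flagged}
    compromised = [s for s in successes if s[0] in attackers]
    return {"attackers": attackers, "compromised": compromised}


def block_list(report):
    """IPs to hand to the perimeter firewall or a host filter; applying them is left to the admin."""
    return sorted(report["attackers"])


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, info in report["attackers"].items():
        print(f"{ip}: {info['failures']} failed logins, tried {', '.join(info['users'])}")
    for ip, user, when in report["compromised"]:
        print(f"ALERT: successful login as {user!r} from flagged {ip} at {when}")
    print("block:", block_list(report))
```

The sliding window matters more than a raw count: a legitimate user fat-fingering a password twice (`192.0.2.3` above) never reaches the threshold, while a scripted run at several attempts a second crosses it within a few seconds. The `compromised` check is the one to act on first; a wall of `530` lines is noise and bandwidth, a `230` from the same source is an incident.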
 
Since it looks like it's coming from different IP addresses, you may very well have a zombie attack going on.

If you don't want to allow any FTP access, then turn off port 21 in your firewall. That will stop it completely.

I ended up having to do that on my Linux box at home... now if I need to get into it, I use SSH, log in, and then transfer files that way.



Just my 2¢
-Cole's Law: Shredded cabbage

--Greg
 