
Preventing attacks on FTP server

Status
Not open for further replies.

Daveyd123

MIS
Aug 25, 2004
413
US
I have an FTP site set up through IIS. My FTP site sits on the inside of the firewall and I have one of our public IPs NATd.

I have set up AD users with appropriate ACLs to be able to access the FTP externally, which they can.

Looking at my FTP logs over the past couple of days, it has shown that several IP addresses located in Korea have tried to access the FTP site using brute force. The logs show 1000+ login attempts using the username "admin", "ftpuser" and "administrator", EVERY second from midnight to 6am.

If I indeed had actual accounts listed above, they would constantly be locked out.

I was thinking about restricting IP addresses on the server but that would be quite an undertaking as we have hundreds of people accessing the site.

Is there any way to avoid this type of attack? Would it have to be done on the server or firewall side?
 
As a start have you tried blocking the address ranges for the IP addresses based in Korea? If the FTP server is to be publicly accessed then it's kinda hard to stop people from accessing it. If FTP is not required from the outside, try blocking FTP on your router/firewall.
 
The server has to be accessible externally.

I was thinking about trying to restrict IPs to just the United States. But, that still doesn't prevent someone trying to launch a brute force or dictionary attack on it.
 
Well, you may want to consider implementing some sort of host-based intrusion detection software which will look for brute force attacks; otherwise, the more expensive solution is to put an IDS device on your network.
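The kind of check a host-based detector runs over FTP logs, as an added example that is not part of the original post: it counts failed logins per client IP in a sliding window and reports the usernames tried. The log lines are constructed, and the W3C field layout, the `[session]VERB` form of `cs-method`, the 530 failure status and the name `find_bruteforce` are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample; the field layout is an assumption (parser follows #Fields).
SAMPLE_LOG = """\
#Date: 2009-03-01 00:00:01
#Fields: time c-ip cs-method cs-uri-stem sc-status
00:00:01 203.0.113.5 [7]USER admin 331
00:00:01 203.0.113.5 [7]PASS - 530
00:00:02 203.0.113.5 [8]USER ftpuser 331
00:00:02 203.0.113.5 [8]PASS - 530
00:00:03 203.0.113.5 [9]USER administrator 331
00:00:03 203.0.113.5 [9]PASS - 530
00:00:04 198.51.100.20 [10]USER jsmith 331
00:00:04 198.51.100.20 [10]PASS - 530
00:00:09 198.51.100.20 [11]USER jsmith 331
00:00:09 198.51.100.20 [11]PASS - 230
"""

def find_bruteforce(log_text, threshold=3, window_seconds=60):
    """Return {ip: sorted usernames} for every client IP with `threshold` or
    more failed logins (PASS answered with 530) inside the sliding window."""
    fields, date, flagged = [], None, {}
    pending_user = {}            # (ip, session id) -> last USER argument
    recent = defaultdict(deque)  # ip -> timestamps of failures in the window
    names = defaultdict(set)     # ip -> usernames whose login failed
    for line in log_text.splitlines():
        if line.startswith("#Date:"):
            date = line.split()[1]
        elif line.startswith("#Fields:"):
            fields = line.split()[1:]
        # Directive lines yield an empty row and are skipped by the check below.
        row = {} if line.startswith("#") else dict(zip(fields, line.split()))
        m = re.match(r"\[(\d+)\](\w+)$", row.get("cs-method", ""))
        if not m or date is None:
            continue
        key, verb = (row.get("c-ip"), m.group(1)), m.group(2)
        if verb == "USER":
            pending_user[key] = row.get("cs-uri-stem", "-")
        elif verb == "PASS" and row.get("sc-status") == "530":
            ts = datetime.strptime(f"{date} {row['time']}", "%Y-%m-%d %H:%M:%S")
            q = recent[key[0]]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            names[key[0]].add(pending_user.get(key, "?"))
            if len(q) >= threshold:
                flagged[key[0]] = sorted(names[key[0]])
    return flagged
```

The flagged addresses can feed a firewall block list or an alert; the threshold and window need tuning against how often legitimate users mistype passwords.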
 
We have an ASA 5510 with an IPS module. I have to check that out to see what I can do on it to prevent the attacks.
 