[COLUG] FTP attacks

Thomas J. Noe tnoe at mailsnare.net
Sat Jul 8 09:08:59 EDT 2006


On Friday 07 July 2006 21:40, Steve Roggenkamp wrote:
> It looks like someone(s) is attempting to hack FTP servers from multiple
> IP addresses.
>
> The modus operandi is to make a connection to the FTP server then
> attempt to log in using a variety of user names and passwords.  Normally
> they attempt 2283 passwords, then they may close the connection.  At
> times they may attempt multiple user names using the same connection,
> keeping it open for long periods.
>
> I have missed this since the daily log summary only shows a few
> connections.  I found it when diagnosing a problem for a user.
>
> The attackers are persistent, one IP address has almost two million
> attempts.  When I do an nslookup on the IP, almost all come back with
> NXDOMAIN.  Not surprising.
>
> It looks like these have been going on since late April, but it does not
> appear that any attempts have been successful.  I'm still analyzing the
> logs.
>
> Steve

I have SSH open on my router and my server was getting inundated with SSH 
attempts -- so much so that it was denying legitimate traffic. I found a 
great tool to help monitor and mitigate the problem - DenyHosts. It was 
designed specifically for SSH, but I believe you can monitor any port. There 
is a daemon process that runs in the background and will check your logs for 
log-in attempts. If it detects too many login attempts from the same IP over 
a specific period of time, it will block that IP address for whatever length 
of time you like. I find that blocking for 10 minutes is long enough to deter 
the "bots" out there. It also interfaces with sendmail (if you want) to send 
out emails of when and which IP address has been blocked. It hasn't stopped 
me from getting attacked, but at least within 30 seconds, the attack is 
stopped. Plus, I still have the IP address in my logs if I want to do further 
analysis.

-- 

Best wishes,
    Tom

E: tnoe AT mailsnare DOT net
B: tom.noe AT mycingular DOT blackberry DOT net
P: tomnoe AT cingularme DOT com

PGP keyID 0x938FFB9A
gpg --keyserver pgp.mit.edu --recv-keys 938FFB9A
MOTD: find / -name \*yourbase\* -exec chown us:us {} \;
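The mechanism Tom describes (a daemon that scans the auth log, counts failed logins per source address inside a time window, and blocks the address for a configurable period before letting it back in) can be sketched in a few dozen lines. The script below is an added illustration of that sliding-window logic, not DenyHosts' own code and not anything posted in this thread. It assumes OpenSSH "Failed password" messages and a simplified vsftpd-style "FAIL LOGIN" message as the failure indicators, a log year of 2006 because syslog timestamps carry none, and constructed sample lines with documentation addresses; the threshold (5 failures in 60 seconds) and the 10-minute block are parameters chosen here to match the post, not DenyHosts defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog excerpt (not from the original post). Hosts,
# addresses and timestamps are made up; SSH lines follow the OpenSSH message
# format, FTP lines a simplified vsftpd-style "FAIL LOGIN" message.
SAMPLE_LOG = """\
Jul  8 09:00:01 gw sshd[2031]: Failed password for invalid user admin from 192.0.2.10 port 4411 ssh2
Jul  8 09:00:03 gw sshd[2031]: Failed password for invalid user test from 192.0.2.10 port 4412 ssh2
Jul  8 09:00:04 gw vsftpd[2040]: [anonymous] FAIL LOGIN: Client "198.51.100.7"
Jul  8 09:00:05 gw sshd[2033]: Failed password for root from 192.0.2.10 port 4413 ssh2
Jul  8 09:00:06 gw sshd[2035]: Accepted publickey for steve from 203.0.113.5 port 5000 ssh2
Jul  8 09:00:07 gw sshd[2036]: Failed password for invalid user oracle from 192.0.2.10 port 4414 ssh2
Jul  8 09:00:09 gw vsftpd[2041]: [ftp] FAIL LOGIN: Client "192.0.2.10"
Jul  8 09:00:10 gw sshd[2037]: Failed password for invalid user guest from 192.0.2.10 port 4415 ssh2
Jul  8 09:02:00 gw vsftpd[2042]: [anonymous] FAIL LOGIN: Client "198.51.100.7"
Jul  8 09:11:00 gw sshd[2050]: Failed password for invalid user admin from 192.0.2.10 port 4416 ssh2
"""

IPV4 = r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'
# One pattern per monitored service; each captures the client address as "ip".
FAILURE_PATTERNS = [
    re.compile(r'sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from ' + IPV4),
    re.compile(r'vsftpd\[\d+\]: \[\S+\] FAIL LOGIN: Client "' + IPV4 + '"'),
]
SYSLOG_TS = re.compile(r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ')


def parse_failure(line, year):
    """Return (timestamp, ip) for a failed-login line, or None for any other line.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    for pat in FAILURE_PATTERNS:
        f = pat.search(line)
        if f:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return ts, f.group("ip")
    return None


class FailedLoginMonitor:
    """Sliding-window failure counter per client IP with timed blocks.

    `threshold` failures within `window` trigger a block lasting `block_for`;
    an expired block is lifted when the next log event is processed.
    """

    def __init__(self, threshold=5, window=timedelta(seconds=60),
                 block_for=timedelta(minutes=10)):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.recent = defaultdict(deque)  # ip -> failure timestamps inside the window
        self.blocked_until = {}           # ip -> datetime when its block expires
        self.events = []                  # (action, ip, timestamp) in log order

    def _expire_blocks(self, now):
        for ip, until in list(self.blocked_until.items()):
            if now >= until:
                del self.blocked_until[ip]
                self.events.append(("unblock", ip, now))

    def observe(self, ts, ip):
        """Record one failure; return True if this failure triggered a block."""
        self._expire_blocks(ts)
        if ip in self.blocked_until:
            return False  # already blocked; further failures are just noise
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()   # drop failures that fell out of the window
        if len(q) >= self.threshold:
            self.blocked_until[ip] = ts + self.block_for
            self.events.append(("block", ip, ts))
            q.clear()     # start counting afresh once the block is lifted
            return True
        return False


def process_log(text, year=2006, **kwargs):
    """Feed every failed-login line of `text` to a monitor and return it."""
    mon = FailedLoginMonitor(**kwargs)
    for line in text.splitlines():
        parsed = parse_failure(line, year)
        if parsed:
            mon.observe(*parsed)
    return mon


if __name__ == "__main__":
    for action, ip, ts in process_log(SAMPLE_LOG).events:
        print(f"{ts}  {action:<8} {ip}")
```

On the sample, 192.0.2.10 reaches five failures at 09:00:09 (its SSH and FTP failures are pooled per address, so a source that rotates services still trips the threshold), is ignored while blocked, and is released at the first event after 09:10:09; 198.51.100.7 never exceeds the window. A real deployment would feed the decisions to a firewall or hosts.deny rather than a list, and, as Tom notes, keep the original log lines for later analysis.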