FTP Admin Attack
on 13.04.2006 16:05:00 by Shock
Hi,
I'm hosting an Anonymous FTP server (read only) on IIS 5.0
I often get attacks lasting about 20 minutes of a user
attempting to login as Administrator. I have a strong
Administrator password so it always fails, but at first,
the event log would fill up with Security Audit Failures,
so I configured that to overwrite.
Even if they login as Administrator they can't do any harm
on the FTP site, but then they would know my password, which
is not good.
The attacks always come from a different IP address (of
course), but during the attack they are the same. I would
like to detect an attack and then automatically block that
IP address.
Can this be done?
TIA
kpg
Re: FTP Admin Attack
on 13.04.2006 23:06:03 by Shock
As kpg once said in microsoft.public.inetserver.iis.security
> The attacks always come from a different IP address (of
> course), but during the attack they are the same. I would
> like to detect an attack and then automatically block that
> IP address
I've worked out how it would be done: monitor the log files for
the attack then using management objects modify the FTP site meta
data to block that IP address. If I had a script to add a blocked
IP address to the "deny" list of the FTP server I'd be set.
I've looked on the MS scripting site and some other places, I'll
keep looking.
Re: FTP Admin Attack
on 14.04.2006 16:24:57 by Shock
OK.
Using the IPDeny method of the IIsIPSecurity Object works,
but there seems to be the issue of performance if the
deny list gets too long. Each brute force attack will be from
a different IP address (possibly spoofed) so blocking it
will serve no long term value, additionally if the address is
an AOL address it may be a proxy server so legit users may
be denied access.
Of course, I could add the IP address when the attack is
detected and remove it after, say, 1 hour. This would solve
all of the issues, but really all I would be doing is not
seeing the attack, the server would still have to work to
deny it.
I guess the bottom line is make sure the server is hardened
properly, patches, unused services turned off, etc... and
just ignore the attackers.
*sigh*
kpg
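The add-then-expire idea from the post above, as an added example that is not part of the original thread: it scans FTP log lines for failed PASS replies (status 530), flags an address after three failures within one minute, and gives each block a one-hour lifetime. The log layout, the thresholds and the sample lines are assumptions constructed for illustration; applying the resulting list to the server (for instance through IPDeny) is left to the caller.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample; assumed layout: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2006-04-13 16:05:00 192.0.2.10 [1]USER Administrator 331
2006-04-13 16:05:01 192.0.2.10 [1]PASS - 530
2006-04-13 16:05:02 198.51.100.7 [2]USER anonymous 331
2006-04-13 16:05:03 198.51.100.7 [2]PASS guest@example.com 230
2006-04-13 16:05:04 192.0.2.10 [3]USER Administrator 331
2006-04-13 16:05:05 192.0.2.10 [3]PASS - 530
2006-04-13 16:05:08 192.0.2.10 [4]USER Administrator 331
2006-04-13 16:05:09 192.0.2.10 [4]PASS - 530
2006-04-13 16:20:00 203.0.113.5 [5]USER Administrator 331
2006-04-13 16:20:01 203.0.113.5 [5]PASS - 530
"""

def failed_logins(log_text):
    """Yield (timestamp, ip) for every PASS command answered with 530."""
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 6:
            continue  # header, blank or truncated line
        date, time, ip, method, _stem, status = parts[:6]
        if method.endswith("PASS") and status == "530":
            yield datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), ip

def plan_blocks(log_text, threshold=3, window=timedelta(minutes=1),
                ttl=timedelta(hours=1)):
    """Return {ip: (blocked_at, expires_at)} for addresses over the threshold."""
    recent, blocks = defaultdict(deque), {}
    for ts, ip in failed_logins(log_text):
        if ip in blocks and ts < blocks[ip][1]:
            continue  # already on the deny list, nothing new to decide
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocks[ip] = (ts, ts + ttl)
            q.clear()
    return blocks

def active_blocks(blocks, now):
    """Addresses that should be on the deny list at time `now`."""
    return sorted(ip for ip, (start, end) in blocks.items() if start <= now < end)

if __name__ == "__main__":
    print(plan_blocks(SAMPLE_LOG))
```

A single failed login (203.0.113.5 in the sample) stays below the threshold, and the expiry keeps the deny list from growing without bound.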
Re: FTP Admin Attack
on 17.04.2006 13:43:43 by Bernard
This is similar to DDoS attacks, and you can't really do much at your end
except with the help of your ISP, as they have bigger trunks, traffic
control, dedicated blackboxes, etc.
Speaking from experience, even with a smart IDS at your DMZ level plus blocking
at the firewall, if that 'junk' traffic is bigger than your pipe, your site
will be down. Hence ISP-level blocking and smart detection is the way to
go...
--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/