Chris,

 

Strong passwords aren’t going to continue to mean much with NT-based FTP services; the username and password are passed in clear text to the server.

 

If you must use it, though, you can configure your FTP sites to only accept incoming connections from your client’s IP addresses, providing those are limited.  If not, it’s going to be fairly hard to keep people from hitting your server.  You could also download and install IIS Lockdown to help further harden your FTP server.

 

Personally, however, I’d install OpenSSH (http://www.openssh.org/) and have your clients use SFTP to upload their files.  You can then remove FTP, which will get rid of port 20/21, and provide security for username and password credentials passed in connection strings since SSH is encrypted.

Cordially yours,
Jerry G. Young II
NT/Windows System Admin III MCSE (NT4 & 2000)
Enterprise Customer Operations
Verio -- An NTT Communications Company


From: Justin MacCarthy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 20, 2004 8:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ cf-dev ] OT: NT security problem

 

More questions than answers first ....

Is it NT or Windows 2000?

How are you coming to the conclusion that it is an FTP attack? Sure it's not a DoS against the FTP port?

What logs do you have?

Are you running any IDS system?

Have you notified your ISP or upstream provider of the attack?

Are your event logs filling up and being corrupted?

What other info do you have?

Are most of your users using your FTP from static IP addresses?

How long has the attack been going?

What firewall are you using?

 

Justin

 

-----Original Message-----
From: Chris Tazewell [mailto:[EMAIL PROTECTED]
Sent: 20 April 2004 14:03
To: [EMAIL PROTECTED]
Subject: [ cf-dev ] OT: NT security problem

Sorry for another Off Topic.

 

I've got a serious issue with one of my web servers where some twats have launched an attack on the box by trying to login through any of the ftp user accounts.

 

They're running a distributed attack from lots of PCs, which must be an automated process to try FTP-ing in with different combinations of usernames and passwords.

 

Consequently my server keeps having to lock ftp accounts after 5 failed login attempts. None of them have got through because I have a strict policy on passwords, which are all 8 characters with Upper case, lower case and alphanumerics. I'm not too worried about anyone getting through, but I've got hell on trying to allow clients access to their FTP areas.

 

I'm putting my hands up and admitting that this sort of thing is beyond me. I don't know how to get the server to ignore their attempts, since I have no IP addresses to block. Event viewer only shows a computer name, like:

 

 

Any ideas and help would be appreciated.

 

Taz
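
Added example, not part of the original thread: the thread asks which logs are available and notes that Event Viewer shows no source addresses, so this sketch pulls failed-login source IPs out of an FTP service log, which also shows which addresses legitimate clients connect from. It assumes the FTP service writes W3C extended logs with the `time c-ip cs-method cs-uri-stem sc-status` fields; the sample lines, addresses and usernames are constructed, and the function names and threshold are hypothetical.

```python
from collections import defaultdict

# Constructed sample in the W3C extended layout assumed for the FTP service log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: time c-ip cs-method cs-uri-stem sc-status
13:01:02 203.0.113.7 [11]USER administrator 331
13:01:02 203.0.113.7 [11]PASS - 530
13:01:04 203.0.113.7 [12]USER admin 331
13:01:04 203.0.113.7 [12]PASS - 530
13:01:05 198.51.100.23 [13]USER webmaster 331
13:01:06 198.51.100.23 [13]PASS - 530
13:02:10 192.0.2.44 [14]USER client1 331
13:02:11 192.0.2.44 [14]PASS - 230
13:02:30 203.0.113.7 [15]USER client1 331
13:02:30 203.0.113.7 [15]PASS - 530
"""

def summarize_logins(log_text):
    """Return (failures, successes): dicts of client IP -> usernames tried."""
    fields = []
    pending = {}                      # (ip, session) -> name sent with USER
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]     # column order comes from the header
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):     # skip truncated or malformed rows
            continue
        row = dict(zip(fields, parts))
        session, _, verb = row["cs-method"].rpartition("]")
        key = (row["c-ip"], session)
        if verb == "USER":
            pending[key] = row["cs-uri-stem"]
        elif verb == "PASS":
            user = pending.pop(key, "?")
            if row["sc-status"] == "530":     # FTP reply 530: login rejected
                failures[row["c-ip"]].append(user)
            elif row["sc-status"] == "230":   # FTP reply 230: logged in
                successes[row["c-ip"]].append(user)
    return dict(failures), dict(successes)

def block_candidates(failures, successes, threshold=3):
    """IPs with at least `threshold` failed logins and no successful login."""
    return sorted(ip for ip, users in failures.items()
                  if len(users) >= threshold and ip not in successes)
```

In a distributed attack each source may fail only a few times, so the threshold needs tuning, and the addresses in `successes` are the starting point for an allow list of client IPs.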
