What auth. are you using for FTP? 
Could you change to SFTP?
 
Changing the port might be a quick workaround while you are getting it sorted. If you can deny all IPs except for your users' static IP addresses, that would be a big help too.
 
Justin
-----Original Message-----
From: Justin MacCarthy [mailto:[EMAIL PROTECTED]
Sent: 20 April 2004 14:25
To: [EMAIL PROTECTED]
Subject: RE: [ cf-dev ] OT: NT security problem

More questions than answers first ...
 
Is it NT or Windows 2000?
How are you coming to the conclusion that it is an FTP attack? Sure it's not a DoS against the FTP port?
What logs do you have?
Are you running any IDS system?
Have you notified your ISP or upstream provider of the attack?
Are your event logs filling up and being corrupted?
What other info do you have?
Are most of your users using your FTP from static IP addresses?
How long has the attack been going?
What firewall are you using?
 
Justin
 
-----Original Message-----
From: Chris Tazewell [mailto:[EMAIL PROTECTED]
Sent: 20 April 2004 14:03
To: [EMAIL PROTECTED]
Subject: [ cf-dev ] OT: NT security problem

Sorry for another Off Topic.
 
I've got a serious issue with one of my web servers where some twats have launched an attack on the box by trying to log in through any of the FTP user accounts.
 
They're running a distributed attack from lots of PCs, which must be an automated process to try FTP-ing in with different combinations of usernames and passwords.
 
Consequently my server keeps having to lock FTP accounts after 5 failed login attempts. None of them have got through because I have a strict policy on passwords, which are all 8 characters with upper case, lower case and alphanumerics. I'm not too worried about anyone getting through, but I've got hell on trying to allow clients access to their FTP areas.
 
I'm putting my hands up and admitting that this sort of thing is beyond me. I don't know how to get the server to ignore their attempts, since I have no IP addresses to block. Event viewer only shows a computer name, like:
 
 
Any ideas and help would be appreciated.
 
Taz
