Hi Greg,

Here are the steps I would recommend:

1. Rename the administrator ID, taking care to address any services that
run under that ID.

2. Move the server to the inside interface of the Pix, change the IP
addresses on the server to the inside address space, NAT external addresses
used for the server to the inside addresses, and expose only the ports you
need via an access-list for traffic from the outside to inside interfaces.
If you need help with that, let me know.  I have sample configurations I can
share to show how it can be done with a Pix 515.

You will still get bursty attempts at cracking FTP, but with uncommon IDs,
the chance of hitting the ID/PW combo is practically zero.

If you want more security against the intrusion attempts implement a lockout
after X failures, potentially with an unlock after Y minutes to protect
against legitimate user errors.

Sorry we can be difficult at times.  IT can be a stressful occupation, as
you well know.  Sometimes we let it come out in these forums despite our
best intentions to help.

Darin.
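A constructed PIX 6.x configuration fragment illustrating step 2 (an added example, not Darin's sample configuration; the interface names, the 203.0.113.x/192.168.1.x addresses and the exposed ports are assumptions based on the mail/FTP/web roles Greg described):

```cisco
! Added example, not the poster's config: PIX 6.x syntax, addresses assumed
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
! The server keeps its old public address 203.0.113.10 on the outside via a
! static NAT; it is readdressed to 192.168.1.10 on the inside interface
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
! Only the services the box actually offers (mail, FTP, web) are reachable
! from the outside; everything else, NetBIOS/SMB included, is denied implicitly
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-list outside_in permit tcp any host 203.0.113.10 eq pop3
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq ftp
access-group outside_in in interface outside
! FTP inspection rewrites the addresses in PORT/PASV so data channels survive NAT
fixup protocol ftp 21
```

The static translation is bidirectional, so the server's own outbound mail delivery still leaves as 203.0.113.10; `show xlate` and `show access-list` confirm the translation is built and that hits land on the intended lines.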


----- Original Message ----- 
From: "Greg Shepherd" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, April 04, 2006 7:44 AM
Subject: RE: [IMail Forum] OT - MSFTPSRV


I thank you all for your comments and advice.   While a novice, I believe
both Jay & John are correct. The server is on the public side of a Pix 515e
Firewall. This server serves as Email, FTP, and Web Page Server. Yes, it is
a risk there due to the public side.  I have very little knowledge of Cisco
Pix. I would have to look at how to block the ports. Disabling the
administrator account is a good idea. If I had the resources and the
funding I would upgrade equipment and software across the board.  But, I
have to use what I have even if it is Win 98 & WinNT 4.0.

I am somewhat annoyed at how mean spirited this forum can get. There are
some very knowledgeable, experienced administrators servicing novices like
me who wear multiple hats in small companies trying to keep the networks
running.  I actually had this ftp attack before. I hesitated posting an OT
because of the potential firestorm.

I am sure I speak for many: we appreciate your insight and passion for the
Internet and attempting to clean up problems. I know it is not easy,
especially when the BIG Services like Comcast seem to make their own rules.

Thanks again.

Greg Shepherd
Catalyst Manufacturing Services, Inc.

-----Original Message-----
From: John T (Lists) [SMTP:[EMAIL PROTECTED]
Sent: Monday, April 03, 2006 5:55 PM
To: [email protected]
Subject: RE: [IMail Forum] OT - MSFTPSRV

> 4. A firewall is a firewall.  You can setup rules for either interface.
> Since this server is hosting a web site as well, I assume he requires
> FTP access to modify his web content.  Regardless, most firewalls are
> only layer 4 aware and thus allow you to only close or open ports for
> access; they do not care what traffic you are passing on those ports.
> Some sort of IPS system is required to analyze traffic on layers 5-7
> and mitigate attacks as they are occurring.

Your problem, Jay, is you are making a blind assumption that when he said
"This server is on the public side of CISCO PIX515E Firewall" that the
server is indeed protected by the firewall. My interpretation of his
statement is that the server is not behind the firewall and has no firewall
between it and the Internet. For you to go on about what a firewall does
and does not do is worthless in this discussion since it has no bearing
whatsoever on the point in question. The terms "public" and "private" when
used when talking about a firewall generally mean zones or interfaces of the
firewall, public meaning the Internet or WAN or otherwise unprotected side
and the private meaning the Intranet or LAN or otherwise the protected side
of the firewall.

Greg will have to post a clarification of what exactly he means by his
statement.

GEES!

John T
eServices For You

"Seek, and ye shall find!"


To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
