recommend an intrusion detection system
Dica (Guest) - 06-02-2007, 08:53 PM

i've just gotten a mobile plan that includes 4mb a month bandwidth which is
about 200 emails. anything over that i pay for. i also run a windows 2003
server that is the frequent subject of FTP dictionary attacks. whenever
somebody tries to FTP using something like 'administrator' or 'guest', an
event log is added with the failed login attempt. any security logs added
generate a new email sent to my account. as any of you know who've been
subject to these kinds of attacks, they can last hours and generate tons of
event logs (and, in my case, hundreds of emails).

normally, if i'm around when the attack starts, i'll add the attacker's IP
to my blocked addresses in the IIS FTP server. what i'd like to have for
those times i'm not around is an application that can do the same thing. i
should be able to set a trigger that says something like 'if somebody tries
to FTP in and fails 3 times within 1 minute, add them to the list of blocked
addresses.'

anybody know of an app like this?

tks


   

Re: recommend an intrusion detection system
Jerry Stuckle (Guest) - 06-02-2007, 08:53 PM

Dica wrote:
> i've just gotten a mobile plan that includes 4mb a month bandwidth which is
> about 200 emails. anything over that i pay for. i also run a windows 2003
> server that is the frequent subject of FTP dictionary attacks. whenever
> somebody tries to FTP using something like 'administrator' or 'guest', an
> event log is added with the failed login attempt. any security logs added
> generate a new email sent to my account. as any of you know who've been
> subject to these kinds of attacks, they can last hours and generate tons of
> event logs (and, in my case, hundreds of emails).
>
> normally, if i'm around when the attack starts, i'll add the attacker's IP
> to my blocked addresses in the IIS FTP server. what i'd like to have for
> those times i'm not around is an application that can do the same thing. i
> should be able to set a trigger that says something like 'if somebody tries
> to FTP in and fails 3 times within 1 minute, add them to the list of blocked
> addresses.'
>
> anybody know of an app like this?
>
> tks
>
>


If you're running linux you can use iptables and the ipt_recent module
to automatically reject connections like this. There are several
examples on the web; one for SSH (which you should be able to easily
modify for FTP) is at
<http://forums.fedoraforum.org/archive/index.php/t-56900.html>

I use something similar to:

# Kill ftp hackers - watch for more than 3 connection attempts in under
# 60 seconds and reject for 5 minutes
iptables -N FTP-EVIL
iptables -A FTP-EVIL -m recent --name badFTP --set -j LOG --log-level DEBUG --log-prefix "evil FTP user: "
iptables -A FTP-EVIL -j REJECT

iptables -N FTP
iptables -A FTP -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FTP -p tcp --syn -m recent --name badFTP --rcheck --seconds 300 -j REJECT
iptables -A FTP -p tcp --syn -m recent --name ftpconn --rcheck --seconds 60 --hitcount 3 -j FTP-EVIL
iptables -A FTP -p tcp --syn -m recent --name ftpconn --set
iptables -A FTP -p tcp --syn -j ACCEPT

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
EMAIL REMOVED
==================
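
Added example, not part of either post above: the trigger described in the question (3 failed FTP logins from one address within 1 minute) written as a sliding-window detector over FTP log lines, which counts failed logins rather than connection attempts as the iptables rules do. The log layout, the sample lines and the name find_offenders are assumptions constructed for illustration; the function only reports addresses, and adding them to a block list is left to the FTP server or firewall.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in an assumed W3C-style layout:
# date time c-ip cs-method cs-uri-stem sc-status   (530 = FTP "not logged in")
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2007-06-02 20:50:00 203.0.113.7 [1]PASS - 530
2007-06-02 20:50:20 203.0.113.7 [2]PASS - 530
2007-06-02 20:50:30 198.51.100.4 [3]PASS - 530
2007-06-02 20:50:45 203.0.113.7 [4]PASS - 530
2007-06-02 20:51:10 198.51.100.4 [5]PASS - 230
2007-06-02 20:55:00 198.51.100.4 [6]PASS - 530
2007-06-02 20:58:00 198.51.100.4 [7]PASS - 530
this line is malformed and is skipped
"""

def find_offenders(log_text, max_failures=3, window_seconds=60):
    """Return {ip: time of the failed login that crossed the threshold}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    offenders = {}
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # blank line or W3C directive
        parts = line.split()
        if len(parts) != 6:
            continue  # not in the assumed six-field layout
        date, time, ip, method, _stem, status = parts
        if not method.endswith("PASS") or status != "530":
            continue  # only rejected password attempts count
        try:
            ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # unparseable timestamp
        q = recent[ip]
        q.append(ts)
        # Drop failures that have aged out of the window ending at ts.
        while q and ts - q[0] >= window:
            q.popleft()
        if len(q) >= max_failures and ip not in offenders:
            offenders[ip] = ts
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"block {ip} (threshold crossed at {when})")
```

In the sample, 198.51.100.4 fails three times in total but never three times inside one 60-second window, so only 203.0.113.7 is reported.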
   