FTP Admin Attack

I'm hosting an Anonymous FTP server (read only) on IIS 5.0. I often get attacks lasting about 20 minutes of a user attempting to login as Administrator. I have a strong Administrator password so it always fails, but at first, the event log would fill up with Security Audit Failures, so I configured that to overwrite.

Even if they login as Administrator they can't do any harm on the FTP site, but then they would know my password, which is not good.

The attacks always come from a different IP address (of course), but during the attack they are the same. I would like to detect an attack and then automatically block that IP address.

Can this be done?

TIA

kpg

As kpg once said in microsoft.public.inetserver.iis.security
> The attacks always come from a different IP address (of
> course), but during the attack they are the same. I would
> like to detect an attack and then automatically block that
> IP address

I've worked out how it would be done: monitor the log files for the attack, then using management objects modify the FTP site meta data to block that IP address.

If I had a script to add a blocked IP address to the "deny" list of the FTP server I'd be set. I've looked on the MS scripting site and some other places, I'll keep looking.

OK.

Using the IPDeny method of the IIsIPSecurity Object works, but there seems to be the issue of performance if the deny list gets too long. Each brute force attack will be from a different IP address (possibly spoofed) so blocking it will serve no long term value, additionally if the address is an AOL address it may be a proxy server so legit users may be denied access.

Of course, I could add the IP address when the attack is detected and remove it after, say, 1 hour. This would solve all of the issues, but really all I would be doing is not seeing the attack, the server would still have to work to deny it.

I guess the bottom line is make sure the server is hardened properly, patches, unused services turned off, etc... and just ignore the attackers.

*sigh*

kpg

This is similar to DDOS attacks, and you can't really do much at your end except with the help of your ISP, as they have a bigger trunk, traffic control, dedicated blackbox, etc.

Speaking from experience, even with smart IDS at your DMZ level, + blocking at the firewall. If that 'junk' traffic is bigger than your pipe, your site will be down. Hence ISP level blocking and smart detection is the way to go......

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/

"kpg" <n*@way.com> wrote in message news:Xns97A55FCC63E30ipostthereforeiam@207.46.248.16...
> OK.
>
> Using the IPDeny method of the IIsIPSecurity Object works,
> but there seems to be the issue of performance if the
> deny list gets too long. Each brute force attack will be from
> a different IP address (possibly spoofed) so blocking it
> will serve no long term value, additionally if the address is
> an AOL address it may be a proxy server so legit users may
> be denied access.
>
> Of course, I could add the IP address when the attack is
> detected and remove it after, say, 1 hour. This would solve
> all of the issues, but really all I would be doing is not
> seeing the attack, the server would still have to work to
> deny it.
>
> I guess the bottom line is make sure the server is hardened
> properly, patches, unused services turned off, etc... and
> just ignore the attackers.
>
> *sigh*
>
> kpg
>
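
The detect-then-expire approach discussed in this thread, as an added example that is not part of any poster's message: it scans FTP log lines for repeated failed logins from one IP and keeps a deny list whose entries lapse after an hour, so the list cannot grow without bound. The log field order, the thresholds, the sample lines and the `TempDenyList` name are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # failed logins from one IP ...
WINDOW = timedelta(minutes=2)    # ... inside this window trigger a block
BLOCK_FOR = timedelta(hours=1)   # block lifetime, the "say, 1 hour" from the thread

# Constructed sample lines; assumed fields: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE = sorted(
    [f"2006-04-12 03:10:{s:02d} 203.0.113.7 [1]PASS - 530" for s in range(0, 30, 5)]
    + ["2006-04-12 03:10:12 198.51.100.20 [2]PASS - 530",   # one mistyped password
       "2006-04-12 03:10:40 198.51.100.20 [2]PASS - 230"])  # then a good login

def parse_failures(lines):
    """Yield (timestamp, ip) for every PASS command answered with 530."""
    for line in lines:
        parts = line.split()
        if line.startswith("#") or len(parts) != 6:
            continue  # header or malformed line
        date, time, ip, method, _stem, status = parts
        if method.endswith("PASS") and status == "530":
            yield datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), ip

class TempDenyList:  # hypothetical helper: sliding-window detection, expiring blocks
    def __init__(self):
        self.recent = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}                 # ip -> time the block expires

    def expire(self, now):
        """Remove blocks that have run out; return the IPs to un-deny."""
        gone = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in gone:
            del self.blocked[ip]
        return gone

    def observe(self, ts, ip):
        """Record one failure; return True if it newly blocks this IP."""
        self.expire(ts)
        if ip in self.blocked:
            return False
        q = self.recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:   # drop failures older than the window
            q.popleft()
        if len(q) < THRESHOLD:
            return False
        self.blocked[ip] = ts + BLOCK_FOR
        del self.recent[ip]
        return True
```

An IP for which `observe` returns True is the one to add to the FTP site's deny list, and the IPs returned by `expire` are the ones to take off it again; the single mistyped password from the second address never reaches the threshold.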