# [SOLVED] FTP Server Under Attack



## Nik00117 (Jan 8, 2007)

OK, here's a bit of a log from my last hack attempt (annoying more than anything else):



> [5] Mon 24Dec07 00:16:12 - (000387) Connected to 211.166.10.104 (Local address 192.168.0.190)
> [5] Mon 24Dec07 00:16:14 - (000387) Too many times wrong password for user "ADMINISTRATOR" - disconnecting
> [5] Mon 24Dec07 00:16:16 - (000387) Closing connection
> [5] Mon 24Dec07 00:16:16 - (000388) Connected to 211.166.10.104 (Local address 192.168.0.190)
> ...


Now I was just wondering: my only current tactic is to shut down the server to stop such an attack; however, is there another means of stopping such attacks, which quite frankly are very annoying?

It appears the user uses different IP addresses, so if anyone has any information which would allow me to go ahead and stop such an account, I would be very grateful for your efforts.

Oh, the server FTP client I use is Serv-U; it's the full edition, so I should have all the bells and whistles. It runs off my main machine.


----------



## sobeit (Nov 11, 2007)

*Re: FTP Server Under Attack*

First, I know nothing about FTP servers, so my suggestions may be worthless, but is there any way you can rename that account from administrator to something else? Or change the time for a lockout after a wrong password?


----------



## Nik00117 (Jan 8, 2007)

*Re: FTP Server Under Attack*

Um, there is no account called admin on the server. First off, I never thought to use it; second off, thinking of it, why use such a generic name?


----------



## Cellus (Aug 31, 2006)

*Re: FTP Server Under Attack*

This sort of "attack" is actually very common for FTP servers. If you use strong, complex passwords and non-standard usernames you are fine.

Long story short, if you run a public FTP server, this sort of activity is actually expected and happens to pretty much everyone with public FTP at one point in time or another. The person (or bot) which was trying to get in was most likely using a common passwords list - going through a list of passwords commonly used by people. If you use non-standard usernames and strong complex passwords, there is no need to panic and shut it down. It happens rather often.

Make sure your FTP server is properly configured (if possible, see if you can configure it to block an IP for x number of minutes/hours if y number of login failures occur) and is behind a firewall (I recommend something stronger than relying just on the basic firewall built into your Home/SOHO router). Keep your software (including Windows and Serv-U) up-to-date. Make sure you have at least some basic security software installed such as antivirus, antispyware, and such.

There are other things you can implement, such as secure FTP (i.e. Serv-U's support for SSL) and an IDS/IPS (Intrusion Detection/Prevention System); however, they can be difficult to properly implement and configure and can make it difficult for everyone to access your FTP.


----------



## Nik00117 (Jan 8, 2007)

*Re: FTP Server Under Attack*

Well all my usernames are based off uses for them. And they aren't very common so I will go ahead and start up the server then.

Thanks, I will be sure to try and configure a system where after 3 failed login attempts you're banned for an hour or so.


----------



## Addy (Oct 21, 2007)

*Re: FTP Server Under Attack*

This is very common on my FTP server. I do not have an account by the name of "Administrator", and my password is very secure, so when I saw it I didn't really care about it.

Funny, upon checking my FTP server look what I see:

```
(000003) 27/12/2007 15:37:47 PM - (not logged in) (211.239.186.14)> USER Administrator
(000003) 27/12/2007 15:37:47 PM - (not logged in) (211.239.186.14)> 331 Password required for administrator
(000003) 27/12/2007 15:37:49 PM - (not logged in) (211.239.186.14)> PASS ******
(000003) 27/12/2007 15:37:49 PM - (not logged in) (211.239.186.14)> 421 Temporarily banned for too many failed login attempts
```
As you see, it's very common and not really something you should worry about. My server has the set limit of login attempts, and as you can see, it banned the IP for that.


----------



## Nik00117 (Jan 8, 2007)

*Re: FTP Server Under Attack*

I set mine up to do the same thing now as well. As is well


----------
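The lockout rule suggested in the replies above (block an IP for a period after a number of login failures), as an added example that is not part of the original thread and is not Serv-U's own logic. It reads log lines in the layout of the excerpt in the first post, maps each session id to its remote IP, and reports which IPs would be banned; the sample lines are constructed (documentation-range addresses), and the threshold, window and ban length are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Line layout follows the log excerpt in the first post; the sample lines are constructed.
LINE = re.compile(r"\[\d+\] \w{3} (\d{2}\w{3}\d{2} \d{2}:\d{2}:\d{2}) - \((\d+)\) (.*)")
CONNECT = re.compile(r"Connected to (\d{1,3}(?:\.\d{1,3}){3})")
FAILURE = "Too many times wrong password"

SAMPLE_LOG = """\
[5] Mon 24Dec07 00:16:12 - (000387) Connected to 203.0.113.7 (Local address 192.168.0.190)
[5] Mon 24Dec07 00:16:14 - (000387) Too many times wrong password for user "ADMINISTRATOR" - disconnecting
[5] Mon 24Dec07 00:16:16 - (000387) Closing connection
[5] Mon 24Dec07 00:16:16 - (000388) Connected to 203.0.113.7 (Local address 192.168.0.190)
[5] Mon 24Dec07 00:16:18 - (000388) Too many times wrong password for user "ADMINISTRATOR" - disconnecting
[5] Mon 24Dec07 00:17:00 - (000389) Connected to 198.51.100.23 (Local address 192.168.0.190)
[5] Mon 24Dec07 00:17:05 - (000389) Too many times wrong password for user "ADMINISTRATOR" - disconnecting
[5] Mon 24Dec07 00:17:10 - (000390) Connected to 203.0.113.7 (Local address 192.168.0.190)
[5] Mon 24Dec07 00:17:12 - (000390) Too many times wrong password for user "ADMINISTRATOR" - disconnecting
"""

def find_bans(log_text, max_failures=3, window=timedelta(minutes=10), ban=timedelta(hours=1)):
    """Return [(ip, ban_start, ban_end)] for IPs that reach max_failures within window."""
    session_ip = {}              # session id -> remote IP (failure lines carry no IP)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    banned_until, bans = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d%b%y %H:%M:%S")
        session, msg = m.group(2), m.group(3)
        conn = CONNECT.match(msg)
        if conn:
            session_ip[session] = conn.group(1)
        elif msg.startswith("Closing connection"):
            session_ip.pop(session, None)      # session ids may be reused later
        elif msg.startswith(FAILURE) and session in session_ip:
            ip = session_ip[session]
            if banned_until.get(ip, ts) > ts:  # ban still active, nothing new to record
                continue
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:          # drop failures older than the window
                q.popleft()
            if len(q) >= max_failures:
                banned_until[ip] = ts + ban
                bans.append((ip, ts, ts + ban))
                q.clear()
    return bans
```

Counting per IP rather than per username matters here because the attempts in the thread target a username that does not exist on the server.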

