Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Bombarded wtih Login Attempts after Setting Up FTP Server

Posted on 2007-03-31
6
Medium Priority
?
687 Views
Last Modified: 2013-12-04
I recently set  up an ftp on my Windows SMB 2003. I have it set up to use a login before you can gain access. This username only has rights to the ftp and nothing else on the server. I've been bombarded with erroneous attempts to login to my server since then. Is this expected or something I should worry about? Is there a better way to configure my FTP? Thanks in advanced.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      537
Date:            3/31/2007
Time:            10:57:20 AM
User:            NT AUTHORITY\SYSTEM
Computer:      FRYE
Description:
Logon Failure:
       Reason:            An error occurred during logon
       User Name:      
       Domain:            
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      -
       Status code:      0xC000006D
       Substatus code:      0xC0000133
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.0.103
       Source Port:      1282

and...
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            3/29/2007
Time:            8:29:00 AM
User:            NT AUTHORITY\SYSTEM
Computer:      FRYE
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      admin
       Domain:            FRYECOMPANIES
       Logon Type:      8
       Logon Process:      IIS    
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      FRYE
       Caller User Name:      FRYE$
       Caller Domain:      FRYECOMPANIES
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1560
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


0
Comment
Question by:fisher123
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 96

Accepted Solution

by:
Lee W, MVP earned 1000 total points
ID: 18829005
This is absolutely to be expected - there are scripts out there people use to find open FTP ports and then to try to login to them using common user names and passwords.  When successful, they tend to be used as storage places for illegally distributed software, pornography, and other things less then nice people like to download.

If you want to be safe, don't use FTP - or turn the service off when you're done using it.  Otherwise, this is just going to keep happening unless you setup some sort of IPSEC policy between your server and specific clients.

in general, this is one reason I recommend setting up VPNs.  Have users log in to the VPN which puts them on the lan and then use FTP (no ports for FTP would be open and thus you don't have this problem).
0
 

Author Comment

by:fisher123
ID: 18829040
Thanks for the help. I doubt they will gain access. The only thing they can do is what you said. They wouldn't be able to access the server in anyway?
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 18829056
Depends on your firewall... once they have a username and password combination, they can do whatever that user could do.  So if that user has admin access to the system, then they can do whatever they want - not necessarily through FTP, but now with that user name and password, they can access the system with remote desktop.  

And I don't know that I'd be that willing to chance that someone sticks child porn on my server - that wouldn't look too good for me or my company.
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

 

Author Comment

by:fisher123
ID: 18829077
Well is that inherent with Remote Desktop also? If they tried various logins through that its the same principle.
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 18829091
Remote Desktop is not NEARLY as scriptable as FTP.  I wouldn't know where to begin to write a script for RDP... But FTP is EASY.  (A programmer could do an RDP thing, but any old script kiddie can do an FTP thing).

Every port you have open to the internet is a port where someone could hack/attach you.  FTP is widely known as an insecure service - the data it transmits is not encrypted at all so if someone is sniffing your line, they can easily get your password.  RDP is encrypted (not necessarily the best encryption, but it IS encrypted) so merely sniffing the line will not show a hacker your user name/password.

Setting up a VPN is really the best route if you need an FTP server that allows write access.  Read only access isn't too bad... just make sure the FTP and NTFS permissions don't permit write.  And NEVER log in with an account that has any privileges on the system.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 18829167
I would start with an unusual port

Take e.g. 62310 - this should reduce blind port scans drastically.

See http://support.microsoft.com/kb/q163285/ as reference.

Tolomir
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you don't have the right permissions set for your WordPress location in IIS, you won't be able to perform automatic updates. Here's how to fix the problem.
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
Suggested Courses

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question