fisher123
asked on
Bombarded with Login Attempts after Setting Up FTP Server
I recently set up an FTP on my Windows SMB 2003. I have it set up to use a login before you can gain access. This username only has rights to the FTP and nothing else on the server. I've been bombarded with erroneous attempts to log in to my server since then. Is this expected or something I should worry about? Is there a better way to configure my FTP? Thanks in advance.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 3/31/2007
Time: 10:57:20 AM
User: NT AUTHORITY\SYSTEM
Computer: FRYE
Description:
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0xC0000133
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.0.103
Source Port: 1282
and...
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 3/29/2007
Time: 8:29:00 AM
User: NT AUTHORITY\SYSTEM
Computer: FRYE
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: admin
Domain: FRYECOMPANIES
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: FRYE
Caller User Name: FRYE$
Caller Domain: FRYECOMPANIES
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1560
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
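As an added example (not part of the original thread), this Python triage reads events in the text layout quoted in the question and separates Event ID 529 cleartext logon failures (Logon Type 8 through IIS) from the Event ID 537 Kerberos failure, whose substatus 0xC0000133 is the NTSTATUS code for a clock difference with the domain controller rather than a password guess. The sample records, function names and the threshold of 3 are assumptions made for the example.

```python
from collections import Counter

# 0xC0000133 is the standard NTSTATUS value STATUS_TIME_DIFFERENCE_AT_DC.
SUBSTATUS = {"0xC0000133": "clock skew with domain controller"}

def parse_events(text):
    """Split a text export of the Security log into one dict per record."""
    events = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.strip() == "Event Type":  # every record starts with this field
            events.append({})
        if events:
            events[-1][key.strip()] = value.strip()
    return events

def classify(ev):
    """Separate password guesses from unrelated logon failures."""
    if ev.get("Event ID") == "529" and ev.get("Logon Type") == "8":
        return "cleartext-guess"  # type 8 = NetworkCleartext, as in the IIS event
    if ev.get("Event ID") == "537":
        return "not-a-guess: " + SUBSTATUS.get(ev.get("Substatus code"), "other logon error")
    return "other"

def summarize(text, threshold=3):
    """Count guesses per user name; flag names tried at least `threshold` times."""
    guesses = Counter(ev.get("User Name", "") for ev in parse_events(text)
                      if classify(ev) == "cleartext-guess")
    return guesses, sorted(u for u, n in guesses.items() if n >= threshold)

def make_record(eid, user, ltype, proc, extra=""):
    """Build one constructed record in the layout quoted in the question."""
    return (f"Event Type: Failure Audit\nEvent ID: {eid}\nTime: 8:29:00 AM\n"
            f"User Name: {user}\nLogon Type: {ltype}\nLogon Process: {proc}\n{extra}")

# Constructed sample data, not real log entries.
SAMPLE = "".join([
    make_record("529", "admin", "8", "IIS"),
    make_record("529", "admin", "8", "IIS"),
    make_record("529", "admin", "8", "IIS"),
    make_record("529", "guest", "8", "IIS"),
    make_record("537", "", "3", "Kerberos",
                "Substatus code: 0xC0000133\nSource Network Address: 192.168.0.103\n"),
])

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE)
    print(dict(counts), flagged)
```

Run against a real export, the per-name counts show which account names are being guessed, and the 537 records from internal addresses can be followed up separately as a time-sync issue.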
Depends on your firewall... once they have a username and password combination, they can do whatever that user could do. So if that user has admin access to the system, then they can do whatever they want - not necessarily through FTP, but now with that user name and password, they can access the system with remote desktop.
And I don't know that I'd be that willing to chance that someone sticks child porn on my server - that wouldn't look too good for me or my company.
ASKER
Well, is that inherent with Remote Desktop also? If they tried various logins through that, it's the same principle.
Remote Desktop is not NEARLY as scriptable as FTP. I wouldn't know where to begin to write a script for RDP... But FTP is EASY. (A programmer could do an RDP thing, but any old script kiddie can do an FTP thing).
Every port you have open to the internet is a port where someone could hack/attack you. FTP is widely known as an insecure service - the data it transmits is not encrypted at all so if someone is sniffing your line, they can easily get your password. RDP is encrypted (not necessarily the best encryption, but it IS encrypted) so merely sniffing the line will not show a hacker your user name/password.
Setting up a VPN is really the best route if you need an FTP server that allows write access. Read only access isn't too bad... just make sure the FTP and NTFS permissions don't permit write. And NEVER log in with an account that has any privileges on the system.
I would start with an unusual port.
Take e.g. 62310 - this should reduce blind port scans drastically.
See http://support.microsoft.com/kb/q163285/ as reference.
Tolomir