
Prevent Brute Force

Looking for something for an SBS 2008 running IIS with FTP to help prevent brute force attempts. Both IIS/FTP and the server itself are getting an outrageous amount of attempts on them.

I'm not sure what I can do about the server itself to help prevent brute force, but I think I might just use FileZilla, which has a built-in ban for so many failed attempts. At any rate, any advice would be really helpful.
0
Asked by: easyworks
1 Solution
 
pritamdutt Commented:
My first question would be: have you exposed the Public IP Addresses directly on the IIS with FTP server?
If yes, it is a bad strategy, but you can start with installing an effective HIDS (Host Intrusion Detection System) tool.

If not, you could implement certain preventive measures on your network firewall such as NIDS, Threat Detection, blocking of IP addresses with too many failed attempts, etc.
0
 
easyworks (Author) Commented:
What do you mean by "exposed the Public IP Addresses directly on the IIS with FTP server"?
0
 
pritamdutt Commented:
Public IP Pool directly assigned on the server...
0
easyworks (Author) Commented:
No, the public IP pool is not directly assigned on the server, only the private from DHCP.
0
 
lords1979 Commented:
If these attacks are coming from the same address, set firewall rules to drop packets from those addresses.
0
 
easyworks (Author) Commented:
After a couple of hours it fluctuates; the IP address changes.
0
 
pritamdutt Commented:
In case you have a Private IP Address on the FTP Server, the traffic surely must be filtering through a network firewall.

I am not sure what firewall has been set up in your environment, but let me share that the common countermeasures for blocking brute force attacks include banning the login account being attacked or banning the source IP address. But that does not help in the long run.

It is important to note that brute force attacks are mostly done using automated tools, so we can configure our firewall for IP addresses which are creating too many new connections to our server: define a threshold and drop further packets.

It is strongly advised to implement such a filtering solution at the firewall level, but in case you don't have one with the requisite capabilities you can look at the following options:

1. Build an application that runs through each of the FTP sites, checks for bad password entries in the logs for the day, and counts them up; if the number of attempts from an IP address exceeds a given number, it adds that IP address to the denied addresses for all the FTP sites. Attached is code for one such program (Source Credits): blockftpips.cs

2. Use a commercial product such as FTP Blocker

But I would still recommend a firewall-level solution.
I am also sharing a link with information on how to block brute force traffic using iptables. Maybe your network guy can help you.

Hope this helps!

Regards,
0
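The log-counting approach from option 1 in the answer above, sketched as an added example (this is not blockftpips.cs and not code from the thread). It assumes the FTP log is in W3C extended format with a `#Fields:` header and that a bad password shows up as a `PASS` command answered with FTP status 530; the function names, threshold and sample rows are constructed for illustration, and applying the resulting deny list is left to the FTP server or firewall in use.

```python
from collections import Counter

def failed_logins_by_ip(lines):
    """Count failed FTP logins (PASS answered with 530) per client IP."""
    fields, counts = [], Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column order can differ between servers, so read it from the log.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed row: skip rather than guess
        row = dict(zip(fields, values))
        ip = row.get("c-ip")
        # Some servers prefix the command with a session id, e.g. "[12]PASS".
        is_pass = row.get("cs-method", "").upper().endswith("PASS")
        if ip and is_pass and row.get("sc-status") == "530":
            counts[ip] += 1
    return counts

def ips_to_block(lines, threshold=5, allowlist=()):
    """Return IPs whose failed-login count exceeds the threshold.

    The allowlist keeps known internal or admin addresses out of the deny list.
    """
    counts = failed_logins_by_ip(lines)
    return sorted(ip for ip, n in counts.items()
                  if n > threshold and ip not in allowlist)

# Constructed sample rows (documentation and private address ranges, not real traffic).
def _row(sec, ip, method, arg, status):
    return f"2012-03-01 02:10:{sec:02d} {ip} - {method} {arg} {status}"

SAMPLE_LOG = ["#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status"]
SAMPLE_LOG += [_row(i, "203.0.113.7", "PASS", "***", 530) for i in range(6)]
SAMPLE_LOG += [_row(i, "198.51.100.20", "[12]PASS", "***", 530) for i in range(2)]
SAMPLE_LOG += [_row(9, "198.51.100.20", "[12]PASS", "***", 230)]   # later success
SAMPLE_LOG += [_row(i, "192.168.16.5", "PASS", "***", 530) for i in range(7)]
SAMPLE_LOG += ["2012-03-01 02:11:00 203.0.113.7 -"]                # truncated row

if __name__ == "__main__":
    for ip in ips_to_block(SAMPLE_LOG, threshold=5, allowlist={"192.168.16.5"}):
        print("deny", ip)
```

Because the poster reports that the source address changes every couple of hours, a per-day count like this catches each address only after it has crossed the threshold, which is why the answer still prefers rate limiting at the firewall.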
 
easyworks (Author) Commented:
Thank you for your help.

As far as blockftpips.cs, is all I have to do create a scheduled task to run it? I don't have to modify the script any?
0