Registered Member #56
Joined: Thu Feb 09 2006, 05:02AM
Location: Southern California, USA
Posts: 2445
Ok guys, I run a small ftp server out of my ubuntu (soon to be fedora if it makes a difference) box. You know, for sharing pics and storing data and whatnot.
In any case, now that I switched over to Time Warner Cable (with my old company, Champion, the modem would drop off their network for hours at a time, and they refused to fix it) I am getting attacked by script kiddies of far east origin. (I <3 whois).
If I open up the port, within a day I will get someone going through a dictionary attack for an account called Administrator (which I of course do not have). I am inclined to let it go, but I worry that if I get enough of them attacking me my modem will start to have trouble... It is pretty flaky as it is (drops out for ~10 seconds at a time, ~10 times a day)...
So my question is, what should I do? I think the normal method is to only allow like 5 attempts a day from any given IP... But my ftp software (pure-ftpd with pure-admin for monitoring) doesn't support that...
If anyone is curious, the most recent person attacking me is 221.136.78.17, if you want more I can give you about 10 of them.
I would rather not switch ftp software (I really like this one), but...
Geometrically Frustrated Registered Member #6
Joined: Thu Feb 02 2006, 04:18AM
Location: Bowdoin, Maine
Posts: 373
A quick and dirty solution would be to run the ftp service on a non-standard port. That's not terribly difficult to get around, but it might help. If you don't have a registered domain name (and you have a dynamic ip), you could try renewing your dhcp lease to get a new IP. Some well thought out iptables rules on your router or nat box would be ideal.
Registered Member #56
Joined: Thu Feb 09 2006, 05:02AM
Location: Southern California, USA
Posts: 2445
I tried a different port, still within a few hours they found it. I suppose I could try something very obscure, but I think now that they know I am here they will find it.
I would try blocking IPs, but there are just so many... Each one doesn't last more than a day or so.
Any suggestions on how to get a new IP are welcome... I am on a dynamic IP, but I don't have any control over it. Rebooting the modem doesn't change it, not sure what else will. When I called tech support over the whole packet loss thing, they put me on hold for 30 minutes and then hung up.
Registered Member #65
Joined: Thu Feb 09 2006, 06:43AM
Location:
Posts: 1155
Well, often it is just some user that downloaded a free screen-saver with some extra features. Most hostile activity is generally a worm trying to install more proxies, Spam mailers, and zombies.
The FTP attack is a rather sophisticated attempt to break the smart FTP module in most older NAT systems. It is a known issue that was patched several years ago, but is still scanned by security audit tools. I recommend avoiding it and things like lpd too (see port knock.)
Tips:
1.) Less is more: Only install the services you absolutely need.
2.) CDROM drive based firewall/servers are inherently secure.
3.) Mandatory Access Control schemes (in Redhat) are good. Backups are better.
4.) Port knock utilities keep your server in lockdown until you want access.
5.) SSH is good for some things, but PuTTY + Filezilla = SFTP is even better.
6.) Ident is off and port is stealthed (also ping, telnet, ssh, http, https, 8080, pop3, mail).
7.) Packet cookies help prevent runts but hog system resources.
8.) Auto-Ban lists with a threat detection firewall.
9.) Abandon the IP address for a few hours until you get a different one.
10.) Timed login – Only during certain daily windows can the user login.
11.) Ban remote administration level accounts.
12.) Add component verification firewall like Zonealarm to your clients.
13.) Add IP Address ban list, and domain ban lists.
14.) VPN + TightVNC Java client.
15.) Keep server stuff and user stuff on physically separate machines.
Registered Member #30
Joined: Fri Feb 03 2006, 10:52AM
Location: Glasgow, Scotland
Posts: 6706
Ya, try switching from ordinary FTP to SFTP. I don't think the script kiddies have any scripts to hax that yet. (I don't know if they ever will, seeing as it's encrypted.)
Geometrically Frustrated Registered Member #6
Joined: Thu Feb 02 2006, 04:18AM
Location: Bowdoin, Maine
Posts: 373
sftp still uses a username and password, so they can try to brute force it all they want. I remember kal watching as a bunch of noobs tried for days to brute force his ssh host. sftp just makes sure your transactions are safe by sending everything encrypted.
As for your IP situation, you have what is known as a "sticky" IP. It's dynamic, but it's linked to your modem's MAC address and seems only to change when it's convenient for the cable company.
Port knocking isn't a bad idea, but if you're trying to share with your friends, you don't want to have to explain it to all of them. On the other hand, if this is just for your own convenience, there are many better solutions to your problem.
Carbon Rod's #8 (Auto-Ban lists with a threat detection firewall) is probably your best bet.
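An added example, not posted by anyone in the thread, of the auto-ban approach suggested above in the form the original poster asked for (block a source after 5 failed logins in a day): it parses pure-ftpd authentication-failure lines from syslog and renders the iptables drop rules an operator would apply. The log line format and the sample lines are assumed/constructed; 221.136.78.17 is the address quoted earlier in the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of syslog lines as pure-ftpd writes them on a failed login
# (assumed format: "(user@ip) [WARNING] Authentication failed for user [name]").
# 221.136.78.17 is the address quoted in the thread; 192.0.2.44 is a made-up legitimate user.
SAMPLE_LOG = """\
Mar 10 03:14:01 box pure-ftpd: (?@221.136.78.17) [WARNING] Authentication failed for user [Administrator]
Mar 10 03:14:03 box pure-ftpd: (?@221.136.78.17) [WARNING] Authentication failed for user [Administrator]
Mar 10 03:14:05 box pure-ftpd: (?@221.136.78.17) [WARNING] Authentication failed for user [admin]
Mar 10 03:14:07 box pure-ftpd: (?@221.136.78.17) [WARNING] Authentication failed for user [root]
Mar 10 03:14:09 box pure-ftpd: (?@221.136.78.17) [WARNING] Authentication failed for user [test]
Mar 10 09:30:12 box pure-ftpd: (?@192.0.2.44) [WARNING] Authentication failed for user [bob]
Mar 10 09:30:40 box pure-ftpd: (?@192.0.2.44) [INFO] bob is now logged in
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: \([^@\s]*@(?P<ip>[\d.]+)\) "
    r"\[WARNING\] Authentication failed for user \[(?P<user>[^\]]*)\]"
)

def parse_failures(text, year=2006):
    """Yield (timestamp, source ip, attempted user) for each failed-login line.
    Syslog omits the year, so the caller supplies it."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def offenders(text, max_failures=5, window=timedelta(days=1)):
    """Return {ip: time it crossed the threshold} for sources with at least
    max_failures failed logins inside a sliding window (the 5-per-day rule)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}
    for ts, ip, _user in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= max_failures and ip not in banned:
            banned[ip] = ts
    return banned

def ban_commands(banned, port=21):
    """Render the iptables rules an operator would apply for each offender (not executed here)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(banned)]
```

Run periodically over the tail of the syslog (or from a log-watching daemon) and apply the rendered rules; the legitimate user with one typo in the sample stays unbanned.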
Registered Member #56
Joined: Thu Feb 09 2006, 05:02AM
Location: Southern California, USA
Posts: 2445
That was what I was thinking. Do you guys know of anything that is somewhat reasonably easy to set up?
BTW, as it is, the only port that is not stealthed is ftp; ping is stealthed, everything is, at my hardware router. I know it has some random port open (b/c it is a Vonage VoIP + router) but I could care less if someone got into that.
I used to have ssh open so that I could remote login with ssh and/or freenx, but now that I know they are after me I decided that that wasn't such a good idea (there are a few user accounts with weak passwords).
SFTP is out of the question as I need to be able to get in from school (so all I have is explorer's built in client).
The attack being done on me is just a dictionary attack on me, as noted in the thread title and first post.
Registered Member #233
Joined: Wed Feb 22 2006, 09:06AM
Location: Dortmund, Germany
Posts: 7
Well, I really know this problem since I am a university server admin. I have several solutions for you:
1. Look into something called port knocking. You will have to send a pre-defined ICMP sequence to your server and it will open up the FTP only to your IP afterwards.
2. You could put your FTP server into a VLAN and install a key exchange server on your FTP machine. That is the way I do it. I have to identify to a server first to login to our VLAN and that way I get an additional network interface. This is a tunnel interface and I have an encrypted connection to the FTP server.
3. SFTP is a very good idea as well. Don't do it with password and username, just use certificates that you carry on a USB stick or whatnot.
Hope that helped. If you need any further assistance I am happy to help.
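An added example, not posted by anyone in the thread, of the port-knocking idea raised in tip 4 earlier and in point 1 of this post: the sequence-tracking logic a knock daemon runs over observed connection attempts before opening the FTP port to one source. The knock ports, timeouts and IP addresses are assumed values, and the daemon is a constructed illustration rather than any particular tool.

```python
from collections import namedtuple

# Constructed illustration of the decision logic inside a port-knock daemon (not knockd or
# any particular tool). A Knock is what the daemon would read from the firewall log or a
# packet capture: (seconds, source IP, destination port of a SYN to a closed port).
Knock = namedtuple("Knock", "t src port")

class KnockTracker:
    """Tracks each source's progress through the knock sequence. A source that hits the
    ports in order, with at most step_timeout seconds between knocks, is granted access to
    service_port for grant_seconds. A wrong port resets that source, so a scanner sweeping
    ports in order never matches unless the sequence itself is ascending and adjacent."""

    def __init__(self, sequence, service_port=21, step_timeout=10, grant_seconds=60):
        self.sequence = tuple(sequence)
        self.service_port = service_port
        self.step_timeout = step_timeout
        self.grant_seconds = grant_seconds
        self.progress = {}   # src -> (index of next expected port, time of last good knock)
        self.granted = {}    # src -> time at which the opening expires

    def observe(self, knock):
        """Feed one knock; returns True if it completed the sequence for that source."""
        idx, last = self.progress.get(knock.src, (0, knock.t))
        if idx and knock.t - last > self.step_timeout:
            idx = 0                                   # too slow: start over
        if knock.port == self.sequence[idx]:
            idx += 1
        else:                                         # wrong port: reset, but a correct
            idx = 1 if knock.port == self.sequence[0] else 0   # first knock still counts
        if idx == len(self.sequence):
            self.granted[knock.src] = knock.t + self.grant_seconds
            self.progress.pop(knock.src, None)
            return True
        self.progress[knock.src] = (idx, knock.t)
        return False

    def allowed(self, src, now):
        """Whether the firewall should currently accept src on the service port."""
        return self.granted.get(src, -1) > now

    def firewall_rule(self, src):
        """Rule the daemon would insert on success (rendered, not executed)."""
        return f"iptables -I INPUT -s {src} -p tcp --dport {self.service_port} -j ACCEPT"
```

Note that a knock sequence only hides the service from scanners; the FTP credentials still matter once the port is open to a source.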