FTP Server Security

Pegun

Golden Member
Jan 18, 2004
I recently set up an FTP server at home to share my pictures and a few of my troubleshooting programs and programming files while I'm at work/with a client/etc. I was looking at the log when I got home and someone was using a program that used every name possible, 4 per second, with some sort of default password. I changed the option to kick and ban after 3 attempts, but is there anything else I should do or worry about? There were two IPs used within the past two days and I have banned each of them using the first 2 IP sections (215, 37.*.*). I'm using Bulletproof FTP.

Many Thanks.
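The "kick and ban after 3 attempts" rule from the post above, written out as log-analysis logic so the pattern in the log can be checked rather than eyeballed. This is an added example, not code from the thread or from Bulletproof FTP; the log layout below is a constructed generic one, not Bulletproof's real format, and the parse function would need its regex adapted. The distinct-username count is what tells a name-guessing tool (a different name every attempt, several per second) apart from one client mistyping a password.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a generic "date time ip USER name FAIL|OK" layout.
# It is not BulletProof FTP's real log format; adapt LINE_RE to your server's.
SAMPLE_LOG = """\
2008-03-02 18:05:01 198.51.100.7 USER admin FAIL
2008-03-02 18:05:01 198.51.100.7 USER administrator FAIL
2008-03-02 18:05:01 198.51.100.7 USER root FAIL
2008-03-02 18:05:02 198.51.100.7 USER guest FAIL
2008-03-02 18:07:30 203.0.113.44 USER pegun FAIL
2008-03-02 18:07:45 203.0.113.44 USER pegun OK
2008-03-02 19:00:00 192.0.2.9 USER backup FAIL
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) USER (\S+) (FAIL|OK)$")

def parse_log(text):
    """Yield (timestamp, ip, username, failed) for each line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4) == "FAIL"

def find_bruteforce(events, max_failures=3, window=timedelta(seconds=60)):
    """Flag IPs with >= max_failures failed logins inside one window; distinct_users separates a guessing tool from a mistyping user."""
    fails = defaultdict(list)
    for ts, ip, user, failed in events:
        if failed:
            fails[ip].append((ts, user))
    flagged = {}
    for ip, attempts in fails.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window start forward
                start += 1
            if end - start + 1 >= max_failures:  # third failure inside the window: ban
                flagged[ip] = {
                    "failures": len(times),
                    "distinct_users": len({u for _, u in attempts}),
                    "peak_per_second": Counter(times).most_common(1)[0][1],
                }
                break
    return flagged
```

Running `find_bruteforce(parse_log(SAMPLE_LOG))` flags only 198.51.100.7; the single mistyped login from 203.0.113.44 stays under the threshold.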
 

jlazzaro

Golden Member
May 6, 2004
DoD trying to hack your FTP? lol...

With port 21 open, brute force attacks are inevitable. You could allow only known ranges (doesn't sound feasible for you with clients, etc.), or block common country ranges like China, etc.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
If it's persisting, collect a few IP numbers and look up who they belong to.

If it is coming from the same ISP you can try to complain to them.

Otherwise accept that this is the nature of life in the fast lane, since there is nothing you can do about it besides strong security and a Big Smile.
 

jhu

Lifer
Oct 10, 1999
I used to get that, but on my home HTTP server. It was amusing watching the logs logging the attempts at using Windows IIS exploits on my Linux machine with Apache. hehe. On the other hand, I wonder if those same attempts would have failed with a Windows server running Apache?
 

RebateMonger

Elite Member
Dec 24, 2005
As long as you are hosting servers, you'll constantly see attacks. Use long passwords (I typically set them at 25+ characters), keep your OS and applications fully patched, and don't use software with known exploits, and you'll resist the everyday attacks.
 

kamper

Diamond Member
Mar 18, 2003
Originally posted by: RebateMonger
Use long passwords (I typically set them at 25+ characters)
That's admirable but I doubt it's feasible to brute force even a decent 10 character password over the internet. I'm not saying don't do it but, for instance, if you were only able to remember ~25 characters worth of password and had two accounts to protect, you'd probably be wiser to pick two totally different 12 character passwords so that if one gets nailed for other reasons (sniffing or whatever), the other is still safe. If you can memorize lots of 25 character passwords, that's pretty awesome :p

@OP, I'd probably have chosen HTTP for this task, as long as you don't need to upload stuff. It's simpler in general, especially if you want to add SSL to the equation (although that's all it really buys you).
 

spikespiegal

Golden Member
Oct 10, 2005
(Where's Spidey - he'd know)

Can't unwanted FTP connections be tar-pitted like SMTP connections?
 

RadiclDreamer

Diamond Member
Aug 8, 2004
I've used BPFTP in the past, running a few FTP servers for a few years. As long as you have it set to block after a few attempts you are fine, because then it just blacklists that IP and they can't even try anymore.
 

RebateMonger

Elite Member
Dec 24, 2005
Originally posted by: kamper
Originally posted by: RebateMonger
Use long passwords (I typically set them at 25+ characters)
If you can memorize lots of 25 character passwords, that's pretty awesome :p
Passphrases FTW. It's not hard to remember or type 25-character passphrases. I'd use them all the time, but there are way too many sites that don't allow non-alphanumeric or long passwords.
Originally posted by: kamper
@OP, I'd probably have chosen http for this task, as long as you don't need to upload stuff.
Yeah. I only use FTP if the client insists on it.
 

skreet

Senior member
Sep 7, 2004
Originally posted by: kamper
Originally posted by: RebateMonger
Use long passwords (I typically set them at 25+ characters)
That's admirable but I doubt it's feasible to brute force even a decent 10 character password over the internet. I'm not saying don't do it but, for instance, if you were only able to remember ~25 characters worth of password and had two accounts to protect, you'd probably be wiser to pick two totally different 12 character passwords so that if one gets nailed for other reasons (sniffing or whatever), the other is still safe. If you can memorize lots of 25 character passwords, that's pretty awesome :p

@OP, I'd probably have chosen HTTP for this task, as long as you don't need to upload stuff. It's simpler in general, especially if you want to add SSL to the equation (although that's all it really buys you).

I'd recommend the OP use SCP/SFTP. It's as simple as enabling OpenSSH and there are clients for all OSes. Best of all, it's SSL secured. :D
 

heymrdj

Diamond Member
May 28, 2007
Another good way to help is to use non-standard ports. Get SSH and FTP off 22 and 21 respectively and make some good random port numbers, especially if it's just you using it.
 

shrumpage

Golden Member
Mar 1, 2004
Originally posted by: RebateMonger
Originally posted by: kamper
Originally posted by: RebateMonger
Use long passwords (I typically set them at 25+ characters)
If you can memorize lots of 25 character passwords, that's pretty awesome :p
Passphrases FTW. It's not hard to remember or type 25-character passphrases. I'd use them all the time, but there are way too many sites that don't allow non-alphanumeric or long passwords.
Originally posted by: kamper
@OP, I'd probably have chosen http for this task, as long as you don't need to upload stuff.
Yeah. I only use FTP if the client insists on it.

Do this:

Come up with a standard word or phrase password something like thisismypass

When you go to type it in, shift your hands up one row on the keyboard: 5y8wj60qww

Need a special character? Just make sure you have a capital in your original phrase. You have to fight the urge to move your hands back down while you type, but it does give you a password that is easy to remember but hard to crack.

 

kamper

Diamond Member
Mar 18, 2003
Originally posted by: skreet
I'd recommend the OP use SCP/SFTP. It's as simple as enabling OpenSSH and there are clients for all OSes. Best of all, it's SSL secured. :D
That's what I'd usually suggest, but I've been admonished for being paranoid in threads like these so I don't bother anymore :confused:

There's also the question of clients though, if you're borrowing a customer machine to do the download. Every Windows machine comes with FTP and HTTP clients, but you might have to get permission to install WinSCP or pscp. I still can't figure out why MS doesn't spend the 5 minutes it would take to put an SCP/SFTP/SSH client in the base system.