Mantorp's Journal: my ftp server is under attack

Ever since I set up an ftp server the other day, attempts to connect to it are coming in from all over. So now that I have their IP addresses, what's the best way to figure out where they're coming from? Not interested in vigilantism, I'm just curious.
  • On Linux you can use dig. A basic query for what domain belongs to what IP would be:

    dig -x 1.2.3.4

    On just about any platform you can use nslookup. You'll have to check the help for how to do reverse lookups; it's been a while since I used it.

    Finally there are online services that will do pretty much the same thing for you. One of my favorites is DNS Stuff [dnsstuff.com]. Besides the reverse lookup you are asking about they can tell you a lot about DNS in general, including checking for errors on DNS Servers, checking DNS
    • by Mantorp ( 142371 ) *
      Thanks, that DNS site is great. So far today two of the IPs trying to connect are from Germany and one from Belgium. I know the WHOIS stuff comes from their registrar, but what's the reverse DNS really telling me?
      • Well ideally it tells you the host name of the machine that is connecting, but in reality it tells you what the entity who owns that block of IP addresses considers the host name. For example I call my home machine "jake" but the name I get if I do a reverse lookup on my IP is something like "h-XXX-XXX-XXX-XXX.phlapafg.covad.net" where the X's are my actual IP address.

        I find a lot of times though when I reverse lookup someone who is scanning my ports or randomly trying to connect that there is no publicly
  • Are these just dictionary attacks or port scans? If so, just chill and make sure you're secured :) If you run OpenBSD you can auto-drop packets from sources that try too many attempts right in pf.
    • by Mantorp ( 142371 ) *
      I'd guess dictionary attacks as they try several passwords in quick succession. But it's funny how quickly after I set it up they started happening, only a few hours. I could change the port I suppose or hide it better, but I don't feel I should have to go through the extra 2 minutes of effort ;)
      • by grub ( 11606 )
        Don't be surprised :)
        As I said before, if you're using OpenBSD as a firewall you can set it to automatically block address X.X.X.X after Y attempted connections for Z amount of time.
  • It's been a couple of years since I ran an ftp server from home, but I remember port scans were VERY common. One thing you may want to consider is changing the port to which ftp is bound - move it to something that isn't commonly used, and it's less likely to be scanned. I'm probably just restating something you already know, though.

    Another option, if you're so inclined, would be to drop all packets from IP addresses of common and repeat offenders. If you're more script-capable than I, you could probably

    • by Mantorp ( 142371 ) *
      I'm using the FileZilla server and I turned on the autoban feature. The attempts are trying to log in as administrator and one as microsoft something. I'm just curious as to where they're connecting from.
      • Filezilla is very sweet if you have to run an FTP server for Windows. Love that program. How's the autoban feature working for you?
        • by Mantorp ( 142371 ) *
          The autoban is great, but I wish it would add the offending IPs to a permanent ban list rather than a 999 hour period, and that I could set the number of faulty attempts required for bannification to something less than 5.
      • I see those all the time as well trying to log into our ftp site, administrator and microsoft. Every once in a while I get a proper name, like Jeff, or Bob, which amuses me since most of our ftp scans tend to come from India and one of the two Koreas.
        • by Mantorp ( 142371 ) *
          Ever bother following up on them?
          • Other than just banning the IP with our FTP software, no, we haven't followed any of them up. Our log has not shown any of them actually gaining access so we never went any farther with it. I think we get maybe one attempt to log in every two or three days, so I don't know how that compares to other ftp sites.
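
The rule discussed in the thread (block address X.X.X.X after Y failed attempts for Z amount of time, with a lower threshold and an optional permanent ban), as an added example that is not part of the original thread and is not pf's or FileZilla Server's own code. The log format, the function name `find_bans` and the default thresholds are assumptions made for illustration, and the sample log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format (not FileZilla Server's own):
# "<ISO timestamp> <client IP> <event> user=<name>", oldest line first.
SAMPLE_LOG = """\
2024-01-01T10:00:00 192.0.2.10 LOGIN_FAIL user=administrator
2024-01-01T10:00:02 192.0.2.10 LOGIN_FAIL user=administrator
2024-01-01T10:00:03 198.51.100.7 LOGIN_FAIL user=bob
2024-01-01T10:00:04 192.0.2.10 LOGIN_FAIL user=microsoft
2024-01-01T10:00:05 192.0.2.10 LOGIN_FAIL user=administrator
2024-01-01T10:05:00 198.51.100.7 LOGIN_FAIL user=bob
2024-01-01T10:10:00 198.51.100.7 LOGIN_FAIL user=bob
2024-01-01T10:10:30 203.0.113.5 LOGIN_OK user=mantorp
not a log line
"""

def find_bans(log_text, max_attempts=3, window=timedelta(seconds=60),
              ban_for=timedelta(hours=1)):
    """Return {ip: ban expiry} for IPs with max_attempts failed logins
    inside `window`. ban_for=None means a permanent ban (expiry None)."""
    recent = defaultdict(deque)    # ip -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue               # skip malformed lines
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue               # first field is not a timestamp
        ip, event = parts[1], parts[2]
        if ip in bans and (bans[ip] is None or ts < bans[ip]):
            continue               # ban still active; nothing more to count
        if event != "LOGIN_FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_attempts:
            bans[ip] = None if ban_for is None else ts + ban_for
            q.clear()
    return bans

if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE_LOG).items():
        print(ip, "banned until", until or "permanent")
```

The sliding window is what separates a burst of guesses from a user who mistypes a password a few times over an afternoon; widening `window` trades fewer missed slow guessers for more accidental bans.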