
I think someone is trying to hack my FTP server


Soapy.Illusions

Well, I turned an old PC into an HTTP and FTP server just for fun and so I could get files anywhere in the world... So I am no server genius (very far from it). Anyway, I logged into it remotely today and saw that FileZilla had thousands upon thousands of login attempts.

The guy was trying to log in as Administrator (but I could not see what passwords he was attempting).

My theory is he has a program running that looks for random ftp:// sites, then he brute-forces them trying to log in as Admin, to then tunnel traffic (again, a complete guess).

Anyway, am I right at all or completely crazy, and how could I stop him?

Btw the IP address leads to somewhere in Romania...


You will generally find with any sort of server you open up to the Internet (FTP or web) that you get a lot of random access attempts from around the world. You are right in saying these are usually automated scripts or bots doing this. The best thing to do is make sure that the server is fully up to date with the latest patches and that your passwords for it are strong. (The most ideal solution would be to have that FTP server behind a firewall and VPN in to get to it, or something similar, but we can't always have perfect solutions for every situation.)

One thing to do, if these login attempts are all coming from the same IP range, is to block that range on whatever firewall you are using. But like I said, you will notice a lot of this kind of thing if your server is accessible on the Internet. One thing you could try to limit the attempts is to change the default port the FTP service listens on. No doubt this is still on port 21. If you change it to something high and random you will get fewer hits.


Make sure to use an FTP server that can do secure FTP, or even go with something like SSH for SCP. Like the above post says, any ports found open on your network make you a target. Best to use a VPN if possible. Also make sure your FileZilla server is updated to the latest patched version. You don't want someone breaking in due to a flaw in the server itself, but even then, brute forcing may still allow them into your machine if they have enough attempts and time on their hands.

The best thing is to block their IP at the firewall if possible. If not, try getting a new IP address from your ISP by powering off your modem for a few minutes, and if possible, change the MAC address on the router itself, which will force a new DHCP request with your ISP (this will also require powering the modem off/on after changing the router's MAC address).

A lot of the time, these attempts from Russia and China are not live people, and more or less automated sweeps by scripts and rogue software, so if you are running any kind of services from home, get used to the fact that you will see this sort of thing on a regular basis.

One thing you can try, for paranoia reasons as well, is to run Ace Password Sniffer and just let it stay up all the time when you are away. A fellow classmate had someone break into his machine once, and he managed to catch the attacker's own user and password for where he was storing the stuff he was stealing, so the attacker gave himself away by uploading directly to his own network. Needless to say, my friend got in and deleted all his stuff off the guy's server.


The point of Secure FTP is to encrypt the communication, it won't stop random login attempts.

There are bots that just sit scanning ports of common services looking for potential 'victims', then try the most common usernames and passwords. Many services are vulnerable to this type of attack (including some VPN services). Provided that your username is not 'administrator' or 'user', they will have a hard time first guessing your username (something that is considered not hidden). Then they have to figure out what the password is, if they do know what your username is. The best defence against this type of brute force attack is to have the IP address get blacklisted after 5 (or so) invalid login attempts, thus dramatically increasing an attacker's attack time. Alternatively, you can run the service on a non-standard port, which will reduce its exposure; however, I would consider this security through obscurity, and anyone who was explicitly targeting you would find it. You generally don't have anything to worry about provided you have a non-default username and a good password... unless your FTP service is vulnerable*.

* If you run a service and it is vulnerable, either through a bug in the software or misconfiguration, a good password probably won't save you. The best defence against vulnerable software is to keep it up to date and keep an eye out for vulnerabilities related to it. The best defence against misconfiguration is to know exactly what the configuration should be.

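The "blacklist after 5 (or so) invalid attempts" advice above is essentially what fail2ban-style tools do: read the service log, count failed logins per source address inside a sliding time window, and hand any address that crosses the threshold to the firewall. The script below is an added example written for this thread, not code from FileZilla or from any poster. The log lines are constructed to resemble the FileZilla Server log layout (session id, timestamp, user, client address, then the FTP command or reply), but that layout is an assumption and should be checked against a real log before reuse; the addresses are from the documentation ranges (203.0.113.0/24 and 198.51.100.0/24). It only reports the offenders; wiring the result into a firewall rule is left to the reader because that step depends on the firewall in use.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a FileZilla-Server-like layout (assumed format, not a real capture).
# Session 17 from 203.0.113.7 hammers "Administrator" and then "admin"; session 18 is a
# legitimate user who mistypes their password once and then logs in.
SAMPLE_LOG = """\
(000017)11/04/2009 04:12:33 - (not logged in) (203.0.113.7)> USER Administrator
(000017)11/04/2009 04:12:34 - (not logged in) (203.0.113.7)> PASS ****
(000017)11/04/2009 04:12:34 - (not logged in) (203.0.113.7)> 530 Login or password incorrect!
(000017)11/04/2009 04:12:39 - (not logged in) (203.0.113.7)> USER Administrator
(000017)11/04/2009 04:12:40 - (not logged in) (203.0.113.7)> 530 Login or password incorrect!
(000017)11/04/2009 04:12:45 - (not logged in) (203.0.113.7)> USER Administrator
(000017)11/04/2009 04:12:46 - (not logged in) (203.0.113.7)> 530 Login or password incorrect!
(000017)11/04/2009 04:12:51 - (not logged in) (203.0.113.7)> USER Administrator
(000017)11/04/2009 04:12:52 - (not logged in) (203.0.113.7)> 530 Login or password incorrect!
(000017)11/04/2009 04:12:57 - (not logged in) (203.0.113.7)> USER Administrator
(000017)11/04/2009 04:12:58 - (not logged in) (203.0.113.7)> 530 Login or password incorrect!
(000018)11/04/2009 04:13:01 - (not logged in) (198.51.100.4)> USER soapy
(000018)11/04/2009 04:13:02 - (not logged in) (198.51.100.4)> 530 Login or password incorrect!
(000017)11/04/2009 04:13:03 - (not logged in) (203.0.113.7)> USER admin
(000017)11/04/2009 04:13:04 - (not logged in) (203.0.113.7)> 530 Login or password incorrect!
(000018)11/04/2009 04:13:10 - (not logged in) (198.51.100.4)> USER soapy
(000018)11/04/2009 04:13:11 - soapy (198.51.100.4)> 230 Logged on
"""

# (session)timestamp - <user or "(not logged in)"> (client ip)> <command or reply>
LINE_RE = re.compile(
    r"^\((\d+)\)(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - (.+?) \(([\d.]+)\)> (.*)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the assumed layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    session, ts, user, ip, msg = m.groups()
    return {
        "session": session,
        "time": datetime.strptime(ts, "%m/%d/%Y %H:%M:%S"),
        "user": user,
        "ip": ip,
        "msg": msg,
    }


def failed_logins(lines):
    """Yield (time, ip, username) for every 530 reply, pairing it with the USER sent on that session."""
    last_user = {}  # session id -> last username offered
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msg"].startswith("USER "):
            last_user[rec["session"]] = rec["msg"][5:].strip()
        elif rec["msg"].startswith("530"):
            yield rec["time"], rec["ip"], last_user.get(rec["session"], "?")


def find_offenders(lines, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window counter: return {ip: time_of_threshold_crossing} for addresses that
    accumulate `threshold` failures within `window`.  Old failures drop out of the window,
    so a user who fumbles a password a few times a day is never blocked."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    blocked = {}
    for when, ip, _user in failed_logins(lines):
        if ip in blocked:
            continue  # already flagged; later failures are irrelevant
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = when
    return blocked


def usernames_tried(lines):
    """Which usernames each source address offered before a 530; shows what the bot is guessing."""
    tried = defaultdict(set)
    for _when, ip, user in failed_logins(lines):
        tried[ip].add(user)
    return {ip: sorted(users) for ip, users in tried.items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, when in find_offenders(lines).items():
        print(f"block {ip}: {5} failures by {when}, usernames tried: {usernames_tried(lines)[ip]}")
```

The threshold and window are the two knobs worth thinking about: a short window with a low threshold catches the fast scripted runs the original poster saw, while a long window is what catches a bot that deliberately spaces its guesses out. Keep the block list keyed on the address (or address range) rather than on the username, since the bot will cycle usernames long before it runs out of passwords.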

The point of Secure FTP is to encrypt the communication, it won't stop random login attempts.

I totally agree, but it might also mitigate the client who would otherwise be using standard FTP, and if it only accepts SFTP, they won't be able to authenticate. I would even avoid FTP for something like VPN in, or set up SSH and SCP. One other reason for the secure FTP, though, is that if he is somewhere that someone is sniffing the line when he tries to access his home FTP server, FTP itself sends all the info in the clear, i.e. plain text. ;)

Having it use SFTP would be at least one more level of protection, even if it won't stop a brute force. Brute-forcing into any service, encrypted or not, is always an option for attack vectors. Whether they get in or not just depends on your network's level of defense (or offense) and whether you are detecting the attempts and then blocking them after a number of invalid tries.


One thing you can try, for paranoia reasons as well, is to run Ace Password Sniffer and just let it stay up all the time when you are away. A fellow classmate had someone break into his machine once, and he managed to catch the attacker's own user and password for where he was storing the stuff he was stealing, so the attacker gave himself away by uploading directly to his own network. Needless to say, my friend got in and deleted all his stuff off the guy's server.

I laughed pretty hard at the above; gotta love man-made karma. =D

+1 For all the advice above.

I don't mean to hijack the OP's topic, but I have a question of my own that is somewhat related. I have an Ubuntu 9.04 server and was curious about access log files and what have you. I recall reading somewhere that you can view previously entered commands and such for users and administrators on a *nix box and was wondering how you do that.

I recently gave a fellow classmate a VPN account and virtual appliance for study. I trust her having access to it, but there is always that question of her computer getting something nasty that keylogs the PC. So suggestions on managing/monitoring this would be greatly appreciated.

Also my bandwidth is a little sucky (40 GB) and I am not sure what the newly implemented server is gonna suck down; any ideas as to how to keep track of this on an ESXi VM box with Ubuntu 9.04? In the event it is breaking my cap I at least wanna know how much came from this one machine so I have an idea of what I should up my download limit to when I change plans.


Before my ISP blocked incoming connections on port 80 (shame on you, PTD), I would randomly get people trying to access MySQL folders on my web server. This would happen at like 4am. I would just block the IP address on my router and be done with it. As people have already said, just make sure to use a strong password and limit the number of allowed login attempts. Oh, and ensure anonymous logins are disabled!


I don't mean to hijack the OP's topic, but I have a question of my own that is somewhat related. I have an Ubuntu 9.04 server and was curious about access log files and what have you. I recall reading somewhere that you can view previously entered commands and such for users and administrators on a *nix box and was wondering how you do that.

There is a file that saves all your bash commands, in something like ".bash_history" or something like that, but you can also edit the file, deleting your tracks. I think there is even an option for how much is saved in it, because eventually it starts to overwrite itself, if I'm not mistaken.


Ah cool, thanks for that digip, I will have to put it to the all-knowing Google. I swear I love Google; it's much like a woman, with the one difference that it does actually know everything =P

<.<

>.>

Hope my missus ain't stalking me online. I may be short one testicle.
