filezilla ftp server

7 replies to this topic

#1 AndyD

AndyD

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 02-November 01
  • Location: NYC

Posted 05 October 2012 - 22:35

are on my server? I just noticed the same IP that I'm not familiar with accessing different accounts. Is it really that easy to get user accounts from the app?


#2 +Medfordite

Medfordite

    Neowinian Senior

  • Tech Issues Solved: 2
  • Joined: 16-March 06
  • Location: Medford Oregon
  • OS: Win 8.1 Pro
  • Phone: Samsung Galaxy Axiom

Posted 06 October 2012 - 06:05

As far as I know you have to build the accounts and then give access.

#3 moloko

moloko

    Neowinian Senior

  • Joined: 28-December 02

Posted 06 October 2012 - 07:08

Yeah, you have to be able to give them accounts, unless you mean an anonymous sign-in account... make sure you do not have those. Your server should be able to see everyone that signed on.

#4 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 86
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 06 October 2012 - 12:18

Yeah, it's fairly simple to try admin, root, testuser, billy, bobby, nobody, etc. etc. They just run through the list trying random passwords as well.

Any ftp server you put on the net is going to see this noise.

What was this top secret username they found? - ftpuser? ;)

#5 n_K

n_K

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 06 October 2012 - 12:22

For some reason the last half of my lastb log has no usernames or passwords :s but here's part of it to compare with:
aachu ssh:notty 122.55.83.138 Mon Aug 6 17:34 - 17:34 (00:00)
sales ssh:notty 211.155.233.147 Sun Aug 5 16:29 - 16:29 (00:00)
staff ssh:notty 211.155.233.147 Sun Aug 5 16:29 - 16:29 (00:00)
root ssh:notty 213.229.93.218 Sun Aug 5 13:31 - 13:31 (00:00)
root ssh:notty 184.105.154.38 Sun Aug 5 09:44 - 09:44 (00:00)
aaron ssh:notty 211.144.158.130 Fri Aug 3 14:20 - 14:20 (00:00)
root ssh:notty 31.222.158.83 Fri Aug 3 10:12 - 10:12 (00:00)
uucps ssh:notty 176.10.238.79 Thu Aug 2 07:34 - 07:34 (00:00)
root ssh:notty 86.140.51.159 Wed Aug 1 08:29 - 08:29 (00:00)
root ssh:notty 115.144.181.19 Wed Aug 1 01:37 - 01:37 (00:00)
root ssh:notty 203.162.163.160 Tue Jul 31 03:13 - 03:13 (00:00)
root ssh:notty 195.22.8.226 Tue Jul 31 02:45 - 02:45 (00:00)
root ssh:notty 119.254.88.100 Mon Jul 30 20:49 - 20:49 (00:00)
dpnroot ssh:notty 210.14.64.88 Mon Jul 30 14:34 - 14:34 (00:00)
root ssh:notty 210.14.64.88 Mon Jul 30 14:34 - 14:34 (00:00)
root ssh:notty 66.135.61.57 Sun Jul 29 11:52 - 11:52 (00:00)
root ssh:notty 210.14.64.68 Sun Jul 29 07:42 - 07:42 (00:00)
root ssh:notty 94.23.72.122 Sun Jul 29 00:40 - 00:40 (00:00)
root ssh:notty 213.206.86.210 Sat Jul 28 12:06 - 12:06 (00:00)
bin ssh:notty 213.206.86.210 Sat Jul 28 12:06 - 12:06 (00:00)

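The `lastb` listing above is the raw material for the "which IP is trying which accounts" question the original poster asked. As an added example (not code from the thread or from any of the posters), the following Python script parses lines in exactly that `lastb` format, aggregates failed logins per source IP, and flags sources that cycled through more than one username, which is the signature of a wordlist run rather than a mistyped login. The sample input is the listing quoted in the post, embedded as a constant; the `min_users` threshold is an assumption.

```python
"""Aggregate failed-login records in `lastb` format by source IP.

Added example, not the thread's code. Input is the lastb output quoted
in the post above, embedded here as a constructed string. Each line is:
user  tty  host  Day Mon D HH:MM - HH:MM (dur)
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# The lastb lines quoted in the post (constructed copy of the listing).
SAMPLE = """\
aachu ssh:notty 122.55.83.138 Mon Aug 6 17:34 - 17:34 (00:00)
sales ssh:notty 211.155.233.147 Sun Aug 5 16:29 - 16:29 (00:00)
staff ssh:notty 211.155.233.147 Sun Aug 5 16:29 - 16:29 (00:00)
root ssh:notty 213.229.93.218 Sun Aug 5 13:31 - 13:31 (00:00)
root ssh:notty 184.105.154.38 Sun Aug 5 09:44 - 09:44 (00:00)
aaron ssh:notty 211.144.158.130 Fri Aug 3 14:20 - 14:20 (00:00)
root ssh:notty 31.222.158.83 Fri Aug 3 10:12 - 10:12 (00:00)
uucps ssh:notty 176.10.238.79 Thu Aug 2 07:34 - 07:34 (00:00)
root ssh:notty 86.140.51.159 Wed Aug 1 08:29 - 08:29 (00:00)
root ssh:notty 115.144.181.19 Wed Aug 1 01:37 - 01:37 (00:00)
root ssh:notty 203.162.163.160 Tue Jul 31 03:13 - 03:13 (00:00)
root ssh:notty 195.22.8.226 Tue Jul 31 02:45 - 02:45 (00:00)
root ssh:notty 119.254.88.100 Mon Jul 30 20:49 - 20:49 (00:00)
dpnroot ssh:notty 210.14.64.88 Mon Jul 30 14:34 - 14:34 (00:00)
root ssh:notty 210.14.64.88 Mon Jul 30 14:34 - 14:34 (00:00)
root ssh:notty 66.135.61.57 Sun Jul 29 11:52 - 11:52 (00:00)
root ssh:notty 210.14.64.68 Sun Jul 29 07:42 - 07:42 (00:00)
root ssh:notty 94.23.72.122 Sun Jul 29 00:40 - 00:40 (00:00)
root ssh:notty 213.206.86.210 Sat Jul 28 12:06 - 12:06 (00:00)
bin ssh:notty 213.206.86.210 Sat Jul 28 12:06 - 12:06 (00:00)
"""

# user, tty, host, then "Day Mon D HH:MM"; \s+ tolerates lastb's column padding.
LASTB_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<when>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2})"
)


@dataclass
class SourceStats:
    attempts: int = 0
    users: set = field(default_factory=set)
    first_seen: str = ""   # oldest record for this host
    last_seen: str = ""    # newest record for this host


def parse_lastb(text):
    """Return (user, host, when) for each parsable lastb line, in file order."""
    records = []
    for line in text.splitlines():
        m = LASTB_RE.match(line.strip())
        if m:
            records.append((m["user"], m["host"], m["when"]))
    return records


def summarize(text):
    """Per-source-IP statistics: attempt count, usernames tried, time span."""
    stats = defaultdict(SourceStats)
    for user, host, when in parse_lastb(text):
        s = stats[host]
        s.attempts += 1
        s.users.add(user)
        # lastb prints newest first, so the first line seen is the latest.
        if not s.last_seen:
            s.last_seen = when
        s.first_seen = when
    return dict(stats)


def spraying_sources(stats, min_users=2):
    """IPs that tried at least `min_users` distinct usernames (assumed threshold)."""
    return sorted(h for h, s in stats.items() if len(s.users) >= min_users)


def username_counts(text):
    """How often each username was tried across all sources."""
    counts = defaultdict(int)
    for user, _, _ in parse_lastb(text):
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for host, s in sorted(stats.items(), key=lambda kv: -kv[1].attempts):
        print(f"{host:16} {s.attempts:3} attempts  users={sorted(s.users)}")
    print("username enumeration from:", spraying_sources(stats))
    print("most tried usernames:", username_counts(SAMPLE))
```

On this listing the script reports `root` as the username behind 13 of the 20 records, and three sources (`210.14.64.88`, `211.155.233.147`, `213.206.86.210`) that tried two different usernames within the same minute, which is the "run through the list" behaviour described in the thread.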
#6 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 86
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 06 October 2012 - 12:33

What? See plenty of usernames there - sales, staff, root.

Where did you pull those logs? Yeah, they can go on for hundreds if not thousands of attempts from the same IP. Which is why you normally don't allow username/password auth on something you want to secure - unless you're going to lock it down to source IP.

My SSH server is locked to public-key auth only. And sshguard kills them after 4 attempts anyway to keep the logs cleaner.

Oct  1 00:15:43 ubuntu sshguard[1219]: Blocking 200.141.223.78:4 for >630secs: 40 danger in 4 attacks over 4 seconds (all: 40d in 1 abuses over 4s).
Oct  2 05:16:21 ubuntu sshguard[1219]: Blocking 211.155.229.103:4 for >630secs: 40 danger in 4 attacks over 1167 seconds (all: 40d in 1 abuses over 1167s).
Oct  2 10:37:04 ubuntu sshguard[1219]: Blocking 98.126.49.26:4 for >630secs: 40 danger in 4 attacks over 2 seconds (all: 40d in 1 abuses over 2s).
Oct  2 12:04:59 ubuntu sshguard[1219]: Blocking 211.144.158.130:4 for >630secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s).
Oct  3 03:14:46 ubuntu sshguard[1219]: Blocking 187.5.66.12:4 for >630secs: 40 danger in 4 attacks over 39 seconds (all: 40d in 1 abuses over 39s).
Oct  3 15:34:39 ubuntu sshguard[1219]: Blocking 194.65.138.9:4 for >630secs: 40 danger in 4 attacks over 186 seconds (all: 40d in 1 abuses over 186s).
Oct  4 07:08:48 ubuntu sshguard[1219]: Blocking 210.118.169.5:4 for >630secs: 40 danger in 4 attacks over 26 seconds (all: 40d in 1 abuses over 26s).
Oct  4 08:24:41 ubuntu sshguard[1219]: Blocking 189.26.255.11:4 for >630secs: 40 danger in 4 attacks over 1 seconds (all: 40d in 1 abuses over 1s).
Oct  4 08:58:46 ubuntu sshguard[1219]: Blocking 91.205.189.15:4 for >630secs: 40 danger in 4 attacks over 5 seconds (all: 40d in 1 abuses over 5s).
Oct  4 10:00:21 ubuntu sshguard[1219]: Blocking 201.83.151.207:4 for >630secs: 40 danger in 4 attacks over 171 seconds (all: 40d in 1 abuses over 171s).


#7 n_K

n_K

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 06 October 2012 - 12:50

My server :p
I've got sshguard on, but it isn't actually active because the traffic's redirected to SNORT instead, and I still haven't worked out how to reinject certain SNORT packets back into iptables to sshguard :/ Although SNORT does seem to block access for about 20 minutes if more than 2 connections in that time happen; again, not really sure why it does that, but I'm fine with it doing that haha.

#8 OP AndyD

AndyD

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 02-November 01
  • Location: NYC

Posted 09 October 2012 - 02:13

BudMan, I'm probably just going to lock it down by IP. I don't really see another way of handling it, since I do want to use usernames/passwords.
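Two controls come up in this thread: BudMan's sshguard log shows a block-after-4-failures policy (each entry reads "40 danger in 4 attacks", blocked for ">630secs"), and the original poster's plan is to keep username/password logins but restrict them to known source IPs. As an added example that is neither sshguard's nor FileZilla Server's code, the following Python class models both gates in one place so the interaction is visible: a connection is admitted only if its address is inside an allowlist, and an address that fails too often within a window is temporarily banned even if it is allowlisted (a leaked password from an allowed network still gets slowed down). The window length, the addresses, and the event sequence are assumptions constructed for the demo; the 4-failure threshold and 630-second ban length are taken from the quoted sshguard lines.

```python
"""Source-IP allowlist combined with sshguard-style temporary banning.

Added example; not the thread's code and not the implementation of
sshguard or FileZilla Server. Thresholds mirror the quoted sshguard log
(4 failures -> ban for 630 s); the 3600 s failure window, the allowlist
and the event sequence are assumptions constructed for this demo.
"""
from collections import defaultdict, deque
import ipaddress


class AuthGate:
    def __init__(self, allowlist, max_failures=4, window=3600, ban_seconds=630):
        # strict=False lets an operator write a host address with a prefix.
        self.allowed = [ipaddress.ip_network(n, strict=False) for n in allowlist]
        self.max_failures = max_failures
        self.window = window
        self.ban_seconds = ban_seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._banned_until = {}              # ip -> epoch second the ban expires

    def allowed_source(self, ip):
        """True if `ip` falls inside any allowlisted network (v4 or v6)."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowed)

    def is_banned(self, ip, now):
        """True while a ban is active; expired bans are forgotten lazily."""
        expiry = self._banned_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self._banned_until[ip]
            return False
        return True

    def admit(self, ip, now):
        """Decide before offering a login prompt: allowlist first, then bans."""
        if not self.allowed_source(ip):
            return "reject:not-allowlisted"
        if self.is_banned(ip, now):
            return "reject:banned"
        return "accept"

    def record_failure(self, ip, now):
        """Note one failed login. Returns True if this failure triggers a ban."""
        q = self._failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # slide the window forward
            q.popleft()
        if len(q) >= self.max_failures:
            self._banned_until[ip] = now + self.ban_seconds
            q.clear()                            # start counting afresh after the ban
            return True
        return False


def simulate(events, allowlist):
    """Run (t, ip, login_ok) events through a gate; return (t, ip, decision) list."""
    gate = AuthGate(allowlist)
    decisions = []
    for t, ip, ok in events:
        decision = gate.admit(ip, t)
        if decision == "accept" and not ok:
            banned_now = gate.record_failure(ip, t)
            decision = "accept:failed:banned" if banned_now else "accept:failed"
        decisions.append((t, ip, decision))
    return decisions


# Constructed demo traffic (RFC 5737 documentation addresses, not real hosts).
ALLOWLIST = ["203.0.113.0/24"]
EVENTS = [
    (0,   "198.51.100.7", False),  # outside the allowlist: never sees a prompt
    (1,   "203.0.113.5",  False),  # allowlisted host, wrong password x4
    (2,   "203.0.113.5",  False),
    (3,   "203.0.113.5",  False),
    (4,   "203.0.113.5",  False),  # 4th failure inside the window -> ban
    (5,   "203.0.113.5",  True),   # right password, but banned until t=634
    (634, "203.0.113.5",  True),   # ban expired: admitted again
]

if __name__ == "__main__":
    for t, ip, decision in simulate(EVENTS, ALLOWLIST):
        print(f"t={t:4} {ip:14} {decision}")
```

The ordering matters: the allowlist check runs before any failure is recorded, so hosts outside it never consume ban state or log noise, and the ban is applied to allowlisted hosts too, so a compromised workstation inside the allowed range cannot guess freely. Note that the trusted-source control is only as strong as the network path; it does nothing against an attacker who already sits on an allowed address.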