Portal Home > Knowledgebase > Articles Database > IIS FTP Brute Force Attack How To Prevent At Network Level
IIS FTP Brute Force Attack How To Prevent At Network Level
| Posted by JustinK101, 01-21-2008, 09:57 PM |
| I am getting a few hundred IIS 6.0 FTP login attempts a second on my windows 2003 x64 server.
We have a Sonicwall TZ180, a full IPS and Firewall in front of the server but I cannot determine a way to block these attacks. I simply have port 25 open to all ip addresses, as I do not know a range of valid ips.
Is there any way to prevent these attacks at the firewall/hardware level? I suspect not, because the firewall doesnt know if a login attempt is valid or not.
I have enabled IPS on the firewall but doesnt appear to be stopping these attacks. Is there any way to automatically ban ips that hit port 25 X number of times in a second?
|
| Posted by Symsys, 01-22-2008, 12:02 AM |
| One thing you can do is limit the number of concurrent connections in IIS itself, that should in itself reduce the number of attacks at least. As for the sonic wall my personal advice would be get rid of it and buy a better firewall but I just don't like sonicwalls
|
| Posted by boonchuan, 01-22-2008, 12:42 AM |
| Limiting the concurrent connections in the IIS itself can lead to legitimate ftp users being unable to connect, I think the cure is worse than the problem.
|
| Posted by Symsys, 01-22-2008, 01:23 AM |
| That is true, but it depends how many FTP users he actually expects to connect to the server at any one time.
Any more than 50 connections at any one time to the server is a) going to slow the server RIGHT down especially in the 2003 server environment (Unless it's an UBER SERVER or part of a cluster, which I doubt it is), and b) is going to bring the available bandwidth right down as well.
In most circumstances, unless you actually expect your server to be a slave to the world of FTP and run like a dog, limiting the number of concurrent connections is a perfectly reasonable method of controlling your server, and is infact a recognised and widely used method of load balancing. Also if he doesn't expect more than 50 people to connect to the server at any one time it's a very quick and easy way of fixing his problem.
IMHO of course.
|
| Posted by JustinK101, 01-22-2008, 02:35 PM |
| Ok, setting the max number of concurrent connections in IIS doesnt prevent the bandwidth from entering the server though and causing excess load.
You would think there a way to do this at the firewall/hardware level? Like automatically detect a particular IP has tried connection on port 25 XX times in the last minute, block that IP for X hours.
Something like that.
|
| Posted by Symsys, 01-22-2008, 02:38 PM |
| With a decent firewall there would be, limiting the number of concurrent connections would dramatically reduce the load, unfortunately without a decent firewall there isn't much else can be done.
|
| Posted by leninsoft, 07-16-2008, 02:23 AM |
| Check out the link below to check out a detailed resolution:
leninssoft.net/blog/?p=8
Leninsoft
|
Add to Favourites 
Print this Article
Also Read
