Defending Brute-Force Attacks against FTP Server
Friday, October 24th, 2008
Attempts at Bruce-Force Logins
You might have seen it before, tons and tons of login attempts as random users in your installation of BPFTP Server.
This is the result of a brute-force attack against the FTP Server and results in thousands of login-attempts to the ftp-server using common user-name and either default or dictionary based passwords.
The attacker is usually using several computers, from different points in the world against thousands and thousands of computers on the internet. Once a common tcp/ip port (like ftp’s port 21) is identified, it enters a mode of attack in which a connection is made to the ftp-server and the brute-force attack begins.
Kick+BAN Setting under Options
In order to combat these types of attacks, we’ve included a feature call Kick + BAN. Turning on this feature (off by default) will automatically detect these types of attacks and help to thrawt the attack by severing the control-connection and adding the attacker’s IP to the banned-ip-list, keeping them from ever connecting again.
The setting can be found by pulling down the menu Setup -> Main -> General and clicking on Options found in the left panel, then look for the checkbox labeled Limit USER / PASS.
We recommend setting the number of attempts to 5 and set the Kick + BAN.
Please Note: The Kick + BAN feature works against common brute-force attacks, where the attacker opens the control-connection and leaves it open for each login attempt made. This is a common method as the amount of time it takes to establish a tcp/ip connection for each attempt is considerably lengthy and would drastically reduce the effectiveness of a brute-force attack if a new connection needed to be made each time.