Blocking FTP Access By IP

osrk

I run a personal FTP server for myself for group projects on a computer that I maintain on a University connection.

I got curious and started looking at the log file, and this IP from a European country is attempting to brute-force the administrator account. I disabled the administrator account though through the Windows user policy and even set a password for it.

But the person is still trying to brute-force. I was wondering if there was a way to block their IP so they could not connect to brute-force the machine through Windows.

Thanks!
 
To add another question: What firewall are you using?
 
Windows XP Pro SP3, Microsoft IIS FTP, and Windows Firewall.
 
I would suggest you use a hardware firewall to protect the server. It is not a good idea to have a computer like that just hanging out on the internets. Once you have a decent firewall in place you can set up ACLs to deny access from specific IPs or IP ranges.
 
It's behind a university hardware firewall that keeps out all the worms and viruses. They also have packet inspection to detect worms and viruses.

The issue is that the machine is secure, but I would like to block certain IPs that are maliciously trying to brute-force it. The log file is up to 20 meg of text now.

I'm open to using different software too.
 
You can restrict the IPs that can access it through IIS on the FTP server's properties.
 
If it is behind the university's firewall, then ask the IT person responsible for managing it to block that IP address from accessing the FTP server. A simple ACL can take care of that.
 
As said, if you can look under the IIS FTP properties, you can control all things there.

How many people use the FTP? If anything, only allow access from the IPs that need it.

What data is kept on it? If it is important enough, talk to the IT department.
 
I'm not seeing anything under FTP properties for being able to block IPs.

Nothing really too important on it. Also, I would like to figure this out so if it happens again I can block it and I don't have to bother IT.
 
Go to your FTP Site, right click -> Properties. It's the far right tab, "Directory Security", and you can set it to deny all except from certain IPs or accept all except certain IPs.
 
Use Protowall and Blocklist Manager.
Protowall runs in the background and blocks all protocols for the IPs it blocks, using an IP list generated by Blocklist Manager.
Use Blocklist Manager to add new IPs.
Protowall can also show you the IPs as they are blocked.

You can also use BLM to download lists of the bad places on the internet and block those too.
I have used them both for years and they are excellent tools.
Vista support is limited to Vista32 and the IP reporting doesn't work.

Download
http://www.bluetack.co.uk/forums/index.php?act=dscriptca
Note: You don't need to download the blocklists (if you wish to use them); BLM does that for you when configured.
 
I thought universities have open information policies. I imagine they only block the most basic traffic, and wouldn't expect them to protect every machine.
 
I was going to say add a route for that IP address to your loopback, but Windows won't let you do that.

i.e. route ADD -p [offensive ip address] MASK 255.255.255.255 127.0.0.1

But it won't work under Windows.. :(
 
They do scanning for viruses and worms and monitor traffic behavior. There's a lot of tendencies about the firewall and security I haven't uncovered. Though I'm not solely relying on them. I still keep my machines up to date and use antivirus along with Windows Firewall.

I.e., if my machine starts scanning multiple IP ranges very quickly, they axe my connection. They also have packet inspection hardware for p2p and block all p2p traffic by default.

Go to your FTP Site said:
I'm not seeing this. I'm using XP Pro SP3, IIS v 5.11. I think I'm going to use Protowall if this happens again. The attacks seem to have subsided at about 3:30pm.
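
For the log review described in this thread (a large FTP log full of failed administrator logins), here is an added example that is not part of any post: it tallies failed FTP logins per client IP so the addresses worth denying under "Directory Security" or in a blocklist stand out. It assumes the server writes W3C extended logs with a `#Fields:` header; the function names, threshold, allow-list parameter and sample lines are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample in W3C extended log layout (not taken from the thread).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: time c-ip cs-method cs-uri-stem sc-status
03:10:01 203.0.113.45 [7]USER administrator 331
03:10:02 203.0.113.45 [7]PASS - 530
03:10:03 203.0.113.45 [8]USER administrator 331
03:10:04 203.0.113.45 [8]PASS - 530
03:10:05 203.0.113.45 [9]USER administrator 331
03:10:06 203.0.113.45 [9]PASS - 530
09:15:00 198.51.100.7 [10]USER projectuser 331
09:15:01 198.51.100.7 [10]PASS - 530
09:15:09 198.51.100.7 [11]USER projectuser 331
09:15:10 198.51.100.7 [11]PASS - 230
"""

def failed_logins(lines):
    """Count FTP PASS commands answered with 530 (login failed) per client IP."""
    fields, counts = [], Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        method = row.get("cs-method", "").split("]")[-1].upper()  # drop "[session]"
        if method == "PASS" and row.get("sc-status") == "530":
            try:
                counts[str(ipaddress.ip_address(row.get("c-ip", "")))] += 1
            except ValueError:
                continue                    # malformed address column; skip the row
    return counts

def block_candidates(lines, threshold=3, allow=()):
    """IPs with at least `threshold` failures, minus allow-listed addresses."""
    allowed = {str(ipaddress.ip_address(a)) for a in allow}
    hits = failed_logins(lines)
    return sorted((ip for ip, n in hits.items() if n >= threshold and ip not in allowed),
                  key=lambda ip: -hits[ip])

if __name__ == "__main__":
    for ip in block_candidates(SAMPLE_LOG.splitlines(), allow=["198.51.100.7"]):
        print(ip)
```

The allow-list keeps a legitimate user who mistyped a password out of the deny list, which matters when the threshold is set low.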
 