Getting brute forced

UnlnvlslblE (Limp Gawd, joined Jan 24, 2006, 272 messages)
Well my internet connection was acting funny today. I was lagging out on my games and didn't know what it was. So, I turned off all my open ports and everything worked fine. I got into digging through my server logs and it turns out my FTP server was being brute forced. Is there any way to report this activity to the person's ISP that was doing it? I remember seeing a way to retrieve the info based on an IP address but I just don't remember how right now.

After I report that, I'd like to know if anyone knows of a good and secure free FTP server that I can tweak based on the following things:
blocking IPs permanently
blocking IPs based on the number of failed attempts

Also, is there any way to secure the rest of my system like this? I have one computer I use to forward ports to (not a DMZ) sitting behind a Linksys WRT54GS. I think it's pretty secure, but I honestly am second-guessing myself after this attack.

Anyways, if anyone can help me out, the offending IPs are:
65.95.107.159
219.136.187.231

I've kept all the log files in case they need to be forwarded to the ISPs.

I'd also like to ask another question while I'm at it. I've tried out nmap to see what ports my server has open as well as a couple others. The ports come up as being "open", "closed" or "filtered". All my ports are just open. Is there any difference between these distinctions? Can I change my ports to some other classification while still allowing people access to them? Is there any way to block nmap scans to my IP or to hide the ports totally?

Thanks for any help! I'm really new to locking things down like this. :p
 
Some genius has been trying to brute force accounts through SSH on my personal server. It's random IPs tried on the root account and random named accounts. Too bad you can't SSH as root :rolleyes:. All of the other accounts the person is trying to brute force don't exist.

I wouldn't worry about it. Brute forcing across the internet is time consuming and practically never works. The only thing I ever look for are undocumented remote exploits. MITM (man in the middle) attacks are also terribly difficult to do. So is line sniffing.
 
I'm gonna tell ya right now, it's doubtful the ISP will do anything. If you're using Linux, you might look at fail2ban; it can add the IPs of brute-forcing systems to a block list for you.
 
I seem to be a magnet for attacks/attempts: at peak, 1 per minute; at quieter times (now) they're spaced out to one every 1-15 minutes.

Banning the IP can, duh, be gotten around with a proxy, but brute forcing is still time-consuming, it's well known how to block it, and it barely works anymore.

Kids these days, wanting to think they are cool trying to h4x0r people.
 
My favorite is to set up iptables to just drop connections. It takes longer (the client has to time out) and has the added benefit of not revealing the presence of the computer.

You could be especially nasty and set up a tarpit:
http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-TARPIT

"Adds a TARPIT target to iptables, which captures and holds incoming TCP
connections using no local per-connection resources. Connections are
accepted, but immediately switched to the persist state (0 byte window), in
which the remote side stops sending data and asks to continue every 60-240
seconds. Attempts to close the connection are ignored, forcing the remote
side to time out the connection in 12-24 minutes."

Do this, along with putting SSH/FTP on a non-standard port, and you should never have another problem with brute force attacks. Say you are using port 16000; it will take them 4-10 months to get there going sequentially.
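The two suggestions above (fail2ban-style banning after N failed attempts, and dropping the offender's packets with iptables rather than rejecting them) can be seen working together in the following script. This is an added example, not code from the thread or from fail2ban: it reads OpenSSH "Failed password" lines, counts failures per source IP inside a sliding time window (fail2ban's maxretry/findtime idea), honours an ignore list so you cannot ban yourself, and emits the iptables DROP rules. The log lines are constructed for the example (RFC 5737 documentation addresses), and the year is assumed because syslog timestamps omit it.

```python
import ipaddress
import re
import shlex
import subprocess
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the original post). Format mirrors OpenSSH's
# "Failed password" / "Accepted password" messages as written by syslog.
SAMPLE_LOG = """\
Mar 12 03:14:01 box sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 12 03:14:03 box sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar 12 03:14:04 box sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
Mar 12 03:14:05 box sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 51250 ssh2
Mar 12 03:14:09 box sshd[2109]: Failed password for root from 203.0.113.7 port 51260 ssh2
Mar 12 03:20:00 box sshd[2200]: Failed password for bob from 198.51.100.9 port 40000 ssh2
Mar 12 03:21:00 box sshd[2201]: Accepted password for bob from 198.51.100.9 port 40001 ssh2
Mar 12 09:00:00 box sshd[2300]: Failed password for root from 192.0.2.5 port 2222 ssh2
Mar 12 09:30:00 box sshd[2301]: Failed password for root from 192.0.2.5 port 2223 ssh2
Mar 12 10:00:00 box sshd[2302]: Failed password for root from 192.0.2.5 port 2224 ssh2
Mar 12 10:30:00 box sshd[2303]: Failed password for root from 192.0.2.5 port 2225 ssh2
Mar 12 11:00:00 box sshd[2304]: Failed password for root from 192.0.2.5 port 2226 ssh2
"""

# Anchored at both ends and with a whitespace-free user field, so a crafted
# username such as "x from 10.0.0.1 port 1 ssh2" (log injection) fails to match
# instead of attributing the attempt to an IP the attacker chose.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2$"
)


def find_offenders(log_text, maxretry=5, findtime=timedelta(minutes=10),
                   ignore=(), year=2006):
    """Return {ip: time_of_ban} for sources with >= maxretry failures
    inside any findtime-long window. `ignore` is an iterable of CIDR
    networks that are never banned (fail2ban's ignoreip). The year is an
    assumption because syslog lines carry none."""
    ignore_nets = [ipaddress.ip_network(n) for n in ignore]
    windows = defaultdict(deque)   # ip -> recent failure timestamps
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(3))
        except ValueError:
            continue                # hostname or garbage in the address field
        if any(ip in net for net in ignore_nets):
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        key = str(ip)
        if key in banned:
            continue
        q = windows[key]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()             # forget failures older than the window
        if len(q) >= maxretry:
            banned[key] = ts
    return banned


def ban_commands(banned, chain="INPUT"):
    """iptables lines for the banned sources. DROP rather than REJECT so the
    client has to time out and learns nothing about the host."""
    return [f"iptables -I {chain} -s {ip} -j DROP"
            for ip in sorted(banned, key=ipaddress.ip_address)]


def apply_bans(banned, run=subprocess.run):
    """Execute the rules (needs root). `run` is injectable for dry runs."""
    for cmd in ban_commands(banned):
        run(shlex.split(cmd), check=True)


if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LOG, ignore=["192.168.1.0/24"])
    for ip, when in offenders.items():
        print(f"ban {ip} (triggered at {when:%H:%M:%S})")
    for cmd in ban_commands(offenders):
        print(cmd)
```

Note what the window buys you: 192.0.2.5 also has five failures, but spread over two hours, so with a ten-minute findtime it is not banned, while 203.0.113.7 trips the threshold in eight seconds. Widen findtime and the slow scanner gets caught too; that is the knob to turn when the attacker throttles to one attempt every few minutes as described earlier in the thread.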
 
Dew said:
My favorite is to set up iptables to just drop connections. It takes longer (the client has to time out) and has the added benefit of not revealing the presence of the computer.

You could be especially nasty and set up a tarpit:
http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-TARPIT

"Adds a TARPIT target to iptables, which captures and holds incoming TCP
connections using no local per-connection resources. Connections are
accepted, but immediately switched to the persist state (0 byte window), in
which the remote side stops sending data and asks to continue every 60-240
seconds. Attempts to close the connection are ignored, forcing the remote
side to time out the connection in 12-24 minutes."

Do this, along with putting SSH/FTP on a non-standard port, and you should never have another problem with brute force attacks. Say you are using port 16000; it will take them 4-10 months to get there going sequentially.
This almost makes me want to set up a Linux router, or do some hacking on my DD-WRT54g.
 