Brute Force FTP attack

Unanswered Question
Mar 27th, 2007

OK, so I noticed on my server today a host from IP address flooded my server this morning with 4,878 login attempts; in only 1/2 hour!

Are there any good ways to prevent this from my PIX standpoint?

Appliance: PIX 506 5.2(6)

Any help would be much appreciated

BTW: I am brand spanking new to managing PIX appliances...

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
acomiskey Tue, 03/27/2007 - 15:25

Deny the ip address in your access-list. You probably have something similar to below, just add the deny before the permit. Post your existing access-list applied to your outside interface and we can give you the correct statement. Here is the syntax. If you are asking how to stop this while it is occuring, hopefully someone else can chime in on that.

access-list 100 deny tcp host host eq ftp

access-list 100 permit tcp any host eq ftp

access-group 100 in interface outside

srberg5219 Tue, 03/27/2007 - 15:55

I am posting my config as a whole for reference. I have, of course completely changed my IP addresses for security reasons...

I guess I basically understand the DENY access-list, and as most hackers are on dynamic IPs, I wasn't sure if there was a different way to config my PIX to help deal with these types of attacks...

PIX Version 5.2(6)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname itfw1

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060


access-list out permit ip any any

access-list in permit tcp any host eq smtp

access-list in permit tcp any host eq pop3

access-list in permit tcp any host eq 443

access-list in permit tcp any host eq ftp

access-list in permit tcp any host eq www

pager lines 24

logging on

logging timestamp

no logging standby

no logging console

no logging monitor

logging buffered alerts

no logging trap

no logging history

logging facility 20

logging queue 512

interface ethernet0 10baset

interface ethernet1 10baset

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip audit info action alarm

ip audit attack action alarm

arp timeout 14400

global (outside) 1 netmask

global (outside) 1 netmask

nat (inside) 1 0 0

static (inside,outside) netmask 0 0

static (inside,outside) netmask 0 0

access-group in in interface outside

access-group out in interface inside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

isakmp identity hostname

telnet inside

telnet timeout 5

ssh timeout 5

terminal width 80

sundar.palaniappan Tue, 03/27/2007 - 16:47

If you have an IDS then it can detect brute force attacks and shun the traffic from the host. Otherwise, use access list as suggested to block the traffic. If the source address keeps changing then block the whole network if it comes from the same network and take up the matter with the people who own the IP range. You can get the owner and other pertinent details of the IP address from the link below.



srberg5219 Tue, 03/27/2007 - 17:00

I just keep mumbling...I love my job...I love my job...I love my job.

Cisco, can we just get one appliance that works across all layers!!!! LOL

Thanks for the feedback everyone!

srberg5219 Tue, 03/27/2007 - 18:22

OK, insstead of blocking all of Central America, I was able to find the IP netblock: netmask of

(IP addresses of:

Should I construct a DENY access-list rule for each IP or is there a better way to construct my DENY rule for the IP addresses above?

acomiskey Tue, 03/27/2007 - 18:37

do the whole block...

access-list in deny tcp host eq ftp

srberg5219 Tue, 03/27/2007 - 18:51

Many thanks for your patience, acomiskey!

So if I want to deny any protocol or any server access to those IPs, I could write...?:

access-list in deny ip any

Is the operator 'host' only for blocking a single IP then?

acomiskey Tue, 03/27/2007 - 19:35

You got it. The keyword "host" is also the same as the host mask

So these are the same thing...

host or

One other thing, above you said deny access "to" those IPs, when in fact this would block access "from" those IPs, I think that's what you meant but wanted to clarify.

mhellman Thu, 03/29/2007 - 07:59

manually creating ACL's to block this is a hopelessly futile effort. You will get another bruteforce from another source, and then another. If you don't have an IDS/IPS implementation that can stop it, use one of the numerous solutions that are generally available for use directly on the host to stop it. Something like fail2ban:

srberg5219 Thu, 03/29/2007 - 08:18

I agree. Up to this point, I have to temporarily run DENY ACLs since our FTP server is Window$ based.

We are seriously looking at changing over to Linux down the road...

-Many thanks for your input!


This Discussion