Brute Force FTP attack

srberg5219
Level 1

OK, so I noticed on my server today a host from IP address 200.69.119.228 flooded my server this morning with 4,878 login attempts; in only 1/2 hour!

Are there any good ways to prevent this from my PIX standpoint?

Appliance: PIX 506 5.2(6)

Any help would be much appreciated

BTW: I am brand spanking new to managing PIX appliances...

12 Replies

acomiskey
Level 10

Deny the IP address in your access-list. You probably have something similar to below, just add the deny before the permit. Post your existing access-list applied to your outside interface and we can give you the correct statement. Here is the syntax. If you are asking how to stop this while it is occurring, hopefully someone else can chime in on that.

access-list 100 deny tcp host 200.69.119.228 host eq ftp

access-list 100 permit tcp any host eq ftp

access-group 100 in interface outside

I am posting my config as a whole for reference. I have, of course, completely changed my IP addresses for security reasons...

I guess I basically understand the DENY access-list, and as most hackers are on dynamic IPs, I wasn't sure if there was a different way to config my PIX to help deal with these types of attacks...

PIX Version 5.2(6)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname itfw1

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

names

access-list out permit ip any any

access-list in permit tcp any host 192.168.250.25 eq smtp

access-list in permit tcp any host 192.168.250.25 eq pop3

access-list in permit tcp any host 192.168.250.25 eq 443

access-list in permit tcp any host 192.168.250.80 eq ftp

access-list in permit tcp any host 192.168.250.80 eq www

pager lines 24

logging on

logging timestamp

no logging standby

no logging console

no logging monitor

logging buffered alerts

no logging trap

no logging history

logging facility 20

logging queue 512

interface ethernet0 10baset

interface ethernet1 10baset

mtu outside 1500

mtu inside 1500

ip address outside 192.168.250.2 255.255.255.0

ip address inside 192.168.5.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

arp timeout 14400

global (outside) 1 192.168.250.4-192.168.250.19 netmask 255.255.255.0

global (outside) 1 192.168.250.3 netmask 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 192.168.250.25 192.168.5.50 netmask 255.255.255.255 0 0

static (inside,outside) 192.168.250.80 192.168.5.20 netmask 255.255.255.255 0 0

access-group in in interface outside

access-group out in interface inside

route outside 0.0.0.0 0.0.0.0 192.168.250.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

isakmp identity hostname

telnet 192.168.5.100 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

terminal width 80

If you have an IDS then it can detect brute force attacks and shun the traffic from the host. Otherwise, use access list as suggested to block the traffic. If the source address keeps changing then block the whole network if it comes from the same network and take up the matter with the people who own the IP range. You can get the owner and other pertinent details of the IP address from the link below.

http://ws.arin.net/whois

HTH

Sundar

I just keep mumbling...I love my job...I love my job...I love my job.

Cisco, can we just get one appliance that works across all layers!!!! LOL

Thanks for the feedback everyone!

OK, instead of blocking all of Central America, I was able to find the IP netblock:

200.69.119.224/29 netmask of 255.255.255.248

(IP addresses of: 200.69.119.224-200.69.119.231)

Should I construct a DENY access-list rule for each IP or is there a better way to construct my DENY rule for the IP addresses above?

do the whole block...

access-list in deny tcp 200.69.119.224 255.255.255.248 host 192.168.250.80 eq ftp

Many thanks for your patience, acomiskey!

So if I want to deny any protocol or any server access to those IPs, I could write...?:

access-list in deny ip 200.69.119.224 255.255.255.248 any

Is the operator 'host' only for blocking a single IP then?

You got it. The keyword "host" is also the same as the host mask 255.255.255.255

So these are the same thing...

host 200.69.119.225 or 200.69.119.225 255.255.255.255

One other thing, above you said deny access "to" those IPs, when in fact this would block access "from" those IPs, I think that's what you meant but wanted to clarify.
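Added example (not part of the thread, and not Cisco code): a small Python model of how the ACL entries quoted above are matched, showing why the deny has to sit before the permit and which sources the 255.255.255.248 mask covers. The parser handles only the `any` / `host A` / `A NETMASK` forms and the `eq` operator seen in this thread; first-match-wins with an implicit deny at the end is the model assumed.

```python
import ipaddress

# Service names as they appear in the thread's config (ftp, www, smtp, pop3).
PORTS = {"ftp": 21, "www": 80, "smtp": 25, "pop3": 110}

# ACL lines quoted from the thread.
DENY = "access-list in deny tcp 200.69.119.224 255.255.255.248 host 192.168.250.80 eq ftp"
PERMIT = "access-list in permit tcp any host 192.168.250.80 eq ftp"

def _addr(tok):
    """Consume one address spec: 'any', 'host A', or 'A NETMASK'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":                      # same as mask 255.255.255.255
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse(line):
    """Parse 'access-list NAME ACTION PROTO SRC DST [eq PORT]' (subset only)."""
    tok = line.split()[2:]
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, tok = _addr(tok)
    dst, tok = _addr(tok)
    port = None
    if tok[:1] == ["eq"]:
        port = PORTS[tok[1]] if tok[1] in PORTS else int(tok[1])
    return action, proto, src, dst, port

def evaluate(acl, proto, src, dst, dport):
    """Return the action of the first matching entry, else the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in map(parse, acl):
        if p in ("ip", proto) and s in snet and d in dnet and port in (None, dport):
            return action
    return "deny"

if __name__ == "__main__":
    ftp = ("tcp", "200.69.119.228", "192.168.250.80", 21)
    print(evaluate([DENY, PERMIT], *ftp))   # deny entry is reached first
    print(evaluate([PERMIT, DENY], *ftp))   # permit matches first; deny never consulted
```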

Things are becoming much clearer...

Many Thanks!

Manually creating ACLs to block this is a hopelessly futile effort. You will get another bruteforce from another source, and then another. If you don't have an IDS/IPS implementation that can stop it, use one of the numerous solutions that are generally available for use directly on the host to stop it. Something like fail2ban:

http://www.fail2ban.org/wiki/index.php/Main_Page
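Added example (not part of the thread, and not fail2ban's code): the kind of host-side check such tools automate, written as a Python sketch that counts failed FTP logins per source in a sliding window and prints deny entries in the syntax used earlier in the thread. The log format, the threshold values and the 192.0.2.10 client are constructed for illustration; the log is assumed to be in chronological order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def find_bruteforce(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return {source_ip: peak failures within one window} for sources over the limit.

    Assumed line format (constructed): 'YYYY-MM-DD HH:MM:SS <client-ip> <command> <reply>'.
    FTP reply 530 (not logged in) to PASS is counted as a failed login.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    peak = defaultdict(int)       # ip -> largest number of failures seen in any window
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[3] != "PASS" or parts[4] != "530":
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        ip = parts[2]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:             # drop failures older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > max_failures}

def deny_lines(offenders, acl="in"):
    """Render one deny entry per offending source, in the thread's ACL syntax."""
    return [f"access-list {acl} deny ip host {ip} any" for ip in sorted(offenders)]

def sample_log():
    """Constructed sample: one flooding source and one user who mistypes twice."""
    base = datetime(2007, 1, 1, 6, 0, 0)      # constructed date
    log = [f"{(base + timedelta(seconds=2 * i)):%Y-%m-%d %H:%M:%S} 200.69.119.228 PASS 530"
           for i in range(20)]
    log += ["2007-01-01 06:05:00 192.0.2.10 PASS 530",
            "2007-01-01 06:05:20 192.0.2.10 PASS 530",
            "2007-01-01 06:05:40 192.0.2.10 PASS 230"]
    return log

if __name__ == "__main__":
    for entry in deny_lines(find_bruteforce(sample_log())):
        print(entry)
```

A generated deny only has an effect if the PIX evaluates it before the permit for the FTP server, as the first reply in the thread points out.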

I agree. Up to this point, I have to temporarily run DENY ACLs since our FTP server is Window$ based.

We are seriously looking at changing over to Linux down the road...

-Many thanks for your input!

An easier way to do this is to shun the IP address.

That way there is no access list processing, and the IP address is stopped dead at the interface.

The command is

shun "ip address"

The upside, easy and it works

Down side

If you re-boot, you need to re-enter the command, it does not write to the config.
