Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Brute Force FTP attack

OK, so I noticed on my server today a host from IP address flooded my server this morning with 4,878 login attempts; in only 1/2 hour!

Are there any good ways to prevent this from my PIX standpoint?

Appliance: PIX 506 5.2(6)

Any help would be much appreciated

BTW: I am brand spanking new to managing PIX appliances...


Re: Brute Force FTP attack

Deny the ip address in your access-list. You probably have something similar to below, just add the deny before the permit. Post your existing access-list applied to your outside interface and we can give you the correct statement. Here is the syntax. If you are asking how to stop this while it is occuring, hopefully someone else can chime in on that.

access-list 100 deny tcp host host eq ftp

access-list 100 permit tcp any host eq ftp

access-group 100 in interface outside

New Member

Re: Brute Force FTP attack

I am posting my config as a whole for reference. I have, of course completely changed my IP addresses for security reasons...

I guess I basically understand the DENY access-list, and as most hackers are on dynamic IPs, I wasn't sure if there was a different way to config my PIX to help deal with these types of attacks...

PIX Version 5.2(6)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname itfw1

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060


access-list out permit ip any any

access-list in permit tcp any host eq smtp

access-list in permit tcp any host eq pop3

access-list in permit tcp any host eq 443

access-list in permit tcp any host eq ftp

access-list in permit tcp any host eq www

pager lines 24

logging on

logging timestamp

no logging standby

no logging console

no logging monitor

logging buffered alerts

no logging trap

no logging history

logging facility 20

logging queue 512

interface ethernet0 10baset

interface ethernet1 10baset

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip audit info action alarm

ip audit attack action alarm

arp timeout 14400

global (outside) 1 netmask

global (outside) 1 netmask

nat (inside) 1 0 0

static (inside,outside) netmask 0 0

static (inside,outside) netmask 0 0

access-group in in interface outside

access-group out in interface inside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

isakmp identity hostname

telnet inside

telnet timeout 5

ssh timeout 5

terminal width 80

Re: Brute Force FTP attack

If you have an IDS then it can detect brute force attacks and shun the traffic from the host. Otherwise, use access list as suggested to block the traffic. If the source address keeps changing then block the whole network if it comes from the same network and take up the matter with the people who own the IP range. You can get the owner and other pertinent details of the IP address from the link below.



New Member

Re: Brute Force FTP attack

I just keep mumbling...I love my job...I love my job...I love my job.

Cisco, can we just get one appliance that works across all layers!!!! LOL

Thanks for the feedback everyone!

New Member

Re: Brute Force FTP attack

OK, insstead of blocking all of Central America, I was able to find the IP netblock: netmask of

(IP addresses of:

Should I construct a DENY access-list rule for each IP or is there a better way to construct my DENY rule for the IP addresses above?


Re: Brute Force FTP attack

do the whole block...

access-list in deny tcp host eq ftp

New Member

Re: Brute Force FTP attack

Many thanks for your patience, acomiskey!

So if I want to deny any protocol or any server access to those IPs, I could write...?:

access-list in deny ip any

Is the operator 'host' only for blocking a single IP then?


Re: Brute Force FTP attack

You got it. The keyword "host" is also the same as the host mask

So these are the same thing...

host or

One other thing, above you said deny access "to" those IPs, when in fact this would block access "from" those IPs, I think that's what you meant but wanted to clarify.

New Member

Re: Brute Force FTP attack

Things are becoming much clearer...

Many Thanks!


Re: Brute Force FTP attack

manually creating ACL's to block this is a hopelessly futile effort. You will get another bruteforce from another source, and then another. If you don't have an IDS/IPS implementation that can stop it, use one of the numerous solutions that are generally available for use directly on the host to stop it. Something like fail2ban:

New Member

Re: Brute Force FTP attack

I agree. Up to this point, I have to temporarily run DENY ACLs since our FTP server is Window$ based.

We are seriously looking at changing over to Linux down the road...

-Many thanks for your input!

New Member

Re: Brute Force FTP attack

AN easier way to do thos is to shun the IP address.

That way no access list processing, and, the IP address is stopped dead at the interface.

The command is

shun "ip address"

The upside, easy and it works

Down side

If you re-boot, you need to re-enter the command, it does not write to the config.

CreatePlease to create content