15

I recently set up VSFTPD on my personal server for sharing files over FTP. In the vsftpd.log file, I see hundreds of failed attempts to log in with usernames like "adminitrator", "adminitrator1", "adminitrator2", "adminitrator123" etc.

I am surprised because I just set up my FTP server and I thought no one would know about its existence. I did not tell anyone that my FTP server exists.

I guess with port scanning tools, one would have found that the FTP port is open. However, I wonder how one would have got my IP.

  • I downloaded a torrent file; would that expose my IP address?

  • Is it quite common for the attacker to harvest the IP address from torrent trackers or some other service? Any idea how an attacker gets IP addresses? (Like for spamming, where spambots are used to harvest email IDs.)

  • Any general pointers for a newcomer to secure the server (books, videos, tutorials, blogs etc.)?

this.josh
18bytes

3 Answers

31

You don't need to find out how they got your IP - the entire Internet is constantly being scanned by malicious individuals, bots etc. If you have an FTP server on the Internet, one of these scans will find it and a whole series of attack attempts will commence.

Your downside is - you can't secure an FTP server. FTP just wasn't designed to provide encryption or strong authentication so it has been deprecated.

The recommendation is to replace it with one of the secure alternatives such as SFTP, or only provide access to it via SSH. The good thing is - SFTP is pretty much a drop-in replacement on most Operating Systems.

Update - actually, you are using vsftpd, so you can configure ftps to add authentication and encryption. Check out http://viki.brainsware.org/?en/Explicit_FTPS

Rory Alsop
17

Another thing you can do is add an iptables 'bruteforce' rule. This will allow IPs to make NEW connections x times within y seconds. After these limits have been reached the packets will be dropped. This prevents brute-forcers from continuously attacking your server. I have such protection on commonly scanned ports like FTP, SSH, IMAP, POP3, SMTP, etc.

Example of rules I use:

# Record every NEW connection to SSH (22) and FTP (21) in the BRUTEFORCE address list
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name BRUTEFORCE
iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -m recent --set --name BRUTEFORCE
# Drop a source that has opened 8 or more NEW connections within 60 seconds (one rule per protected port)
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name BRUTEFORCE -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name BRUTEFORCE -j DROP
Scott Pack
Goez
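The same per-source threshold that the `-m recent --seconds 60 --hitcount 8` rule enforces at the packet level can be checked after the fact against the vsftpd.log entries from the question. The script below is an added example, not code from the answer: the log excerpt and addresses are constructed, and it assumes vsftpd's default `FAIL LOGIN: Client "..."` line format with entries in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed vsftpd.log excerpt (not from the original post); addresses are from
# documentation ranges. Format assumed: vsftpd's default "FAIL LOGIN: Client" lines.
SAMPLE_LOG = """\
Sun Aug  7 08:30:01 2011 [pid 2231] [administrator] FAIL LOGIN: Client "203.0.113.5"
Sun Aug  7 08:30:04 2011 [pid 2233] [administrator1] FAIL LOGIN: Client "203.0.113.5"
Sun Aug  7 08:30:07 2011 [pid 2235] [administrator2] FAIL LOGIN: Client "203.0.113.5"
Sun Aug  7 08:30:09 2011 [pid 2240] [alice] FAIL LOGIN: Client "198.51.100.7"
Sun Aug  7 08:30:10 2011 [pid 2237] [administrator123] FAIL LOGIN: Client "203.0.113.5"
Sun Aug  7 08:30:13 2011 [pid 2239] [admin] FAIL LOGIN: Client "203.0.113.5"
Sun Aug  7 08:30:16 2011 [pid 2241] [root] FAIL LOGIN: Client "203.0.113.5"
Sun Aug  7 08:30:19 2011 [pid 2243] [test] FAIL LOGIN: Client "203.0.113.5"
Sun Aug  7 08:30:20 2011 [pid 2244] [alice] OK LOGIN: Client "198.51.100.7"
Sun Aug  7 08:30:22 2011 [pid 2245] [ftp] FAIL LOGIN: Client "203.0.113.5"
"""

FAIL_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"$'
)

def parse_failures(text):
    """Yield (timestamp, client_ip, username) for every failed-login line."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            yield ts, m.group("ip"), m.group("user")

def brute_force_sources(text, seconds=60, hitcount=8):
    """Map each client IP that reached `hitcount` failures inside a sliding
    `seconds` window to the time it first crossed that threshold."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = {}
    for ts, ip, _user in parse_failures(text):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > seconds:   # expire old hits
            window.popleft()
        if len(window) >= hitcount and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, ts in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {ts:%H:%M:%S}")
```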
15

There are lots of programs trawling the internet looking for vulnerable hosts. Certainly there are people who target their attacks, but starting from torrent logs will not yield very interesting targets.

Have a look at the sans.org site for basic checklists on securing your server.

M'vy
symcbean
  • Thanks for the info. I will harden the server instead of trying to figure out how one got my IP. – 18bytes Aug 08 '11 at 08:30