https://community.cisco.com/t5/network-security/ftp-brute-force-attack/m-p/2144344#M53845 <P>Hi,</P><P></P><P>I'm getting lots of login attempt attack but why doesnt ips deny them?</P><P>One source ip is trying to login with different username/pass combinations. Which signature should be enabled for this?</P><P></P><P>Regards.</P> Sun, 10 Mar 2019 12:56:41 GMT blackswans 2019-03-10T12:56:41Z https://community.cisco.com/t5/network-security/ftp-brute-force-attack/m-p/2144344#M53845 <P>Hi,</P><P></P><P>I'm getting lots of login attempt attack but why doesnt ips deny them?</P><P>One source ip is trying to login with different username/pass combinations. Which signature should be enabled for this?</P><P></P><P>Regards.</P> Sun, 10 Mar 2019 12:56:41 GMT https://community.cisco.com/t5/network-security/ftp-brute-force-attack/m-p/2144344#M53845 blackswans 2019-03-10T12:56:41Z https://community.cisco.com/t5/network-security/ftp-brute-force-attack/m-p/2144345#M53847 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>We do not have a specific signature for FTP bruteforce. </P><P></P><P>You can use Sig 6009-0 SYN Flood DOS. This sig is generic to all ports, so you can clone sig 6009-0 and change destination port range to 21.</P><P></P><P>Please let me know if this helps. We may release a signature for FTP bruteforce in future.</P><P></P><P>Regards</P><P>Pradeep&nbsp; </P></BODY></HTML> Tue, 16 Apr 2013 19:37:31 GMT https://community.cisco.com/t5/network-security/ftp-brute-force-attack/m-p/2144345#M53847 pradnaga 2013-04-16T19:37:31Z https://community.cisco.com/t5/network-security/ftp-brute-force-attack/m-p/2144346#M53848 <HTML><HEAD></HEAD><BODY><P>Ok I cloned the signature and I will let you know the results.</P><P></P><P>Thanks.</P></BODY></HTML> Wed, 17 Apr 2013 05:58:40 GMT https://community.cisco.com/t5/network-security/ftp-brute-force-attack/m-p/2144346#M53848 blackswans 2013-04-17T05:58:40Z https://community.cisco.com/t5/network-security/ftp-brute-force-attack/m-p/2144347#M53850 <HTML><HEAD></HEAD><BODY><P>blackswans, you may also be able to use: </P><P></P><P>Signature 6250-0 - FTP Authorization Failure</P><P>"Triggers when a user has failed to authenticate three times in a row, while trying to establish an FTP session.</P><P>This may be indicative of a brute force password guessing attempt, and may be viewed as an attempt to gain unauthorized access to system resources."</P><P></P><P>Depending on the type of brute force traffic (or dictionary) you could also use: </P><P>Signature 18920-0 - Administrative FTP User Failed To Authenticate</P><P>"This signature will generate an alert of the "root or "administrator" ftp users fail to authenticate four or more times. This could be an indicator of brute force attempts to guess passwords. However, this signature will also alert if a user types the incorrect password four times in succession."</P><P></P><P>These signatures will also alert if a user (or automated login/tool) types the incorrect password multiple times in succession. So you will have to be aware of the possible issues with benign failed login attempts and tune the signature(s) accordingly. </P><P></P><P>If you have a Cisco ASA or PIX firewall you can also you the ftp fixup command to assist with the auditing and handling of FTP traffic and anomalous FTP activity. </P></BODY></HTML> Wed, 17 Apr 2013 16:12:11 GMT https://community.cisco.com/t5/network-security/ftp-brute-force-attack/m-p/2144347#M53850 largenb 2013-04-17T16:12:11Z