FTP Brute Force Attack

blackswans
Level 1

Hi,

I'm getting lots of login attempt attacks, but why doesn't the IPS deny them?

One source IP is trying to log in with different username/password combinations. Which signature should be enabled for this?

Regards.

3 Replies

pradnaga
Cisco Employee

Hi

We do not have a specific signature for FTP bruteforce.

You can use Sig 6009-0 SYN Flood DOS. This sig is generic to all ports, so you can clone sig 6009-0 and change destination port range to 21.

Please let me know if this helps. We may release a signature for FTP bruteforce in future.

Regards

Pradeep 

Ok I cloned the signature and I will let you know the results.

Thanks.

largenb
Cisco Employee

blackswans, you may also be able to use:

Signature 6250-0 - FTP Authorization Failure

"Triggers when a user has failed to authenticate three times in a row, while trying to establish an FTP session.

This may be indicative of a brute force password guessing attempt, and may be viewed as an attempt to gain unauthorized access to system resources."

Depending on the type of brute force traffic (or dictionary) you could also use:

Signature 18920-0 - Administrative FTP User Failed To Authenticate

"This signature will generate an alert if the "root" or "administrator" ftp users fail to authenticate four or more times. This could be an indicator of brute force attempts to guess passwords. However, this signature will also alert if a user types the incorrect password four times in succession."

These signatures will also alert if a user (or automated login/tool) types the incorrect password multiple times in succession. So you will have to be aware of the possible issues with benign failed login attempts and tune the signature(s) accordingly.

If you have a Cisco ASA or PIX firewall you can also use the ftp fixup command to assist with the auditing and handling of FTP traffic and anomalous FTP activity.
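
The tuning concern in the reply above (consecutive-failure signatures also fire on a user who mistypes a password), shown as an added example that is not part of the original thread and is not Cisco's signature logic. The log format, the function name `classify_failed_logins` and the `max_users` threshold are assumptions made for illustration; the default of three consecutive failures mirrors the description quoted for signature 6250-0.

```python
import re
from collections import defaultdict

# Constructed sample: simplified FTP auth log, not any real server's format.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=203.0.113.5 user=admin result=FAIL
2024-05-01T10:00:02 src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:03 src=203.0.113.5 user=root result=FAIL
2024-05-01T10:00:04 src=192.0.2.9 user=bob result=FAIL
2024-05-01T10:00:05 src=203.0.113.5 user=test result=FAIL
2024-05-01T10:00:06 src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:07 src=192.0.2.9 user=bob result=FAIL
2024-05-01T10:00:08 src=203.0.113.5 user=ftp result=FAIL
2024-05-01T10:00:09 src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:10 src=192.0.2.9 user=bob result=OK
2024-05-01T10:00:11 src=198.51.100.7 user=alice result=OK
"""

LINE_RE = re.compile(r"^\S+ src=(\S+) user=(\S+) result=(OK|FAIL)$")

def classify_failed_logins(log_text, max_consecutive=3, max_users=3):
    """Return {source_ip: label} for sources whose failure streak crosses a threshold.

    'many-usernames'    : one source failed against >= max_users distinct accounts
    'repeated-failures' : >= max_consecutive failures in a row (may be a benign typo)
    """
    streak = defaultdict(int)   # consecutive failures per source
    users = defaultdict(set)    # usernames seen in the current streak
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # skip lines that are not auth events
        src, user, result = m.groups()
        if result == "OK":      # a successful login ends the streak
            streak[src] = 0
            users[src].clear()
            continue
        streak[src] += 1
        users[src].add(user)
        if len(users[src]) >= max_users:
            alerts[src] = "many-usernames"
        elif streak[src] >= max_consecutive:
            alerts.setdefault(src, "repeated-failures")
    return alerts

if __name__ == "__main__":
    for src, label in classify_failed_logins(SAMPLE_LOG).items():
        print(src, label)
```

Raising `max_consecutive` suppresses the mistyped-password case while the multi-username source is still reported.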
