04-16-2013 01:24 AM - edited 03-10-2019 05:56 AM
Hi,
I'm getting lots of login attempt attacks, but why doesn't the IPS deny them?
One source IP is trying to log in with different username/pass combinations. Which signature should be enabled for this?
Regards.
04-16-2013 12:37 PM
Hi
We do not have a specific signature for FTP bruteforce.
You can use Sig 6009-0 SYN Flood DOS. This sig is generic to all ports, so you can clone sig 6009-0 and change destination port range to 21.
Please let me know if this helps. We may release a signature for FTP bruteforce in future.
Regards
Pradeep
04-16-2013 10:58 PM
OK, I cloned the signature and I will let you know the results.
Thanks.
04-17-2013 09:12 AM
blackswans, you may also be able to use:
Signature 6250-0 - FTP Authorization Failure
"Triggers when a user has failed to authenticate three times in a row, while trying to establish an FTP session.
This may be indicative of a brute force password guessing attempt, and may be viewed as an attempt to gain unauthorized access to system resources."
Depending on the type of brute force traffic (or dictionary) you could also use:
Signature 18920-0 - Administrative FTP User Failed To Authenticate
"This signature will generate an alert if the "root" or "administrator" ftp users fail to authenticate four or more times. This could be an indicator of brute force attempts to guess passwords. However, this signature will also alert if a user types the incorrect password four times in succession."
These signatures will also alert if a user (or automated login/tool) types the incorrect password multiple times in succession. So you will have to be aware of the possible issues with benign failed login attempts and tune the signature(s) accordingly.
If you have a Cisco ASA or PIX firewall you can also use the ftp fixup command to assist with the auditing and handling of FTP traffic and anomalous FTP activity.
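The counting logic behind a "failed N times in a row" signature and the tuning trade-off raised above, as an added example that is not part of the thread and not Cisco's signature code. It assumes a constructed log format (time, source IP, FTP reply code, username), counts per source IP rather than per session, and uses a hypothetical `min_users` knob to separate one user mistyping a password from one source cycling through usernames.

```python
from collections import defaultdict

# Constructed sample log (hypothetical format): time, source IP, FTP reply code, username.
# 530 = "Not logged in" (failed login), 230 = "User logged in" (RFC 959 reply codes).
SAMPLE_LOG = """\
10:00:01 198.51.100.7 530 admin
10:00:02 198.51.100.7 530 root
10:00:03 203.0.113.20 530 alice
10:00:04 198.51.100.7 530 ftpuser
10:00:05 203.0.113.20 530 alice
10:00:06 198.51.100.7 530 backup
10:00:09 203.0.113.20 230 alice
10:00:12 192.0.2.44 530 bob
10:00:13 192.0.2.44 530 bob
10:00:15 192.0.2.44 530 bob
"""

def find_bruteforce(log_text, threshold=3, min_users=1):
    """Return {src_ip: (longest_failure_streak, distinct_usernames)} for
    sources whose consecutive failures reach `threshold` and that tried at
    least `min_users` different usernames."""
    streak = defaultdict(int)      # current run of failures per source
    longest = defaultdict(int)     # longest run seen per source
    users = defaultdict(set)       # usernames seen in failed attempts
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue               # skip malformed lines
        _, src, code, user = parts
        if code == "530":
            streak[src] += 1
            users[src].add(user)
            longest[src] = max(longest[src], streak[src])
        elif code == "230":
            streak[src] = 0        # a successful login ends the run
    return {
        src: (longest[src], len(users[src]))
        for src in longest
        if longest[src] >= threshold and len(users[src]) >= min_users
    }

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))               # three failures in a row, any user
    print(find_bruteforce(SAMPLE_LOG, min_users=2))  # tuned to ignore single-user typos
```

With the default settings the single user who mistypes a password three times is flagged alongside the source trying many usernames; raising `min_users` keeps only the latter.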