Securing FTP server - up for 3 days and already attempted hack

Associate | Joined 20 Oct 2002 | Posts 1,127 | Location Redcar
Last week I was asked to set up an FTP server as we are going to start receiving a lot of information from publishers and print companies. I did try to explain the negative points of running an FTP server, especially as I’m no network admin and this is the second part of my job, but I was assured by management it would be OK and these people only know how to use good old FTP.

Anyway, I got a fresh VM built using Server 2008 R2 Standard; it is not joined to the domain. I set up IIS 7.5 and created the FTP users locally on the VM using random user names and 12-character passwords with upper- and lower-case characters, numbers and selected special characters.

I managed to get the ASA 5505 we have to accept passive connections using the FTP inspection maps, as I was going to run the FTP in active mode at first but some of the publishers didn’t seem to understand how to connect in active mode.

I’ve come in today and checked over the FTP server (mainly to see if anyone is using it) and found this in the logs

Code:
2010-03-20 14:23:14 201.30.62.210 - xx.xx.xx.xx 21 USER access 331 0 0 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:15 201.30.62.210 - xx.xx.xx.xx 21 PASS *** 530 1326 41 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:17 201.30.62.210 - xx.xx.xx.xx 21 USER account 331 0 0 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:17 201.30.62.210 - xx.xx.xx.xx 21 PASS *** 530 1326 41 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:23 201.30.62.210 - xx.xx.xx.xx 21 USER accounts 331 0 0 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:24 201.30.62.210 - xx.xx.xx.xx 21 PASS *** 530 1326 41 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:24 201.30.62.210 - xx.xx.xx.xx 21 USER adam 331 0 0 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:24 201.30.62.210 - xx.xx.xx.xx 21 PASS *** 530 1326 41 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:28 201.30.62.210 - xx.xx.xx.xx 21 USER adm 331 0 0 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:28 201.30.62.210 - xx.xx.xx.xx 21 PASS *** 530 1326 41 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:34 201.30.62.210 - xx.xx.xx.xx 21 USER admin 331 0 0 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:35 201.30.62.210 - xx.xx.xx.xx 21 PASS *** 530 1326 41 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:39 201.30.62.210 - xx.xx.xx.xx 21 USER admin2 331 0 0 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:40 201.30.62.210 - xx.xx.xx.xx 21 PASS *** 530 1326 41 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:40 201.30.62.210 - xx.xx.xx.xx 21 USER admin2 331 0 0 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:41 201.30.62.210 - xx.xx.xx.xx 21 PASS *** 530 1326 41 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:48 201.30.62.210 - xx.xx.xx.xx 21 USER adrian 331 0 0 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:48 201.30.62.210 - xx.xx.xx.xx 21 PASS *** 530 1326 41 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:49 201.30.62.210 - xx.xx.xx.xx 21 USER adrian 331 0 0 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:49 201.30.62.210 - xx.xx.xx.xx 21 PASS *** 530 1326 41 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:50 201.30.62.210 - xx.xx.xx.xx 21 USER aerial 331 0 0 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:50 201.30.62.210 - xx.xx.xx.xx 21 PASS *** 530 1326 41 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:54 201.30.62.210 - xx.xx.xx.xx 21 USER agent 331 0 0 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -
2010-03-20 14:23:54 201.30.62.210 - xx.xx.xx.xx 21 PASS *** 530 1326 41 50dc99c1-32bb-4370-ab1b-dd71efd0e782 -

And then this

Code:
2010-03-20 19:43:09 147.175.133.11 - xx.xx.xx.xx 21 USER Administrator 331 0 0 87538c0c-081d-4091-a1ff-4eacab96c80f -
2010-03-20 19:43:10 147.175.133.11 - xx.xx.xx.xx 21 PASS *** 530 1326 41 87538c0c-081d-4091-a1ff-4eacab96c80f -
2010-03-20 19:43:10 147.175.133.11 - xx.xx.xx.xx 21 USER Administrator 331 0 0 87538c0c-081d-4091-a1ff-4eacab96c80f -
2010-03-20 19:43:10 147.175.133.11 - xx.xx.xx.xx 21 PASS *** 530 1326 41 87538c0c-081d-4091-a1ff-4eacab96c80f -
2010-03-20 19:43:10 147.175.133.11 - xx.xx.xx.xx 21 USER Administrator 331 0 0 87538c0c-081d-4091-a1ff-4eacab96c80f -
2010-03-20 19:43:10 147.175.133.11 - xx.xx.xx.xx 21 PASS *** 530 1326 41 87538c0c-081d-4091-a1ff-4eacab96c80f -
2010-03-20 19:43:10 147.175.133.11 - xx.xx.xx.xx 21 USER Administrator 331 0 0 87538c0c-081d-4091-a1ff-4eacab96c80f -
2010-03-20 19:43:10 147.175.133.11 - xx.xx.xx.xx 21 PASS *** 530 1326 41 87538c0c-081d-4091-a1ff-4eacab96c80f -
2010-03-20 19:43:10 147.175.133.11 - xx.xx.xx.xx 21 USER Administrator 331 0 0 87538c0c-081d-4091-a1ff-4eacab96c80f -
2010-03-20 19:43:10 147.175.133.11 - xx.xx.xx.xx 21 PASS *** 530 1326 41 87538c0c-081d-4091-a1ff-4eacab96c80f -
2010-03-20 19:43:10 147.175.133.11 - xx.xx.xx.xx 21 USER Administrator 331 0 0 87538c0c-081d-4091-a1ff-4eacab96c80f -
2010-03-20 19:43:10 147.175.133.11 - xx.xx.xx.xx 21 PASS *** 530 1326 41 87538c0c-081d-4091-a1ff-4eacab96c80f -
2010-03-20 19:43:10 147.175.133.11 - xx.xx.xx.xx 21 USER Administrator 331 0 0 87538c0c-081d-4091-a1ff-4eacab96c80f -
2010-03-20 19:43:10 147.175.133.11 - xx.xx.xx.xx 21 PASS *** 530 1326 41 87538c0c-081d-4091-a1ff-4eacab96c80f -
2010-03-20 19:43:10 147.175.133.11 - xx.xx.xx.xx 21 USER Administrator 331 0 0 87538c0c-081d-4091-a1ff-4eacab96c80f -
2010-03-20 19:43:10 147.175.133.11 - xx.xx.xx.xx 21 PASS *** 530 1326 41 87538c0c-081d-4091-a1ff-4eacab96c80f -
2010-03-20 19:43:11 147.175.133.11 - xx.xx.xx.xx 21 USER Administrator 331 0 0 87538c0c-081d-4091-a1ff-4eacab96c80f -
2010-03-20 19:43:11 147.175.133.11 - xx.xx.xx.xx 21 PASS *** 530 1326 41 87538c0c-081d-4091-a1ff-4eacab96c80f -

What other steps can I use to protect this FTP server? It's only been up for 3 days and attacked twice! I’m not sure how long it will last before somebody with more experience in this matter finds a hole and the machine is compromised.
 
Thanks for the quick replies, there is even another probe happening right now.

There is no anonymous access enabled, only the users in the local FTPuser group are allowed to login. The server is set to accept both SSL and non-SSL connections but not everyone connects with SSL on (some of the publishers don't have a clue)

Should I be looking at a separate FTP server for Windows that offers some nicer features? IIS FTP doesn't allow you to limit login retries on failure, which would at least slow these guys down.

How much mileage is there in getting a list of IP ranges from these publishers and only accepting connections from those, is this a good solution?
 
Unfortunately it is for corporate users. Most of the publishers have static IPs but nearly half are really small independents, some even working from home with no real IT infrastructure. I would really like to use an IP whitelist but for the dynamic IP publishers I can’t.

It seems that they have been using FTP since the dawn of time and are happy with it, but again only some of them can manage to connect on FTP over SSL, and it's been made clear by management that we are to pander to the publishers' needs as we really need their content and I should make it as easy as possible for them.

We do have a VPN for remote access on weekends and the guys at the US office to remote in on, I’m not so sure about extending that to allow publishers to connect in on it as well, we’d have to send them all out a security woggle too and I’m sure that would be far too difficult for them to use.

I hope that FTP is a short-term problem for us. I’m managing it daily, checking the logs etc., and will be changing the publishers' passwords monthly. I’m currently working on our own internal application that allows the publishers to send files to our cloud storage for processing; once that's out we can stop running FTP.

It’s been really good to get some opinion on what security to put in place, for now I think we’ll have to run with a locked down FTP box, random usernames, 12 character passwords on monthly change and daily access log checks.
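An added example, not code from the thread or from IIS: a small Python script that turns the "daily access log check" in the last post into something repeatable against log lines in the shape of the excerpts in the first post. It parses the IIS 7.5 FTP W3C columns, pairs each PASS with the USER sent on the same x-session (IIS logs the name only on the USER line and writes *** for PASS), and flags the two patterns visible in those excerpts: one IP walking a list of user names, and one IP hammering a single account. It also reports the case that actually matters, a 230 from an IP that had been failing. The sample log lines, addresses, session ids, user names and the 4-failures-in-10-minutes threshold are all constructed for this example; the netsh rule is standard Windows Firewall syntax but the rule name and the choice to block only port 21 are this example's.

```python
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Column order of an IIS 7.5 FTP log written with the default #Fields header.
FIELDS = ("date", "time", "c-ip", "cs-username", "s-ip", "s-port", "cs-method",
          "cs-uri-stem", "sc-status", "sc-win32-status", "sc-substatus",
          "x-session", "x-fullpath")
FAIL_THRESHOLD = 4               # failed PASS commands from one client IP ...
WINDOW = timedelta(minutes=10)   # ... within this span flags the IP

# Constructed sample in the same shape as the log excerpts in the thread;
# addresses (RFC 5737 ranges), session ids and user names are invented.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2010-03-21 09:00:01 198.51.100.7 - 203.0.113.5 21 USER access 331 0 0 sess-a -
2010-03-21 09:00:01 198.51.100.7 - 203.0.113.5 21 PASS *** 530 1326 41 sess-a -
2010-03-21 09:00:04 198.51.100.7 - 203.0.113.5 21 USER admin 331 0 0 sess-a -
2010-03-21 09:00:04 198.51.100.7 - 203.0.113.5 21 PASS *** 530 1326 41 sess-a -
2010-03-21 09:00:08 198.51.100.7 - 203.0.113.5 21 USER adam 331 0 0 sess-a -
2010-03-21 09:00:08 198.51.100.7 - 203.0.113.5 21 PASS *** 530 1326 41 sess-a -
2010-03-21 09:00:12 198.51.100.7 - 203.0.113.5 21 USER agent 331 0 0 sess-a -
2010-03-21 09:00:13 198.51.100.7 - 203.0.113.5 21 PASS *** 530 1326 41 sess-a -
2010-03-21 11:30:00 192.0.2.44 - 203.0.113.5 21 USER pub7k2q 331 0 0 sess-b -
2010-03-21 11:30:01 192.0.2.44 pub7k2q 203.0.113.5 21 PASS *** 230 0 0 sess-b -
2010-03-21 19:43:09 203.0.113.9 - 203.0.113.5 21 USER Administrator 331 0 0 sess-c -
2010-03-21 19:43:10 203.0.113.9 - 203.0.113.5 21 PASS *** 530 1326 41 sess-c -
2010-03-21 19:43:10 203.0.113.9 - 203.0.113.5 21 USER Administrator 331 0 0 sess-c -
2010-03-21 19:43:10 203.0.113.9 - 203.0.113.5 21 PASS *** 530 1326 41 sess-c -
2010-03-21 19:43:10 203.0.113.9 - 203.0.113.5 21 USER Administrator 331 0 0 sess-c -
2010-03-21 19:43:11 203.0.113.9 - 203.0.113.5 21 PASS *** 530 1326 41 sess-c -
2010-03-21 19:43:11 203.0.113.9 - 203.0.113.5 21 USER Administrator 331 0 0 sess-c -
2010-03-21 19:43:11 203.0.113.9 - 203.0.113.5 21 PASS *** 530 1326 41 sess-c -
2010-03-21 19:43:12 203.0.113.9 - 203.0.113.5 21 USER Administrator 331 0 0 sess-c -
2010-03-21 19:43:12 203.0.113.9 Administrator 203.0.113.5 21 PASS *** 230 0 0 sess-c -
"""


def parse(lines):
    """Yield one dict per data line; '#' header/comment lines are skipped."""
    for line in lines:
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        yield rec


def login_events(records):
    """(ts, c-ip, user, ok) per PASS; the name comes from the USER sent earlier on
    the same x-session because IIS writes '***' as the PASS argument."""
    last_user = {}
    for r in records:
        if r["cs-method"] == "USER":
            last_user[r["x-session"]] = r["cs-uri-stem"]
        elif r["cs-method"] == "PASS":
            yield r["ts"], r["c-ip"], last_user.get(r["x-session"], "?"), r["sc-status"] == "230"


def analyse(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {client ip: verdict} for clients with >= threshold failures inside window."""
    by_ip = defaultdict(list)
    for ev in login_events(parse(lines)):
        by_ip[ev[1]].append(ev)
    verdicts = {}
    for ip, events in by_ip.items():
        fails = sorted(e for e in events if not e[3])
        burst = any(fails[i + threshold - 1][0] - fails[i][0] <= window
                    for i in range(len(fails) - threshold + 1))
        if not burst:
            continue
        users = {e[2] for e in fails}
        # many names from one IP => user-name enumeration; one name repeated => guessing its password
        kind = "username-enumeration" if len(users) >= threshold else "password-guessing"
        # a 230 from an IP that had been failing is the alarm that needs action the same day
        first_fail = fails[0][0]
        won = sorted({e[2] for e in events if e[3] and e[0] > first_fail})
        verdicts[ip] = {"kind": kind, "failures": len(fails),
                        "usernames": sorted(users), "compromised_accounts": won}
    return verdicts


def firewall_rules(verdicts, port=21):
    """netsh advfirewall commands (returned, not run) that drop further control-channel
    traffic from each flagged IP; review them before pasting on the FTP box."""
    return [f'netsh advfirewall firewall add rule name="FTP brute force {ip}" '
            f"dir=in action=block protocol=TCP localport={port} remoteip={ip}"
            for ip in sorted(verdicts)]


if __name__ == "__main__":
    # usage: python ftp_bruteforce.py <u_ex*.log>; with no argument the sample above is used
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    found = analyse(lines)
    for ip, v in found.items():
        print(ip, v)
    print("\n".join(firewall_rules(found)))
```

Point it at the current day's log (on IIS 7.5 the FTP site's log directory is typically under %SystemDrive%\inetpub\logs\LogFiles\FTPSVC<site id>\, assumed here) as the daily check. The two IPs in the sample come out as "username-enumeration" and "password-guessing", and only the second one reports a compromised account; a reset of that account, not just a firewall rule, is the response to that line. Blocking by IP only slows the noisy scanners; it does nothing about a weak password, which is why the random user names and 12-character passwords in the thread matter more than the block list.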
 