Help, attempted logins

josh1
Posts: 1
Joined: Tue May 30, 2006 7:02 am
Location: Bournemouth, UK

Post by josh1 » Tue May 30, 2006 7:08 am

Hi everyone

I keep getting people trying to log in even though I am the only one who uses the FTP server at the moment. I have pasted part of the log below:

Tue May 30 11:54:04 2006 12 USER Administrator
Tue May 30 11:54:04 2006 12 PASS ***********
Tue May 30 11:54:09 2006 12 USER Administrator
Tue May 30 11:54:10 2006 12 PASS ***********
Tue May 30 11:54:14 2006 12 USER Administrator
Tue May 30 11:54:15 2006 12 PASS ***********
Tue May 30 11:54:20 2006 12 USER Administrator
Tue May 30 11:54:31 2006 12 PASS ***********
Tue May 30 11:54:37 2006 12 USER Administrator
Tue May 30 11:54:38 2006 12 PASS ***********
Tue May 30 11:54:42 2006 12 USER Administrator
Tue May 30 11:54:43 2006 12 PASS ***********
Tue May 30 11:54:48 2006 12 USER Administrator
Tue May 30 11:54:49 2006 12 PASS ***********
Tue May 30 11:54:58 2006 12 USER Administrator
Tue May 30 11:54:59 2006 12 PASS ***********
Tue May 30 11:55:04 2006 12 USER Administrator
Tue May 30 11:55:05 2006 12 PASS ***********
Tue May 30 11:55:09 2006 12 USER Administrator
Tue May 30 11:55:10 2006 12 PASS ***********
Tue May 30 11:55:15 2006 12 USER Administrator
Tue May 30 11:55:16 2006 12 PASS ***********
Tue May 30 11:55:23 2006 12 USER tsinternetuser
Tue May 30 11:55:26 2006 12 PASS ***********
Tue May 30 11:55:26 2006 12 Logon failure: The user name did not belong to a valid NT user
Tue May 30 11:55:31 2006 12 USER tsinternetuser
Tue May 30 11:55:32 2006 12 PASS ***********
Tue May 30 11:55:32 2006 12 Logon failure: The user name did not belong to a valid NT user
Tue May 30 11:55:37 2006 12 USER tsinternetuser
Tue May 30 11:55:38 2006 12 PASS ***********
Tue May 30 11:55:38 2006 12 Logon failure: The user name did not belong to a valid NT user
Tue May 30 11:55:43 2006 12 USER tsinternetuser
Tue May 30 11:55:44 2006 12 PASS ***********
Tue May 30 11:55:44 2006 12 Logon failure: The user name did not belong to a valid NT user
Tue May 30 11:55:48 2006 12 USER tsinternetuser
Tue May 30 11:55:49 2006 12 PASS ***********
Tue May 30 11:55:49 2006 12 Logon failure: The user name did not belong to a valid NT user
Tue May 30 11:55:54 2006 12 USER tsinternetuser
Tue May 30 11:55:55 2006 12 PASS ***********
Tue May 30 11:55:55 2006 12 Logon failure: The user name did not belong to a valid NT user
Tue May 30 11:55:59 2006 12 USER tsinternetuser
Tue May 30 11:56:00 2006 12 PASS ***********
Tue May 30 11:56:00 2006 12 Logon failure: The user name did not belong to a valid NT user
Tue May 30 11:56:06 2006 12 USER tsinternetuser
Tue May 30 11:56:07 2006 12 PASS ***********
Tue May 30 11:56:07 2006 12 Logon failure: The user name did not belong to a valid NT user
Tue May 30 11:56:12 2006 12 USER tsinternetuser
Tue May 30 11:56:13 2006 12 PASS ***********
Tue May 30 11:56:13 2006 12 Logon failure: The user name did not belong to a valid NT user

When I realised this was happening I blocked the IP and set up auto blocking, but I am worried in case someone does manage to get in.

Any suggestions??
Josh

mdj
Moderator
Posts: 656
Joined: Mon Aug 18, 2003 4:00 am
Location: Denmark

Post by mdj » Wed May 31, 2006 6:17 pm

Don't worry too much about it. I experienced a far worse attack a few years ago, thousands of user names were tested over a period of almost 2 hours, but nothing bad happened. A few guidelines though:

- Make sure you autoblock ip addresses after a small number of failed attempts.
- Do not have an "administrator" account, it is too obvious.
- Make sure you have strong passwords.
- If you need an anonymous account, and you probably do, make sure the anonymous user ONLY has download rights, NOTHING ELSE.

There are probably more good guidelines I cannot think of right now.
Morten Due Jørgensen
http://www.mdjnet.dk
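
The "block after a small number of failed attempts" guideline, sketched as an added example that is not part of the original posts and is not Cerberus code: it reads lines in the layout of the log pasted above and flags a connection that sends more USER commands than a threshold inside a time window. It assumes the number after the year is a connection id; `find_guessing`, `max_attempts`, `window` and the sample lines are made up for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the layout of the pasted log:
# "<weekday> <month> <day> <HH:MM:SS> <year> <id> <message>" (id assumed to be a connection id)
SAMPLE_LOG = """\
Tue May 30 11:54:04 2006 12 USER Administrator
Tue May 30 11:54:04 2006 12 PASS ***********
Tue May 30 11:54:09 2006 12 USER Administrator
Tue May 30 11:54:10 2006 12 PASS ***********
Tue May 30 11:54:12 2006 13 USER alice
Tue May 30 11:54:13 2006 13 PASS ***********
Tue May 30 11:54:14 2006 12 USER Administrator
Tue May 30 11:54:15 2006 12 PASS ***********
Tue May 30 11:54:20 2006 12 USER tsinternetuser
Tue May 30 11:54:21 2006 12 PASS ***********
Tue May 30 11:54:21 2006 12 Logon failure: The user name did not belong to a valid NT user
"""

LINE_RE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (\d+) (.*)$")

def parse(line):
    """Split one log line into (timestamp, connection id, message), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
    return ts, int(m.group(2)), m.group(3)

def find_guessing(lines, max_attempts=3, window=timedelta(seconds=60)):
    """Return {connection id: (time the threshold was crossed, user names tried)}."""
    recent = defaultdict(deque)   # USER timestamps still inside the window
    names = defaultdict(set)      # every user name seen on the connection
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None or not rec[2].upper().startswith("USER "):
            continue              # only USER commands count as login attempts
        ts, conn, msg = rec
        names[conn].add(msg[5:].strip())
        q = recent[conn]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) > max_attempts and conn not in alerts:
            alerts[conn] = ts      # first moment a block would trigger
    return {c: (t, sorted(names[c])) for c, t in alerts.items()}

if __name__ == "__main__":
    for conn, (when, tried) in find_guessing(SAMPLE_LOG.splitlines()).items():
        print(f"connection {conn}: threshold crossed at {when}, names tried: {tried}")
```

Counting USER commands rather than "Logon failure" lines matters here, because in the pasted log the Administrator attempts are not followed by a failure line at all.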

mdj
Moderator
Posts: 656
Joined: Mon Aug 18, 2003 4:00 am
Location: Denmark

Post by mdj » Wed Jul 19, 2006 2:52 am

A bit of news on this topic. It appears a lot of this is going on these days:
http://isc.sans.org/diary.php?storyid=1491
The article mentions some good ideas for password policies. Some of them can be observed by the site owner, some are already supported by Cerberus, and some will need to be considered for implementation in Cerberus. Serin, take a look at it, and see if you can make room for some of it some time.

At the moment, I am myself seeing these attacks about once a day. However, I have no Administrator account, so they are shooting at nothing, since this is always the account name used, and I have the auto blocking feature enabled, so I am still not really worried - except perhaps for the block list to run full... :-)
Morten Due Jørgensen
http://www.mdjnet.dk
