recommend an intrusion detection system


i've just gotten a mobile plan that includes 4mb a month bandwidth which is
about 200 emails. anything over that i pay for. i also run a windows 2003
server that is the frequent subject of FTP dictionary attacks. whenever
somebody tries to FTP using something like 'administrator' or 'guest', an
event log is added with the failed login attempt. any security logs added
generate a new email sent to my account. as any of you know who've been
subject to these kinds of attacks, they can last hours and generate tons of
event logs (and, in my case, hundreds of emails).

normally, if i'm around when the attack starts, i'll add the attacker's IP
to my blocked addresses in the IIS FTP server. what i'd like to have for
those times i'm not around is an application that can do the same thing. i
should be able to set a trigger that says something like 'if somebody tries
to FTP in and fails 3 times within 1 minute, add them to the list of blocked

anybody know of an app like this?


Re: recommend an intrusion detection system

Dica wrote:

If you're running linux you can use iptables and the ipt_recent module
to automatically reject connections like this.  There are several
examples on the web; one for SSH (which you should be able to easily
modify for FTP) is at

I use something similar to:

# Kill ftp hackers - watch for more than 3 connection attempts in under
# 60 seconds and reject for 5 minutes.
# FTP-EVIL: record the offender in the "badFTP" list, log it, then reject.
# (LOG is non-terminating, so the REJECT rule below still fires.)
iptables -N FTP-EVIL
iptables -A FTP-EVIL -m recent --name badFTP --set -j LOG --log-level DEBUG --log-prefix "evil FTP user: "
iptables -A FTP-EVIL -j REJECT

# FTP: the chain that port-21 traffic is sent to from INPUT.
iptables -N FTP
# Let packets of already-established sessions through.
# The target of this rule was missing in the post as quoted; ACCEPT is assumed.
iptables -A FTP -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connection from an address seen in badFTP within the last 300 s: reject.
iptables -A FTP -p tcp --syn -m recent --name badFTP --rcheck --seconds 300 -j REJECT
# Already 3 connection attempts in the "ftpconn" list within 60 s: punish.
iptables -A FTP -p tcp --syn -m recent --name ftpconn --rcheck --seconds 60 --hitcount 3 -j FTP-EVIL
# Otherwise record this attempt and allow the connection.
iptables -A FTP -p tcp --syn -m recent --name ftpconn --set
iptables -A FTP -p tcp --syn -j ACCEPT

Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
