Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - FTP-Brute Force Attacks and Password Management InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

FTP-Brute Force Attacks and Password Management

Published: 2006-07-17
Last Updated: 2006-07-18 13:15:52 UTC
by Scott Fendley (Version: 1)
0 comment(s)

In the past week I have seen what had appeared to be an uptick in FTP based brute force attacks on a few of the machines in my area.  According to the Dhsield Data, there has been a little increase in sources for a few days, but perhaps nothing out of the ordinary.  That was until last night when Ryan from the Phillipine Honeynet Project pointed out the same thing from their point of view. [Thanks for confirming this before I even asked :-)  ]

They issued an advisory located at which details a bit more of what they are seeing.   I am going to include a snipit of their advisory which includes some tips and reminders for administrators about password management.

"In light of this, here are some tips / guide for administrators:
  • force passwords to expire on a regular basis, be it monthly, quaterly, or on some other schedule - and force users to change their old passwords.
  • users should be forced to use their new password for a period of time before being allowed to change it again.
  • users should not be allowed to re-use an old password and the system should be able to keep or record previously used passwords for a given user.
  • a minimum password length should be enforce and also force the users to contain their selected password with some minimum number of upper-case characters, numbers, and non-alphanumeric characters.
  • passwords should be compared or checked against a "dictionary" of easily guessable passwords or strings that are commonly hit by the standard password "cracking" tools.
  • set a given account to be disabled after a certain number of failed logins except for administrative accounts.
  • user names should also be considered. deny "default" user names either with super (administrator, root, or those with restricted privileges (nobody,
  • FTP server shouldn't verify the existence or non-existence of the user names entered as to hinder this guessing attack
  • check your network for FTP services that you're not aware about, especially those hardware with embedded OS.
This special advisory is just to remind administrators that sometimes, it is the small things that tend to make big holes. In this case, it is always a good idea to implement stricter measures in password usage particularly in setting up temporary passwords for new accounts."

Scott Fendley
ISC Handler
0 comment(s)
Diary Archives