Re: 100's of logon errors for MSFTPSVC, event id: 100
- From: Sumegh <Sumegh@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 25 Apr 2007 21:16:01 -0700
Another good security measure (in my opinion) if you need to host an FTP site
on your SBS is to create a user and only give that and only that user access
to the FTP site. Ofcourse you want to set a very secure password for that
one user and use that username for all FTP transactions in the company. I
believe there is a good article on thia at www.smallbizserver.net
"Mike Webb" wrote:
Thanks for the comment!.
"Mal Osborne" <mal@xxxxxxxxxxxxx> wrote in message
news:E3836946-1653-460E-BA9D-312F483CFC27@xxxxxxxxxxxxxxxx
That is an easy one!
You have FTP exposed to the outside world, hackers have seen it listening
on port 21, and are trying a variety of common passwords to see if they
can fluke it. If the credentials "Administrator" & "password" could
allow FTP access, they would almost certainly have managed by now. If
your admin password is a strong one, they probably will not. If you have
a user who uses a weak password, hackers may manage to guess it.
If your server is full of child porn, phishing sites, stolen credit card
numbers & pirate software, then they have guessed right!
Hackers can also derive a username from an email address, ie, if they have
the name fred@xxxxxxxxxxxxxxx, they can try authenticating against FTP or
SMTP (to relay). They use the username "fred", and DNS lookup
"somecompany.com" Of course if all of your users have strong passwords the
will fail.
All ot this hacking activity is done via automated scripts, usually from a
machine that hackers have already compromised. Its easy for a script to
scan thousands of IP addresses for an FTP server, and try thousands of
passwords.
Any site that has FTP enabled *WILL* be hit with password guesses, strong
passwords will trump the attacks.
Only real defense if to ensure strong passwords are in use. Getting rid
of FTP if it's not needed is reasonable idea as well, but strong password
are really essential. Its easier to have strong passwords than try to
figure out & block everywhere that hackers may try to authenticate.
Mal Osborne
MCSE Mensa
"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:%23CDtAuohHHA.5048@xxxxxxxxxxxxxxxxxxxxxxx
Running SBS 2003 Premium, ISA 2004, SQL, WSUS, 2 NIC's and a router,
Symantec Backup Exec 11d, dynamic IP, DDNS service through dyndns.org.
============================
Checking the weekly Server Report I saw this. Checked the System Log and
saw this over and over again. Seems to be running every 2 seconds and
goes back to at least 11 April (end of my log). What do I check? Am I
being hacked?
--
Mike Webb
Platte River Whooping Crane Maintenance Trust, Inc.
a 501 (c)(3) conservation non-profit organization
- Follow-Ups:
- Re: 100's of logon errors for MSFTPSVC, event id: 100
- From: Mike Webb
- Re: 100's of logon errors for MSFTPSVC, event id: 100
- References:
- 100's of logon errors for MSFTPSVC, event id: 100
- From: Mike Webb
- Re: 100's of logon errors for MSFTPSVC, event id: 100
- From: Mal Osborne
- Re: 100's of logon errors for MSFTPSVC, event id: 100
- From: Mike Webb
- 100's of logon errors for MSFTPSVC, event id: 100
- Prev by Date: Re: Windows SBS 2003 Host Record Question (RWW)
- Next by Date: Re: DNS Name
- Previous by thread: Re: 100's of logon errors for MSFTPSVC, event id: 100
- Next by thread: Re: 100's of logon errors for MSFTPSVC, event id: 100
- Index(es):
Relevant Pages
|
