Keeping twits from stealing processing time - Inetserver


  1. Keeping twits from stealing processing time

    Hi,

    some sick person is bugging my FTP server on IIS5 with loads of
    (unsuccessful) connection attempts (approx. 200,000 the last two months). Is
    there any way of stopping this nerd from stealing my processing time?

    TIA,
    Axel Dahmen



  2. RE: Keeping twits from stealing processing time

    I hear you on this one. One of my clients has an FTP server running on IIS6.
    They don't allow anonymous connections, so they'll have someone trying to
    connect, sometimes several hundred times in a 2 minute span. They'll use
    every possible variation of "Administrator" to gain access.

    Best thing you can do is look at the MSFTPSVC logs to find the IP address of
    the attacker. Then use your firewall to block that IP.

    If someone were to write an app that looks at the MSFTPSVC logs and sees the
    pattern of logon attempts and sends an alert to a server admin or, better
    yet, automatically sets the rule in a firewall to block the IP, I'd buy it in
    a heartbeat.

    Rob M.

    ----------------------------------------------
    Rob Madison, MCP MCSA
    Action I.T. Consulting


    "Axel Dahmen" wrote:

    > Hi,
    >
    > some sick person is bugging my FTP server on IIS5 with loads of
    > (unsuccessful) connection attempts (approx. 200,000 the last two months). Is
    > there any way of stopping this nerd from stealing my processing time?
    >
    > TIA,
    > Axel Dahmen
    >
    >
    >


  3. Re: Keeping twits from stealing processing time

    Yeah, right... Unfortunately from what I can read in the log the IP address
    changes every day, so I believe that person is either using Dial-Up or there
    are several twits trying to do the same thing.

    Isn't there a way to tell MSFTPSVC to block unsuccessful login attempts from
    the same IP after, say, 3 unsuccessful attempts within 1 min. for 120 secs.
    or so?

    TIA,
    Axel Dahmen



    ---------------------------------------
    "Rob Madison .actionitc.com>" <robmadison@<EATMESPAMMERS> wrote in
    message news:33F651CB-3FBE-4218-AE1E-0E102F978B7C@microsoft.com...
    > I hear you on this one. One of my clients has an FTP server running on IIS6.
    > They don't allow anonymous connections, so they'll have someone trying to
    > connect, sometimes several hundred times in a 2 minute span. They'll use
    > every possible variation of "Administrator" to gain access.
    >
    > Best thing you can do is look at the MSFTPSVC logs to find the IP address of
    > the attacker. Then use your firewall to block that IP.
    >
    > If someone were to write an app that looks at the MSFTPSVC logs and sees the
    > pattern of logon attempts and sends an alert to a server admin or, better
    > yet, automatically sets the rule in a firewall to block the IP, I'd buy it in
    > a heartbeat.
    >
    > Rob M.
    >
    > ----------------------------------------------
    > Rob Madison, MCP MCSA
    > Action I.T. Consulting
    >
    >
    > "Axel Dahmen" wrote:
    >
    > > Hi,
    > >
    > > some sick person is bugging my FTP server on IIS5 with loads of
    > > (unsuccessful) connection attempts (approx. 200,000 the last two months). Is
    > > there any way of stopping this nerd from stealing my processing time?
    > >
    > > TIA,
    > > Axel Dahmen
    > >
    > >
    > >




  4. Re: Keeping twits from stealing processing time

    Hi Axel,

    No, there is no built-in mechanism in IIS FTP that will block an IP after
    repeated login failures. Some advanced monitoring services, such as MOM, may
    have this ability.

    However, if the attacker is always from a certain IP range, you should be
    able to block it at the Class C level in the FTP site's Directory Security
    tab (use "Group of computers").

    If that still doesn't help, I think you should contact your ISP or try to
    get assistance through legal means.

    Best regards,

    WenJun Zhang
    Microsoft Online Partner Support

    This posting is provided "AS IS" with no warranties, and confers no rights.
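
The log-watching tool wished for in post 2, using the threshold proposed in post 3 (3 failed logins within 1 minute, 120-second block), could look like the sketch below. It is an added example, not code from any poster or from Microsoft. It assumes the MSFTPSVC log is in W3C extended format with `time`, `c-ip`, `cs-method` and `sc-status` fields and that a rejected login appears as a `PASS` command with status 530; the sample log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in W3C extended format (documentation-range IPs).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2005-03-01 02:14:00
#Fields: time c-ip cs-method cs-uri-stem sc-status
02:14:01 203.0.113.7 [1]USER Administrator 331
02:14:01 203.0.113.7 [1]PASS - 530
02:14:09 203.0.113.7 [2]USER administrator1 331
02:14:09 203.0.113.7 [2]PASS - 530
02:14:20 198.51.100.4 [3]USER axel 331
02:14:21 198.51.100.4 [3]PASS - 230
02:14:30 203.0.113.7 [4]USER admin 331
02:14:30 203.0.113.7 [4]PASS - 530
02:20:00 192.0.2.9 [5]USER bob 331
02:20:01 192.0.2.9 [5]PASS - 530
"""

def find_offenders(log_text, max_failures=3, window_s=60, block_s=120):
    """Map each IP that reaches max_failures failed logins inside window_s
    seconds to (time the threshold was hit, time the block would expire)."""
    fields, day = [], "1970-01-01"      # day is replaced by the #Date directive
    recent = defaultdict(deque)         # ip -> timestamps of recent failures
    offenders = {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
        elif line.startswith("#Date:"):
            day = line.split()[1]
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Assumption: a rejected login is a PASS command answered with 530.
        if not row.get("cs-method", "").endswith("PASS") or row.get("sc-status") != "530":
            continue
        ts = datetime.strptime(f"{row.get('date', day)} {row['time']}", "%Y-%m-%d %H:%M:%S")
        q = recent[row["c-ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()                 # forget failures older than the window
        if len(q) >= max_failures and row["c-ip"] not in offenders:
            offenders[row["c-ip"]] = (ts, ts + timedelta(seconds=block_s))
    return offenders

if __name__ == "__main__":
    for ip, (hit, until) in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: threshold hit {hit}, block until {until}")
```

The returned addresses are candidates for an admin alert or a temporary firewall rule; because the source address changes daily in the case described above, short expiring blocks fit better than a permanent deny list.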



