Maximum Logon Attempts

Guest

I have installed IIS on Windows 2000 Server and configured an FTP site,
which is needed for a remote consulting company to upload data.

Since opening up FTP on the firewall, I've had repeated login attempts by
unauthorized user(s) who appear to be using some kind of utility to cycle
through passwords. The event viewer is full of "The server was unable to
logon the Windows NT account 'administrator' due to the following error:
Logon failure: unknown user name or bad password" errors.

My question is, does anyone know if there is a way to configure IIS so
that an FTP connection is closed after a set number of failed logon attempts?
It seems crazy to allow the hacker to just keep plugging away. Unfortunately,
the source address keeps changing, so blocking the address at the firewall is
no good. Additionally, the source address for the legitimate company is also
dynamic, so the preferred solution of locking everyone out except for the one
company is also not feasible.
 
Dave Patrick

Try asking them here. x-posted to: public.inetserver.iis.ftp


--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| I have installed IIS on Windows 2000 Server and configured an FTP site,
| which is needed for a remote consulting company to upload data.
|
| Since opening up FTP on the firewall, I've had repeated login attempts by
| unauthorized user(s) who appear to be using some kind of utility to cycle
| through passwords. The event viewer is full of "The server was unable to
| logon the Windows NT account 'administrator' due to the following error:
| Logon failure: unknown user name or bad password" errors.
|
| My question is, does anyone know if there is a way to configure IIS so
| that an FTP connection is closed after a set number of failed logon attempts?
| It seems crazy to allow the hacker to just keep plugging away. Unfortunately,
| the source address keeps changing, so blocking the address at the firewall is
| no good. Additionally, the source address for the legitimate company is also
| dynamic, so the preferred solution of locking everyone out except for the one
| company is also not feasible.
 
Bernard Cheah [MVP]

This is beyond FTP control, and many share your problems.
Banning the IP at the FTP level is not a good solution, assuming you have a
smart script that parses the log file in real time to check for 530 errors from
the same IP address within a short period of time. Why? Even though this does
prevent authentication, IIS will still need to respond to the request and
reply "connection refused, IP unknown", etc. If the number of requests is huge,
IIS will suffer. Hence the best way to deal with this is to have a smart IDS,
router or firewall that detects such behavior and bans it at that level.

--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/
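
The log check described in the reply above (530 replies from one address within a short period), as an added example that is not part of the original thread. It also groups failures by targeted account, because the original poster reports that the source address keeps changing. The log layout, the sample lines and the function names are assumptions; match the field order to the `#Fields:` line of your own FTP log.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; assumed layout: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2005-03-01 12:00:01 192.0.2.10 [1]USER administrator 331
2005-03-01 12:00:02 192.0.2.10 [1]PASS - 530
2005-03-01 12:00:03 192.0.2.10 [1]USER administrator 331
2005-03-01 12:00:04 192.0.2.10 [1]PASS - 530
2005-03-01 12:00:05 192.0.2.10 [1]USER administrator 331
2005-03-01 12:00:06 192.0.2.10 [1]PASS - 530
2005-03-01 12:05:00 198.51.100.7 [2]USER administrator 331
2005-03-01 12:05:01 198.51.100.7 [2]PASS - 530
2005-03-01 12:09:00 203.0.113.5 [3]USER administrator 331
2005-03-01 12:09:01 203.0.113.5 [3]PASS - 530
2005-03-01 12:10:00 203.0.113.99 [4]USER consultant 331
2005-03-01 12:10:01 203.0.113.99 [4]PASS - 230
"""

def failed_logons(log_text):
    """Yield (timestamp, ip, user) for every PASS answered with 530."""
    pending = {}  # (ip, session id) -> user name from the preceding USER command
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != 6:
            continue  # skip header lines and anything not in the assumed layout
        date, time, ip, method, stem, status = parts
        session, _, verb = method.partition("]")  # "[1]PASS" -> "[1", "PASS"
        if verb.upper() == "USER":
            pending[(ip, session)] = stem.lower()
        elif verb.upper() == "PASS" and status == "530":
            when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
            yield when, ip, pending.get((ip, session), "?")

def analyse(log_text, per_ip=3, window=timedelta(seconds=60), distinct_ips=3):
    """Return (addresses with >= per_ip failures inside window,
    accounts that failed from >= distinct_ips different addresses)."""
    recent, ips_by_user, noisy = defaultdict(deque), defaultdict(set), set()
    for when, ip, user in failed_logons(log_text):
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= per_ip:
            noisy.add(ip)
        ips_by_user[user].add(ip)  # catches the changing-source case
    sprayed = {u for u, ips in ips_by_user.items() if len(ips) >= distinct_ips}
    return noisy, sprayed
```
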
 
Robin Walker [MVP]

This is why you have passwords, to prevent unauthorised access. Let the
passwords do their job. Make sure you choose only strong passwords, so that
they cannot be guessed or brute-forced within the lifetime of your server.

These are kiddies looking for FTP sites to use for illicit purposes.

You have answered your own question. The source address keeps changing, so
these are not the same FTP connection. So closing the FTP connection after
a failed password attempt would not help you that much.

Besides, closing an FTP connection achieves little: it takes only
milliseconds to set up a new one.
 
