There was a list of addresses from oft-infected countries floating around
one of the spam newsgroups. Places where someone is not likely to care if
the user can visit the web site or not, especially with FTP service. (HTTP
maybe not so much.)
In my experience though, many of the addresses come from IP blocks where you
do want the users to be able to visit.
My solution was to get rid of the "Administrator" account completely
(renamed to something goofy), making the "password guess" a much more
mathematically hard problem than a single variable one. (Just the password
is one variable, the user and pass is two variables.)
Based on what I see in my logs, they never get very creative with the
account name so the attack vector is essentially blocked. (You do need to be
careful about revealing what the username is on public web sites though.)
Also, they seem to learn your server isn't going to be easy to crack (maybe
the fact the admin account was renamed is obvious from the response?) and
they don't spend much time pounding on it anymore.
My FTP services are an "only from known" type where the users have to
register their IP address blocks before they are allowed in. (You can do
this in the FTP virtual server under "security" in IIS.) Most users don't
hop all over the place and after a while you have their ISP, their
workplace, and AOL in there. (Which still vastly reduces the number of
potential IPs that can cause problems.)
That said, I also use an active firewall notification system that messages
when a brute force attack is going on. Adding blocks is still manual
though.
"Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote in message
news:uw4w0%23tvHHA.3588@TK2MSFTNGP06.phx.gbl...
> Try -
> http://msmvps.com/blogs/bernard/archive/2007/01/11/how-to-prevent-iis-ftp-attacks.aspx
>
> --
> Regards,
> Bernard Cheah
> http://www.iis.net/
> http://www.iis-resources.com/
> http://msmvps.com/blogs/bernard/
>
> "lenm123" <lenm123@discussions.microsoft.com> wrote in message
> news:8AA754A1-1260-44E9-8670-C0021822AB42@microsoft.com...
>> My ftp server is being attacked with a brute force, basically they are
>> using the "administrator" account to try to hack into my ftp server.
>> Question:
>> How can I create or get a script, which allows me to query the system logs
>> and based on the amount of logon failures I can add the IP address of the
>> perpetrator(s) to the TCP/IP Address access list.
>> At least I would like to know where this list of IP addresses resides in
>> IIS, in order for me to create the script.
>>
>
>
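The log query asked about in the quoted question, combined with the registered-block list described in the reply, as an added example that is not part of the original thread: it counts rejected FTP passwords per client address and skips addresses inside registered blocks. The W3C extended field layout, the function name `failed_logons`, its parameters and the sample log are assumptions constructed for illustration; the result is a candidate list for manual review and nothing is written to IIS.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in W3C extended layout (assumed field set; the real column
# order is read from the log's own "#Fields:" line). Documentation addresses only.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
00:01:10 203.0.113.7 [1]USER administrator 331 0
00:01:10 203.0.113.7 [1]PASS - 530 1326
00:01:11 203.0.113.7 [2]USER administrator 331 0
00:01:11 203.0.113.7 [2]PASS - 530 1326
00:01:12 203.0.113.7 [3]USER Administrator 331 0
00:01:12 203.0.113.7 [3]PASS - 530 1326
00:02:00 198.51.100.20 [4]USER alice 331 0
00:02:01 198.51.100.20 [4]PASS - 530 1326
00:02:05 198.51.100.20 [5]USER alice 331 0
00:02:06 198.51.100.20 [5]PASS - 230 0
"""

def failed_logons(lines, known_networks=(), threshold=3):
    """Return {ip: (failure count, usernames tried)} for IPs at or over threshold."""
    known = [ipaddress.ip_network(n) for n in known_networks]
    fields, last_user = [], {}
    failures, names = Counter(), defaultdict(set)
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]            # column order comes from the log
            continue
        parts = line.split()
        if line.startswith("#") or not fields or len(parts) != len(fields):
            continue                              # directive, blank or malformed line
        rec = dict(zip(fields, parts))
        ip = rec["c-ip"]
        session, _, verb = rec["cs-method"].rpartition("]")  # "[3]PASS" -> "[3", "PASS"
        if verb.upper() == "USER":
            last_user[(ip, session)] = rec["cs-uri-stem"].lower()
        elif verb.upper() == "PASS" and rec["sc-status"] == "530":  # 530 = not logged in
            if any(ipaddress.ip_address(ip) in net for net in known):
                continue                          # registered block: leave to a human
            failures[ip] += 1
            names[ip].add(last_user.get((ip, session), "?"))
    return {ip: (n, sorted(names[ip])) for ip, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    for ip, (count, users) in failed_logons(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}\t{count} failed logons\tusers tried: {', '.join(users)}")
```

Run against the constructed sample, only the address that repeatedly tried the "administrator" name reaches the threshold; the single mistyped password from the other address does not.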