Tuesday, August 15, 2006

Linux, FTP & hackers

I normally have an FTP server running on my Linux box so that family members can upload or download files instead of clogging our email. It has a very basic setup, an anonymous ID that will allow basic upload or download and that is all that ID can do. I have a 'power' ID that can move files, delete files, create or delete directories. The first thing I did was make sure that there were no default IDs or passwords for the server. The server is PROFTPD and I use GPROFTPD as the front end.

Now and then I get a person who thinks they can crack the system and they fail, every time. Last night was different in that I had two separate simultaneous attacks. The short attack lasted for almost 290 password combinations over two different IDs. The main one was much more determined in that he/she used over 1,100 passwords over two different IDs. The beauty of it was that every attack was logged and earlier this evening two emails went out to the attackers' ISPs. The ISP of the main attack politely asked me for a copy of the log and I was more than happy to send them a copy of the security log.

I am very certain that the hackers didn't get anything as I don't have any default IDs on this system. I also enforce password changes every 90 days and yes that is overkill for a personal system, but, it is a good habit to get into. The last thing is that ROOT never accesses the FTP server and the 'power' ID does not have root privileges, just enough to maintain the FTP directories.

If you do decide to run an FTP server (Windows or Linux) here are a few things to keep in mind:
  1. Have and use a firewall.
  2. Have and use a virus scanner (Windows only, not really necessary for Linux).
  3. Kill all default IDs and passwords.
  4. Enforce regular password changes. Minimum for me is 6 characters with 1 character that is not A-Z.
  5. Turn on the FTP security and log everything.
  6. The ID that services the FTP area does not have root capabilities.
  7. Grant only the bare minimum of authority to any ID.
  8. Back up your data on a regular basis.
  9. Apply all patches ASAP.
  10. Review your FTP and firewall logs regularly.
  11. Log and trace all intrusion attempts. You can trace back the attacker to their ISP by using WHOIS and then send a short note to the admin or abuse email ID.
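Points 10 and 11 are where the two attacks above were caught: failed logins piling up from one source. Here is an added example (my own code, not from the post or from ProFTPD) that tallies failed logins per source address and ID from syslog-style ProFTPD lines and flags sources over a threshold; the sample lines are constructed and the exact message wording is an assumption, so adjust the regexes to your server's actual log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of ProFTPD syslog output (assumed
# format). 203.0.113.7 hammers three IDs; 198.51.100.9 tries a missing user;
# 192.0.2.50 is a legitimate anonymous login and must not be counted.
SAMPLE_LOG = """\
Aug 14 23:58:01 box proftpd[4101] box (203.0.113.7[203.0.113.7]): USER power (Login failed): Incorrect password.
Aug 14 23:58:02 box proftpd[4101] box (203.0.113.7[203.0.113.7]): USER power (Login failed): Incorrect password.
Aug 14 23:58:03 box proftpd[4102] box (203.0.113.7[203.0.113.7]): USER admin (Login failed): Incorrect password.
Aug 14 23:58:05 box proftpd[4103] box (198.51.100.9[198.51.100.9]): USER anonymous: no such user found from 198.51.100.9 [198.51.100.9] to 192.0.2.1:21
Aug 14 23:58:09 box proftpd[4104] box (192.0.2.50[192.0.2.50]): ANON ftp: Login successful.
Aug 14 23:58:10 box proftpd[4105] box (203.0.113.7[203.0.113.7]): USER root (Login failed): Incorrect password.
"""

# Client address as ProFTPD writes it: "(host[ip])"; we take the dotted quad.
CLIENT = re.compile(r'\((?P<ip>\d+\.\d+\.\d+\.\d+)\[[^\]]*\]\)')
# Two failure shapes: wrong password for a real ID, or an ID that does not exist.
FAILED = re.compile(r'USER (?P<user>\S+?)(?: \(Login failed\):|:) '
                    r'(?:Incorrect password|no such user found)')


def failed_logins(log_text):
    """Return Counter keyed by (source_ip, user_id) of failed login attempts."""
    counts = Counter()
    for line in log_text.splitlines():
        client = CLIENT.search(line)
        failed = FAILED.search(line)
        if client and failed:
            counts[(client['ip'], failed['user'])] += 1
    return counts


def brute_force_sources(counts, threshold=5):
    """Collapse per-(ip, user) counts to per-ip totals and return the sources
    at or above threshold as (ip, total_failures, sorted_ids_tried), worst first.
    The ip column is what goes into the WHOIS lookup and the abuse report."""
    per_ip = defaultdict(lambda: [0, set()])
    for (ip, user), n in counts.items():
        per_ip[ip][0] += n
        per_ip[ip][1].add(user)
    hits = [(ip, total, sorted(users)) for ip, (total, users) in per_ip.items()
            if total >= threshold]
    return sorted(hits, key=lambda hit: -hit[1])


if __name__ == '__main__':
    for ip, total, users in brute_force_sources(failed_logins(SAMPLE_LOG), threshold=3):
        print(f'{ip}: {total} failed logins against {", ".join(users)}')
```

In practice you would feed it the real security log (`/var/log/proftpd` or wherever syslog puts it) and raise the threshold well above what a family member mistyping a password produces.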
