Friday, September 29, 2006

I love hackers... NOT!

One of the things I run on my Linux box is an FTP server so that friends and family can drop off and pick up photos or movies. This spares the mail servers the multi-meg attachments, since part of my family still has only dial-up but has large digital photos and movies they want to share.

The only problem was that a number of hackers probed my system and found that it was reachable. That was not a problem in itself, since I don't use default IDs or passwords, but I had left an anonymous account available to make it easier for family to get on. The hackers used that account to try to put up warez, though they didn't have the access authority to do much else. It was a real pain, as every few days I had to clear their 1 meg test files out of the upload area and clear the password attempts out of my security log. A few sites did respond when I sent them a copy of my log, and hopefully they will cancel the offenders' accounts; the rest never replied.

I made a few changes on the FTP server.
  1. FXP is now off (the default is on). FXP stands for File eXchange Protocol, and it lets you copy files directly from one FTP server to another using an FXP client. Normally you transfer files with the FTP protocol between your own machine and an FTP server, so the maximum transfer speed depends on the speed of your Internet connection (e.g. 56k, cable or T1). When transferring files between two remote hosts with an FXP client, the maximum transfer speed does not depend on your connection, only on the connection between the two hosts, which is usually much faster than your own. Because it is a direct server-to-server connection, you will not be able to see the progress or the transfer speed of the files. I guess the hackers took advantage of this.
  2. There is now a prompt for user ID and password.
  3. I removed the ability to download from the upload area. People can put files up, but no one can download from that area until I vet the files and move them to the download area.
  4. I updated the router firewall to block the offending sites that didn't reply to my reports of the hack attempts.
I will be watching the security and file transfer logs daily for the next week to see whether that works. My lesson is that I should have checked all of the default settings and read up on what they did before letting the FTP server loose.
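What "FXP off" actually means on the wire, as an added example that is not from the original post: an FTP server permits FXP by honouring a PORT command whose address is some host other than the client that sent it. The hypothetical server-side check below (written for this page; the function names and the 192.0.2.x / 198.51.100.x addresses are constructed) refuses such third-party PORT commands, which is the setting the post turned off.

```python
import ipaddress


def parse_port_argument(arg):
    """Parse an FTP PORT argument 'h1,h2,h3,h4,p1,p2' (RFC 959) into (ip, port).

    Raises ValueError on anything that is not six decimal fields in 0..255.
    """
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated decimal fields")
    nums = [int(f) for f in fields]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("PORT fields must be in 0..255")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def check_port_command(arg, control_peer_ip, allow_foreign=False):
    """Decide whether to honour a PORT command received on the control connection
    from control_peer_ip. Returns (accepted, reply_line).

    With allow_foreign=False (FXP disabled) the data connection may only go back
    to the host that issued the command. Privileged ports are always refused so
    the server cannot be pointed at another host's well-known services.
    """
    try:
        ip, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, f"501 Syntax error: {exc}"
    if port < 1024:
        return False, "504 Data connection to a privileged port refused"
    if not allow_foreign and ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer_ip):
        return False, "500 PORT to a third-party host refused (FXP disabled)"
    return True, "200 PORT command successful"


if __name__ == "__main__":
    # Constructed control-connection peer and PORT arguments for demonstration.
    peer = "192.0.2.10"
    print(check_port_command("192,0,2,10,4,1", peer))          # own host, port 1025: accepted
    print(check_port_command("198,51,100,7,4,1", peer))        # other host: refused (FXP off)
    print(check_port_command("198,51,100,7,4,1", peer, True))  # same, with FXP allowed
    print(check_port_command("192,0,2,10,0,21", peer))         # port 21: refused
```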

Update 2006/10/06: Another site has replied that they are looking at the problem. I believe them, as I have not had a hack attack from their IP ranges for almost a week. It helped that I wrote a short but polite note and attached the log showing the full attack. Their reply was just as polite and very professional. The change I made to turn off FXP seems to have stopped the hackers from dropping files on my server, as I have not seen any activity there for the last week.
