On Tue, 15 Jul 2008 08:02:34 +1200, Criggie wrote:
Tom the Lurker wrote:
Nathan Ward wrote:
On 14/07/2008, at 9:44 PM, Steve Holdoway wrote:
My pet hate is all these designers who just must have ftp access. Don't they realise that the ftp password is transferred in clear text over the internet? sftp is no big deal to set up either end.
Secure FTP doesn't save people who have poorly chosen passwords, which I imagine is what happened in this case, and is in my opinion a much more likely problem to be exploited than unencrypted FTP.
I agree, slack passwords are a cracker's delight :)
And if you're not watching/analyzing your logs, it's very easy to miss someone trying passwords.
I had a case where a customer's site had a backup DSL link, which wasn't really used. We got a cacti threshold alert that said "DSL link using four times as much as last week!!!" (400 bytes/sec). Turned out that someone was trying all manner of usernames/passwords against an AS/400 running an FTP server. And it had been going on for hours. The usernames/passwords were anything from simple admin/root/ftpuser/jim/bob/mary through to obfuscated things like r00t/5up3ru53r/passw0rd/3TC...
Who's going to notice an extra 400 bytes/sec on a busy link, other than by monitoring logs for denied requests?
-- Criggie
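The two detection ideas in Criggie's post (counting denied FTP logins per source, and alerting on a relative jump in traffic on a normally idle link) as an added example; this is not code from the thread, and the vsftpd-style log lines and addresses are constructed:

```python
import re
from collections import defaultdict

# Constructed sample log in vsftpd's format (hypothetical, not from the thread).
SAMPLE_LOG = """\
Mon Jul 14 21:44:01 2008 [pid 4120] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Jul 14 21:44:03 2008 [pid 4121] [root] FAIL LOGIN: Client "203.0.113.7"
Mon Jul 14 21:44:05 2008 [pid 4122] [ftpuser] FAIL LOGIN: Client "203.0.113.7"
Mon Jul 14 21:44:07 2008 [pid 4123] [r00t] FAIL LOGIN: Client "203.0.113.7"
Mon Jul 14 21:44:09 2008 [pid 4124] [5up3ru53r] FAIL LOGIN: Client "203.0.113.7"
Mon Jul 14 21:45:10 2008 [pid 4130] [jim] FAIL LOGIN: Client "198.51.100.2"
Mon Jul 14 21:45:40 2008 [pid 4131] [jim] OK LOGIN: Client "198.51.100.2"
"""

FAIL_RE = re.compile(r'\[(?P<user>[^\]]+)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"')


def failed_logins(log_text):
    """Return {source_ip: set(usernames)} built from every FAIL LOGIN line."""
    attempts = defaultdict(set)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            attempts[m.group("ip")].add(m.group("user"))
    return attempts


def suspicious_sources(log_text, max_users=3):
    """Flag sources that tried more than max_users distinct usernames.

    One person mistyping their own password looks nothing like a list being
    walked through admin/root/ftpuser/r00t/... from a single address."""
    return {ip: sorted(users) for ip, users in failed_logins(log_text).items()
            if len(users) > max_users}


def bandwidth_alert(this_week_bps, last_week_bps, factor=4.0):
    """The cacti-style threshold from the post: fire when a normally idle
    link carries `factor` times last week's rate, however small in absolute
    terms (400 bytes/sec is invisible on a busy link, obvious on an idle one)."""
    return last_week_bps > 0 and this_week_bps >= factor * last_week_bps


if __name__ == "__main__":
    for ip, users in suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} usernames tried: {', '.join(users)}")
    print("backup DSL alert:", bandwidth_alert(400, 100))
```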
I don't, but I run logcheck to *tell* me (and fcheck to tell me of any file changes, and...)! tbh my production servers have a backdoor single account ssh access to the internet, which is protected by denyhosts, and all other access is from a staging server via vpn, still using secure (but separate) protocols. I don't care too much about the shortcomings of denyhosts, as a) it's protecting the emergency backup service, and b) I've got enough static ip addresses whitelisted to get in from - imo it's perfect for this job. OK, you *could* break in through a distributed attack on the ssh port, but the real risk to my servers is now human, from those with the relevant knowledge of the network configuration. But to me the chances of someone looking for a starting point 9000 miles from the server, breaking in, then going through a few other hoops before hacking across the vpn to the production server is remote enough to put a long way down my list. And, of course, I'm lucky enough not to have to support 1903 vintage IBM boat anchors (: Steve