Last Tuesday (4th of March) my FTP server was under attack for 6 and a half hours.
The attack started at 2AM and lasted until 8:40 in the morning. In that time, the attacker (which I concluded was either a bot or a very idiotic script kiddie) attempted almost 5000 logins using a username that doesn't exist on Linux (by default).
The attack came from a Chinese IP (or at least that is what Google said) and at its peak it reached nearly 15 login attempts/s. You can see in the image inserted below that it started with 2-3 logins/s, then escalated quickly.
So now you'll ask: what have you done? How did you get rid of the attacker?
I didn't. I was sleeping like an angel at that time. I didn't know what had happened until I opened Monitorix and saw the high number of bad logins. And if I hadn't been curious about something else, I'd probably have found out a lot later. The attack stopped the same way it started: automatically.
How do I know it was a bot? Well, if it were a real person who wanted to try everything to take over, then that person would have looked for more services and scanned the ports to find out what OS I run, what FTP version I have, etc. If it were a real person, he or she could have read a file on the FTP server in which I've written that I run vsFTPd 2.3.5 / Raspbian GNU/Linux 7 (wheezy). But no, the bot tried "Administrator" (which exists in Windows by default) in several different languages. It was clearly a bot.
How can you protect yourself?
- using strong passwords. I nearly f***ed up a server by using a password that I thought was strong. It happened three days after the sysadmin made me change my password. I changed it. Clearly it wasn't strong enough to resist a brute-force attack on Windows.
- fail2ban. This is the best IP blocker ever, IMO. It works with almost any service that writes its failed logins to a log file (vsftpd included). The way it works is the following: it watches a log file for lines matching a regex (the filter's failregex) and pulls the client IP out of every match. Let's say you configured f2b to match lines containing "login fail". If the same IP produces that match too many times (maxretry) within a given time window (findtime), fail2ban adds a firewall rule that blocks the IP for a number of minutes (bantime). The default settings on my install work this way: if someone fails to log in 6 times within 10 minutes, a blocking rule is added for that IP and stays for 10 minutes. Those numbers differ between fail2ban versions and between jails, so check what jail.conf says for your service and put your own overrides in jail.local.
- if you run SSH, don't use passwords. Use a key pair instead, then disable password login in /etc/ssh/sshd_config (PasswordAuthentication no, plus ChallengeResponseAuthentication no so PAM doesn't offer a password prompt either) and restart sshd. Test the key from a second session before you close the one you have, or you will lock yourself out. If you want to be a maniac about it, don't allow every IP to connect to SSH: limit it to a range, either with a firewall rule on port 22 or with a Match Address block in sshd_config.
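To make the fail2ban description above concrete, here is the same count-then-block logic replayed over a handful of vsftpd log lines. This is an added example, not fail2ban's code and not from the original post: the regex is my own approximation of a failregex for vsftpd's native vsftpd.log format, the log lines, the bot IP 203.0.113.7, the home IP 192.0.2.10 and the localized "Administrator" usernames are all constructed for the demo, and maxretry / findtime / bantime take the 6 / 10 min / 10 min values mentioned above.

```python
"""Sliding-window ban logic of the kind fail2ban applies, replayed over
constructed vsftpd.log lines.  Added example, not fail2ban's own code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# vsftpd writes failed logins to vsftpd.log in this shape (ctime-style
# date, day space-padded):
#   Tue Mar  4 02:00:01 2014 [pid 4242] [Administrator] FAIL LOGIN: Client "203.0.113.7"
# This regex is the example's own approximation of a fail2ban failregex.
FAIL_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"\s*$'
)


def parse_failure(line):
    """Return (timestamp, username, client_ip) for a FAIL LOGIN line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(' '.join(m.group('ts').split()), '%a %b %d %H:%M:%S %Y')
    return ts, m.group('user'), m.group('ip')


def simulate(lines, maxretry=6, findtime=600, bantime=600):
    """Replay log lines with fail2ban-style counters.

    An IP is banned once it reaches maxretry failures inside a findtime-second
    window; while the ban lasts (bantime seconds) the firewall drops its
    packets, so vsftpd would never even see those attempts.  Returns
    (bans, dropped): the list of (time, ip) ban events and the number of
    attempts that an active ban would have dropped.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    banned_until = {}             # ip -> when the current ban expires
    bans, dropped = [], 0
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:        # not a failed login: the filter ignores it
            continue
        ts, _user, ip = parsed
        if ip in banned_until and ts >= banned_until[ip]:
            del banned_until[ip]  # unban timer fired; counting starts afresh
        if ip in banned_until:
            dropped += 1
            continue
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # failures older than findtime no longer count
        if len(q) >= maxretry:
            bans.append((ts, ip))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans, dropped


def make_line(ts, user, ip, pid=4242):
    """Format a FAIL LOGIN line the way vsftpd.log does (constructed data)."""
    stamp = '%s %2d %s' % (ts.strftime('%a %b'), ts.day, ts.strftime('%H:%M:%S %Y'))
    return '%s [pid %d] [%s] FAIL LOGIN: Client "%s"' % (stamp, pid, user, ip)


# Constructed sample log; both IPs are from the documentation ranges.
BOT_IP, HOME_IP = '203.0.113.7', '192.0.2.10'
ADMIN_NAMES = ['Administrator', 'Administrateur', 'Administrador']
T0 = datetime(2014, 3, 4, 2, 0, 0)
SAMPLE_LOG = []
# The bot: one failure per second, cycling through localized admin names.
for i in range(15):
    SAMPLE_LOG.append(make_line(T0 + timedelta(seconds=i), ADMIN_NAMES[i % 3], BOT_IP))
# A legitimate user who mistypes a password twice, five minutes in.
SAMPLE_LOG.append(make_line(T0 + timedelta(minutes=5), 'pi', HOME_IP))
SAMPLE_LOG.append(make_line(T0 + timedelta(minutes=5, seconds=8), 'pi', HOME_IP))
# The bot returns after its 10-minute ban has expired and starts over.
for i in range(6):
    SAMPLE_LOG.append(make_line(T0 + timedelta(minutes=11, seconds=i), 'Administrator', BOT_IP))
# A line that is not a failed login, to show the filter skips it.
SAMPLE_LOG.append('Tue Mar  4 02:12:00 2014 [pid 4242] CONNECT: Client "192.0.2.10"')


if __name__ == '__main__':
    bans, dropped = simulate(SAMPLE_LOG)
    for when, ip in bans:
        print('%s  ban %s' % (when.strftime('%H:%M:%S'), ip))
    print('%d attempts never reached vsftpd while a ban was active' % dropped)
```

Replaying the sample log bans the bot at 02:00:05 (its sixth failure), drops the next nine attempts, leaves the home IP alone with its two typos, and bans the bot again at 02:11:05 once it comes back after the ban expired, which is exactly why fail2ban alone only slows a bot down rather than stopping it: every bantime it gets another maxretry guesses. Against a real log you would not write your own matcher; run fail2ban-regex /var/log/vsftpd.log vsftpd to see how many lines the shipped filter matches before you enable the jail.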
Until the next post, stay classy, Internet!