Hi everyone,
So I get up this morning and find a nice message from BFD stating that a certain IP had been banned outright because of repeated attempts.
This is nothing new, we have on occasion had a bot or two get stonewalled for attempting bad usernames/passwords a few times too many.
What's worrisome in this case is that the attacker actually held 3 valid usernames that they cycled to get in a few more attempts than usual.
Checking the httpd access log, it appears that a dictionary was involved, where there are a great number of GET requests to tilde-type userspaces. The usernames that were used in the FTP attack were indeed in the dictionary used during the GET requests (discovery process?). What's confusing, however, is that tilde-type access is turned off on our machines -- so how would the attacker have been able to confirm that the usernames were valid?
I notice also that in httpd's access_log, some names are repeated:
1.2.3.4 - - [06/Apr/2008:21:05:46 -0400] "GET /~username/ HTTP/1.1" 404 215 "-" "-"
1.2.3.4 - - [06/Apr/2008:21:05:46 -0400] "GET /~username/ HTTP/1.1" 404 215 "-" "-"
Any tips from experience most always appreciated.
Best always.
Alex
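The two checks a responder would want to run on that access_log, as an added example that is not part of the post above: pull every /~user probe out of the log per client IP, see whether the server's replies actually differed between names (with UserDir off every probe should get the same 404 status and body size, which gives the prober no existence oracle), and intersect the probed names with the usernames the FTP brute force tried. The log lines and the FTP username list below are constructed for the example; only the two quoted lines come from the post.

```python
import re
from collections import defaultdict

# Apache "common" log format, as in the access_log lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A request for a per-user web space: /~name or /~name/...
TILDE_RE = re.compile(r'^/~(?P<user>[^/?#]+)')

# Constructed sample log (not real traffic): 1.2.3.4 walks a username
# dictionary against /~user/; 5.6.7.8 is ordinary traffic.
SAMPLE_LOG = """\
1.2.3.4 - - [06/Apr/2008:21:05:46 -0400] "GET /~username/ HTTP/1.1" 404 215 "-" "-"
1.2.3.4 - - [06/Apr/2008:21:05:46 -0400] "GET /~username/ HTTP/1.1" 404 215 "-" "-"
1.2.3.4 - - [06/Apr/2008:21:05:47 -0400] "GET /~alex/ HTTP/1.1" 404 215 "-" "-"
1.2.3.4 - - [06/Apr/2008:21:05:47 -0400] "GET /~webmaster/ HTTP/1.1" 404 215 "-" "-"
1.2.3.4 - - [06/Apr/2008:21:05:48 -0400] "GET /~test/ HTTP/1.1" 404 215 "-" "-"
5.6.7.8 - - [06/Apr/2008:21:06:01 -0400] "GET /index.html HTTP/1.1" 200 4032 "-" "Mozilla/5.0"
"""

# Constructed counter-example: a host where an existing account answers
# differently (403, different body) from a missing one, i.e. an oracle.
LEAKY_LOG = """\
1.2.3.4 - - [06/Apr/2008:21:05:47 -0400] "GET /~alex/ HTTP/1.1" 403 208 "-" "-"
1.2.3.4 - - [06/Apr/2008:21:05:47 -0400] "GET /~nosuch/ HTTP/1.1" 404 215 "-" "-"
"""

# Hypothetical list of the usernames BFD reported in the FTP brute force.
FTP_USERS = ["alex", "webmaster", "admin"]


def parse_line(line):
    """Parse one common-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def tilde_probes(log_text):
    """Map client IP -> list of (user, status, size) for every /~user request."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        t = TILDE_RE.match(rec["path"])
        if t:
            probes[rec["ip"]].append((t.group("user"), rec["status"], rec["size"]))
    return dict(probes)


def probed_users(probes, ip):
    """Distinct usernames one client probed via /~user paths."""
    return sorted({u for u, _, _ in probes.get(ip, [])})


def response_variants(probes, ip):
    """Distinct (status, size) pairs the server returned to that client's probes.

    One pair means every name got the identical reply, so the probes could not
    tell a real account from a made-up one. Two or more pairs means replies
    differ per name and the server is leaking which accounts exist.
    """
    return sorted({(s, z) for _, s, z in probes.get(ip, [])})


def overlap_with_ftp(probes, ip, ftp_users):
    """Probed names that later showed up in the FTP brute force."""
    return sorted(set(probed_users(probes, ip)) & set(ftp_users))


if __name__ == "__main__":
    probes = tilde_probes(SAMPLE_LOG)
    for ip in probes:
        print(ip, "probed", probed_users(probes, ip))
        print(ip, "server replies", response_variants(probes, ip))
        print(ip, "also tried over FTP", overlap_with_ftp(probes, ip, FTP_USERS))
    print("leaky host replies", response_variants(tilde_probes(LEAKY_LOG), "1.2.3.4"))
```

On the constructed log above the prober gets one reply variant, 404 with a 215-byte body, for every name, so the HTTP scan alone could not have confirmed anything; the overlap with the FTP list then just reflects the same dictionary being replayed against both services. If a real log shows two or more variants for one client, that difference is the oracle to close.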