April 7th, 2006, 04:33 PM
How to trace a proxy..
I have someone that keeps trying to use a (I guess) password generator on my companies' FTP server.. He tries to log in via administrator and it seems to be trying a different password every 1-2 minute intervals... Of course it traces back to somewhere in China, so is there a way while he is trying to connect that I can trace it back to his true IP? He is actually trying as I type this.. I can of course keep blocking his IP or range and I truly need to limit the login attempts to 3-5 tries.. This is a newly set up FTP server and still working out the kinks... This might also be a different topic but I would also like to make this FTP server to appear to be invisible to the outside world, I currently have my router set to block ping requests but doesn't seem to do much good since you can go into nmap and do a -sS -v -P0 scan and find that FTP is open, how can I make it to where an nmap or any other scan will not reveal that port to be open... Mainly right now I want to track this certain IP so I can call the sys admin and let him know that this person is unlawfully trying to access my server... Thanks in advance..
April 7th, 2006, 04:51 PM
With the resources available to you, chances are you are never going to be able to track the IP. You can just block it all together - Probably not a bad idea since it belongs to a Proxy!
Dont know your set up but look in to deploying a firewall if you can, either software or hardware to filter traffic out.
Set it to drop the connection after 3 incorrect tries (or 5 depending on what you want)
//Are you sure it is a proxy? It may be that this guy is actually in China? If he is bothering to run a password cracker against your FTP server, chances are he may not be too bright!
April 7th, 2006, 05:22 PM
I think that Nokia is pretty much spot on.
Not really, that is how proxy servers work, you will just see them. I strongly suspect that this will be a bot and is using a machine that is owned rather than an intentional proxy server..................do you know anything that makes you think that it is a genuine proxy?
so is there a way while he is trying to connect that I can trace it back to his true IP?
Your only hope would be to contact the owner of the proxy as you would need to match to their logs for them to find out the connecting IP, which could in itself be a proxy.
I think that your two main problems are going to be the language barrier and the fact that most people are not keen to admit that they have been taken advantage of.
I am not sure if this is feasible but you might look at changing the administrator account name from the default, as that might cause the botware to give up and go somewhere else. I would still block the IP range etc. as Nokia suggested.
April 7th, 2006, 05:30 PM
I really appreciate your replies... The only reason I am thinking it's a genuine proxy is because I have since blocked 5 of his proxys ranging anywhere from the netherlands, U.S., to the latest being China... Once I kick him, then block him out he would come back in 10 minutes later under a different proxy... Now, I am using filezilla for an FTP server and I don't see an option to set it to not allow more than 3 login attempts... I only have the FTP accessible for 3 different user accounts because the FTP is used for 3 of my businesses under the same roof and on the same LAN.... This FTP is still in the preliminary stages so I am in still working out all the kinks... That all being said, what firewall would you all suggest, and maybe a different (more secure) FTP server, and lastly is it the firewall that you set to not allow a certain amount of login attempts?
April 7th, 2006, 05:51 PM
Administrative login to the FileZilla server can be limited to a specific port. I think the default is something like 14171 or something. You can set the firewall to block that port from outside your network. That may help.
You should be able to set the login attempts on the FTP server, or the local server for the specific accounts. The firewall will help you block ports and source IPs.
Depending on what you have available for a host system, check out ZoneAlarm, or Kerio. The have personal as well as heavier duty small network firewalls, and these can help you better shape the internal network traffic.
April 7th, 2006, 06:11 PM
They could still all be members of a "bot army" of owned machines.
I honestly don't know the details of this sort of stuff, but I do know that if he gets a "this account does not exist" type of message he will go away, as that tells him he now has to guess the user ID and the password.
That give me another idea. A few years ago (Win NT 4.0) I saw some software that restricted login to certain servers/applications from specific machines on the LAN.
I only have the FTP accessible for 3 different user accounts because the FTP is used for 3 of my businesses under the same roof and on the same LAN
Sorry I don't have any details and have lost my contacts where it was in use, but it might be worth checking out.
April 7th, 2006, 06:24 PM
I was using this ftp server called fastream. Its freeware for one version of it. If you're only allowing 3 users... it should be fine for you.
You call the usernames whatever you want. Give each user a separate home directory and set permission on what they can do. You can restrict/allow on an ip/basis. You can even restrict via country... so you can only allow connections from IPs in the US and Canada, etc.
Check it out. There are some limitations with the free version... such as number of user accounts. No quota or speed limitations though... The version I had was the "pro" version before they released two versions. The quota and speed limitations were quite nice.
I only used it so people could upload a couple of files to me. I wasn't really hosting much. It was just something that was very quick and easy to setup. I only used it for about 6 months or so.
is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
April 7th, 2006, 07:06 PM
Well if it is only needed on the local network.......dont accept remote connections. There is no reason for anyone to be able to log on to it via the internet if it is only needed locally.
Could you discribe your set-up?
April 7th, 2006, 07:37 PM
I will describe my setup, sorry I should have before.. What I have is the following:
I have a 14 computer LAN, 2 4-port routers and 3 switches that are linked together with many fiery/scanner/plotters/copiers running... I have 2 dsl connections (one on each router).. One router has dhcp server enabled and one the dhcp server is disabled... I have a dedicated box set up for just the FTP server... All I have running on the FTP server is windows 2000, an anti-virus program and Filezilla.. I pretty much have Filezilla set up as default.. I have dsl dynamic IP service so I have 3 noip.com accounts (1 each for 3 companies) to resolve the IP from dynamic to static to the FTP server.. Set up on the FTP box I have 3 accounts set up (one for each business) and each one has a folder for each business, and inside those folders the customers can read, write, append, delete files or folders for their use... The 3 different folders each have a user name and password which are probably easily guessable since they are the name of the company... I made it that way so it would be easier on my customers... Any of the other computers on the LAN can access the FTP folders on the FTP box by typing a username and password upon getting into them... (ie. administrator = user and password).. I have norton firewall on a few of the main computers that get email but have truly never had much of a need for firewalls on the others... The only problems I have ever ran into were the people trying to get into this FTP... So I guess I am wondering how I can make my router (the one the FTP is running off of) not appear to be running an FTP server to the outside world, it is a dlink 4-port.. and how to overall secure the whole network down...
April 7th, 2006, 08:09 PM
Going off your setup your FTP server should be unaccessable to the 'outside' world.
The should not be able to scan past your router and certainly should not be able to connect to it and run a password cracker against you!
Read my PM then get back to me buddy.
Until then - a quick solution would be to implement and ACL on your routers blocking traffic to port 20 & 21 try one that allows your internal ips only - which will by default block any IP not in that range.