[Click here for a Windows Server 2008 version of this article]
A client of mine utilizes the Microsoft FTP service in Windows Server 2003 IIS 6.0 on a public web server.
Unfortunately, the FTP service is notoriously insecure since it transmits passwords in plain text. It also does not offer any way to block brute force or dictionary attacks. Because of this, the client was seeing multiple failed logins from the Administrator account, several times per second. These show up as warnings in the System event log from the MSFTPSVC source with event ID 100. Since I always rename the Administrator account as a standard best practice, it was obvious these attempted logins were coming from an attacker.
Windows Server 2008 will offer Secure FTP (or FTP over SSL) as a separate download for IIS7, which will be the first major improvement to the protocol since it was developed. But being that my client is running Windows 2003, this isn't an option.
The solution I used involves the Windows EventTriggers utility. I created a batch file named C:\Scripts\ResetFTPService.bat, as follows:
net stop msftpsvcThe batch file stops the FTP service, pings the loopback adapter 10 times to create a 10 second pause, and starts the FTP service again. Stopping the FTP service causes the hacker's session to be dropped immediately. Since no one can connect for 10 seconds, this creates a form of "tarpitting", making it too expensive to continue the attack.
ping -n 10 127.0.0.1
net start msftpsvc
To make the script run automatically on the correct event, I use EventTriggers as follows:
eventtriggers /CREATE /TR "Reset FTP Service" /TK C:\Scripts\ResetFTPSVC.bat /L System /EID 100 /SO MSFTPSVC /RU ""This causes the ResetFTPService.bat batch file to run whenever an event ID 100 with source MSFTPSVC is logged in the System event log. The /RU switch causes the task to run under the Local System account, which has the rights necessary to run unattended.