Brute force. Discussion on the technology of FTP server and its prevention measures share _FTP server

People usually think that brute force attack is only an attack against an FTP server, can it be representative?

With the development of the Internet as a result of a large number of fool hacker tools, the threshold of any kind of hacker attack has been reduced a lot, but the brute force method of tool making has been very easy, we usually think that the brute force attack is only targeted at an FTP server attack, can be representative? Can it be extended to other networks? or servers? The answer is certainly yes. Brute force to crack this software, use not what technical content principle is one after another try, until the correct password is tested, that is cracked successfully. But this kind of crack way success probability is not high, time-consuming, the technical component is low, is not compelled to use. In the actual situation of the network, although many FTP servers are through layers of security protection, even after the protection of the FTP server, the attacker can simply adjust the attack mode, the use of violence to break a rapid breakthrough. This paper discusses the impact of various attacks on the server, only for network managers in peacetime work, the development of security precautions for reference use.

　　First, the network itself load capacity and high-speed network

All network attacks are based on the network, which determines that the network is the root of all network attacks, security protection technology. If an attacker is in an environment of extreme lack of network resources, it is not enough to launch a high-level cyber attack. At the same time, if defenders are in a network that is not excellent, the normal service itself is difficult to provide for normal users, let alone network security protection.

1. Network bandwidth constraints

From the beginning of the internet has just appeared, to the popularity of today's network, the network of older netizens have experienced the use of modem dial-up access to the difficult, but also experienced 1mb/s, 2mb/s and even 10mb/s high-speed network, and network security, also experienced such a from slow to fast, From low to high speed, in the process, many of the original seemingly impossible attack technology, also can be very smoothly launched. Many attackers will find a strange phenomenon when they do this: just a distributed brute force attack on the target, and 10 minutes later the target server is paralyzed because of bandwidth congestion ...

This is a very ironic thing for an attacker, because the attacker's goal was to get some confidential, internal FTP data through brute force, but inadvertently caused the overall paralysis of the target, which was obviously the result of an attacker's unwillingness to see it. This is one of the problems that attackers and network security engineers have caused by network bandwidth.

On the other hand, violent cracking because of its own characteristics, all the verification process by submitting information to the server, access to the server to return information and judgment. In this process, whether the server's network bandwidth quality, or the attacker's use of the zombie computer itself, the speed of the network bandwidth, to a large extent, determines the length of the violence to break the entire completion time. In terms of the current network bandwidth, to smooth, high-speed launch of the FTP brute force attack, or a certain degree of difficulty. In general, attackers using hundreds of zombie computers to attack is already the limit of brute force, because even if the additional zombie computers, network bandwidth restrictions do not allow more data to send and receive. So the second factor that limits the overall efficiency of brute force attacks is the quality of the network bandwidth of the zombie computer itself.

From the current stage in the domestic and international dynamic network speed upgrade, it is not difficult to foresee the near future, the overall network speed will be greatly improved. Like South Korea, which is internationally recognized as the fastest-growing country in the world today, the average internet speed is 10mb/s,20mb/s or even more.

Although the speed of the network is developing rapidly, it is impossible for an attacker to encounter a zombie computer with a high-speed network or a target server. So there are readers asking: how does the current attackers solve the problem of network bandwidth? In the future, if the overall speed of the network has been greatly improved, the attacker's violent cracking attack and how to develop it?

2. Internal high-speed network and distributed cracking to solve the bandwidth problem

Solve the first question: How does an attacker at this stage solve the problem of network bandwidth? For example, an attacker attempts to gain access to the FTP account of a member-made web site because there is a lot of in-house paid information. But this membership Web server network bandwidth quality is not high, if the use of distributed brute force attack, perhaps more than 10 zombie computer is enough to make the server paralyzed, the attackers obviously do not want to see this happen.

In the actual network attack case, many attackers have encountered such a problem, their solution is also very clever, but also very practical: the use of high-speed internal network communication to solve the network bandwidth problem of brute force. Have a certain network experience of netizens know, China is now the server, is generally hosted in IDC or computer room, and under normal circumstances IDC or room will be a lot of network bandwidth restrictions, in the room of the portal routing or cabinet firewall on the limits of bandwidth, Let the network bandwidth from the outside becomes very narrow-after all, the computer room in many cases is through the bandwidth to carry out escrow charges.

Now the server configuration is generally gigabit NIC, but the external network bandwidth can not do gigabit full. General Small and medium-sized site can buy 5~10mb/s independent bandwidth is very good, that is to say such a server in the provision of external access, even if the network is blocked, users do not open the site, FTP can not provide normal services. In fact, the server itself in terms of hardware performance, there are also a great deal of redundancy can be used to provide network services, but the access network bandwidth is not enough. On the current domestic overall network security awareness, for senior attackers, in a storage room of hundreds of servers to find a "chicken", is not difficult technical problems. What's the use of finding an internal server like this? An attacker can of course choose to initiate a brute force attack. For a gigabit NIC, if it is in the internal network access, data transfer and network loss can be overlooked. This is like the two home computers connected by a 1mb/s ADSL cat, although downloading files from the network is probably only 150mb/s speed, but if the two computers transfer files between, 8mb/s intranet speed is very easy to achieve. Therefore, at this stage of the attackers if you want to launch a very high efficiency of the FTP brute force, in the network bandwidth of the target server is bound,-the server in the cabinet, and use the characteristics of high-speed internal network to launch an extremely fast FTP brute force.

Another question: If the overall speed of the network has been greatly improved in the future, how will the attack of the attacker's brute force be developed? In fact, this problem has been solved in large scale compared to the first one, and many attackers have now launched the attack, that is: distributed brute force cracking. All of the attackers are unable to launch a wide range of distributed brute force attacks because of network bandwidth problems, due more to the network bandwidth constraints of the target server than to the botnet's own network bandwidth. Because the network bandwidth of the botnet is not enough, even if it is very slow, the attacker can use the quantity instead of quality, using many of the bad network of zombie computers to launch large-scale brute force, after all, because of low awareness of network security, zombie computer is very easy to capture. When the bandwidth of the target server is greatly enhanced in the near future, attackers can use thousands of zombie computers to launch large-scale distributed brute-force attack attacks, as long as the target computer's network bandwidth is sufficient to withstand such attacks, The attacker would then be able to perform a brute-force attack on a seemingly large set of ciphers in a very short time.

　Second, CPU operation, processing capacity of the solution

Compared with the hardware performance of a few years ago, the computing power of computer and server has been developed rapidly. As computer experts generally agree, it can be foreseen that the improvement of hardware processing capability will continue and steady progress over a long period of time.

1. The bondage of computational processing power

In the case of brute force, the ability of operation processing includes two aspects: one is the processing ability of the target server, the other is the processing ability of the computer initiating the attack. The processing power of the target server determines how many levels of attack the attacker can use.

For example, for a common small FTP server, the typical configuration is about 4GB CPU speed, 2~4GB memory capacity. For such a small FTP server, without considering the theoretical state of network bandwidth, attackers use the 10000~20000 of violence per second to break the attack efficiency is basically reached the limit, even if the attackers to launch more efficient brute force can not achieve faster results. In reality, it is simpler for attackers to launch such an efficient attack, even without using a large scale zombie computer group.

With the development of computer hardware, if the server in the process contains a number of instructions FTP brute force to crack information, can do hundreds of thousands of, millions of times per second of the request and response operation, the attacker can completely open their hands and feet to brute force attack.

Now in the network, some attackers use a large zombie computer group, the launch of 100,000 times per second of the FTP brute force to crack the request, because the process of the FTP brute force to break through the connection to the server → access to the connection information → send the account → Obtain the demand password information → send the possible password → get feedback → to initiate the Such a process is cyclical, so seemingly fast server processing capabilities do not meet the ever-accumulating attacker's computer connection request. This leads to a lot of attack computer sent password authentication information is discarded, attacking the computer can not get the normal server return information, resulting in violent cracking failure. The processing power of the attacking computer determines whether the attacker needs to use a distributed brute force to crack the attack. Unlike the targeted server, the ability of the attacker to control the zombie computer does not directly determine the success or failure of brute force, but it has a very important impact on the overall time and success rate of brute force cracking.

In the theoretical limit, regardless of network bandwidth, only consider the hardware processing power, if the FTP server processing a complete FTP connection request one out of 10,000 seconds, while the number of requests can be processed at the same time is 10,000. So the perfect brute force model is to use 10,000 zombie computers to complete a brute force attack within one out of 10,000 seconds. In other words, the smallest target server to deal with the ability to use the target server's maximum processing power to brute force. Such violence to crack attack success rate theory is 100%, and in the guarantee of success rate, based on the shortest time. So how do current attackers address server and zombie computing capabilities?

2. Distributed brute force cracking improves success rate

Distributed brute force cracking in many cases is to improve the success rate of protection. To the attackers, the target server's processing ability is not controllable, the attacker cannot improve the target server's processing ability, therefore must adapt the target server's processing ability, therefore uses the distributed brute force to crack the technology.

The advantage of using distributed poverty is that when the attacker does not know the load capacity of the target server, you can flexibly adjust the number of zombie computers to gradually explore the load capacity of the target server, in order to achieve in the target server is not lost packets, no false positives, under the premise of guaranteeing the highest success rate, Try to improve the time of violent cracking. For example, if the target server's load capacity is to handle 1000 FTP connections per second, account password authentication, and message delivery, the attacker could brute force a zombie computer that could complete 10 of these processes per second if the attacker used 10000 zombie computers, The target server's computational power is obviously not up to date, there may be false positives or wrong situation, the best scenario is to use 100 zombie computers, to meet the target server's operational capacity maximization, and also to ensure that 100% success on the basis of the maximum reduction of brute force cracking time.

In general, distributed brute force cracking is a test of an attacker's attack experience. If the number of zombie computers distributed is too large, the result may be a quick break, but the correct password cannot be obtained because of the existence of false positives and discards: if the number of zombie computers distributed is too small, it is possible to get the password you want, although it can be safely done with a complete brute force attack, but the time can be extremely long.

3. Write efficient brute force cracking procedures based on the performance of zombie computers

Another way to ensure the success rate of the premise, while significantly reducing the time for violent cracking is to adjust the speed of the violent cracking program. A brute-force hacking program that fits the capabilities of a zombie computer is very important during the attack.

If the brute-force hacking program runs on a zombie computer, it is beyond the capabilities of the zombie computer, and the result may be that the correct password will not get the correct result, because the zombie computer has been unable to complete a variety of information to send and receive and processing.

If the brute-force hacking program is easy to run on a zombie computer, system can have a lot of Jong Yu, in which case the entire brute force will be a long time to crack. Therefore, to launch a guarantee success rate in the premise, but also to shorten the time to break the attack of violence, need to attack the attacker according to their own zombie computer situation, the choice of different violent cracking program consumption, in order to maximize the success rate and time balance.

　　Iii. Breakthrough in Security strategy

If the network bandwidth and processing capacity are technically not technical factors, can not be controlled to optimize, then the security strategy is the most direct and most effective defense measures. In the case of brute force, the security strategy has a great influence on the success rate, the time and even the attack of the violent cracking. But the reason that brute force is a kind of universal attack is that it can go through the simple change of the attacker, and achieve the goal of breaking the security policy. It should be noted that the security policy in this section is a separate and brute-force security policy, and does not involve security policies that are unrelated to brute force cracking, such as password duration, password length, and communication encryption.

1. Connection frequency limit and its breakthrough

With the increasing awareness of network security, the administrator who attaches importance to security generally restricts the connection frequency of the FTP server. The so-called connection frequency means that the administrator defines the number of connections for the same user within a specific time period, within which the connection can be arbitrary, and if the limit is exceeded, the connection is rejected.

The network security engineer or the administrator through to the connection frequency limit, on the one hand can allocate the FTP server processing computation ability reasonably, avoids a certain user because uses the super fast connection to occupy the server resource heavily, On the other hand, it can effectively limit the common password based brute force attack.

You are aware that there are also other times and connection frequency restrictions in the actual network, not necessarily a 5-second connection, or 10 seconds to allow the next connection. If it is the default efficient FTP brute force, usually is a second to initiate hundreds of connection attempts, greatly beyond the scope of the server allowed, so the brute force is obviously not successful, will be the server has refused to connect. In this case, an experienced attacker who discovers that the target server has such a connection frequency limit will appropriately modify the connection frequency of the brute force cracking program, allowing the attack program to brute force in the context of satisfying the security policy.

For example, an attacker could fully define an attacker to attempt an FTP brute force attack every 5.1 seconds to avoid security policy restrictions. Such a frequency-limiting strategy seems to greatly impede the performance of brute force cracking, but if only this security strategy can prevent an attacker from initiating efficient brute force, the attacker could actually improve the efficiency of the entire brute force by altering other attack strategies.

2. Trial error limit and its breakthrough

The number of error limits is more common than connection frequencies, and the security policy is used by administrators or engineers of many FTP servers on the network. The limit of the number of attempts to error is the number of errors that an FTP user has taken, and the user's connection is denied for a short period of time after the user's password attempts exceed the specified number of times. For example, a network security engineer can set a security policy that starts with a user attempting to log on and 5 consecutive password errors, returns an error message, and rejects the user's next password verification in the FTP system until the limit time is over.

The benefits of doing so can largely limit the initiation of common brute force cracking attacks, as many brute force-cracking attacks seek a correct password in countless errors. If this strategy is met, brute force cracking has little success. But the limit of the number of errors is actually a breakthrough, and the way to break it is not difficult.

For experienced attackers, once the target system has been found to have the error limit, it will be manually validated by the way to thoroughly find out how many password errors are allowed, the subsequent rejection of the connection time is how much? Once you figure out these two points, attackers can easily adjust the brute force strategy to break the limit. For example, if an administrator limits 5 consecutive errors and 30 seconds after the connection is not allowed, the attacker could define a brute-force crack program to be 5 times a loop, pausing 30 seconds for each 5 attack, and then continuing with the attempt. Another way is to try a new account every 5 times, and when the server starts rejecting the current account connection, use the new account for brute force hacking attempts until all the user names try to start over again. Another approach that most attackers use is to use distributed attacks to address the limits of the number of errors, with each zombie using a standalone second, followed by subsequent attempts.

3. IP Lock and its breakthrough

Compared with the above two security policies, IP lock is more difficult to solve some, but as long as the target FTP to consider the use of normal users, the brute force can certainly be launched. IP lockout policies are generally used in conjunction with connection frequency and error number policies, which means that when an account is connected, if the connection frequency is too high or the number of errors exceeds the limit, the IP lockout strategy is applied.

In the real network, the IP locking strategy has two typical applications, one is when an account is abnormal, the FTP server records the IP address of the account, and then add their own blacklist, from now on to reject this IP connection, unless the user contact admin to remove blacklist restrictions; Another way is that the IP limit is temporary and will be automatically lifted over time. In the case of automatic lifting restrictions, attackers can make the same approach, adjust the cycle time of brute force cracking, and continue to initiate violent cracking attacks after limiting time. For permanent blocking of IP, there are four ways to break through:

(1). Use agent to break through IP blockade

Simply using a proxy for FTP brute force can not break through the IP lock, only the brute force crack program to automatically read the proxy list, and then the target system allows the case to initiate several violent cracking, and then replace the agent to continue to launch attacks. Although this method is simple to achieve, but the actual effect is not good, because even if the network attacker can not guarantee the construction of a sufficient number of agents, and the connection speed is stable, do not produce unexpected data received errors of the agent group, how to get more agents? We can go to the web search, can also use their own agent hunter to find agents, his biggest feature is the search speed, the fastest in more than 10 minutes to search a B-class address. If the simple agent can not meet the needs of the words we may also change the Muti proxy to achieve the IP dynamic free switching function, through the use of sockscap+sksockserver to achieve a perfect combination of the requirements of the combination agent. shown in Figure 1 and 2 below.

　　

Figure 1

　　

Figure 2

2. Use ADSL class dynamic IP mechanism to break through IP blockade

Many people know that ADSL each redial after the allocation of a new IP, and the network has been a lot of automatic dialing procedures, if the attackers are willing to write a similar program and the violence to match the program, can do without discrimination of violence. Of course, you can also meet your requirements by using your own automatic dialing programs on your network.

This approach is generally good, but there is a certain requirement for the attacker's zombie computer.

3. Using programs like Steganosintemet anonym Pro and Hide IP easy to break through IP blocking

　　

Figure 3

Steganos Internet anonym Pro is a foreign top hacker to study the automatic change of IP, the program is a powerful network identity hidden tool software, users can easily hide their own IP through the software, the replacement of their own IP. In general, Steganos Internet anonym Pro IP change is 1 seconds, while the IP address location in the UK for a while in Canada, the conversion frequency is very fast. In principle, Steganos Intemet anonym Pro is a proxy for the constant change of IP address, so before IP address transformation, it is necessary to test whether the program's internal proxy server is working properly, and according to test results to filter the most stable performance of the proxy server, As shown in Figure 4. Using the Steganos Intemet anonym Pro to initiate a brute force attack, an attacker who appropriately adjusts the brute-force cracking program and the cycle interval to accommodate the IP transformation interval of Steganosintemet anonym Pro can completely ignore IP restriction policies.

　　

Figure 4

4). Limitation of computer identification and its breakthrough

The most cumbersome FTP security policy is to use the identity of the user's computer to limit the. The so-called user computer identification refers to the FTP server and the user's computer interaction, the server through some way to record some of the user's computer identification, such as MAC address, ccookies information, hardware number. When the administrator sets the connection frequency and the error number limit is reached, the FTP server identifies the user's computer according to the computer's identity, which limits the connection.

Such restrictions do not appear on the web, but some profit-making organizations abroad often use such methods for security, such as investment companies, stock advisers, illegal betting and other sites. Technically, such a strategy is more ruthless, it is difficult to attack the FTP server under such a strategy, but not helpless. For example, the common restrictions are realized through the MAC address identification of the network card, and the MAC address can be changed, the attacker can write their own program, every time the violent crack initiation, change the MAC address. Of course, the network is full of MAC address change program, and even a lot of hardware information can be randomly generated, such as Mac makeup, such as Figure 5

　　

Figure 5

If the target FTP server is the use of cookies and other information to assist verification, the breakthrough method is much simpler. Attackers can program their own to achieve every violent break before each purge cookies, can also use Steganosintemet anonym Pro and other tools to achieve cookies automatically deleted, browsing records automatically deleted.

Iv. Coping measures third-party software Fail2ban reinforcement method

Magic One foot, overall, as long as the FTP server in a vain attempt to let normal users to use, to completely eliminate the violence of FTP attack is very difficult, at least there is no way to achieve, the following we use Third-party software to strengthen, after the author long-term comparison found Fail2ban for the solution of violent cracking, Illegal scanning can play a better effect, it is based on the firewall chain to add a new rule composition, and send e-mail to notify the system administrator. Fail2ban can be used not only to automatically identify possible violent intrusions, but also to analyze them according to fast and easy user-defined rules because the Fail2ban principle is to invoke iptables to block external attacks in real time, to find a log that meets the requirements for a period of time, and then move, So your system must have iptables, and Python support.

1. Download and install:

Installing Fail2ban on a Debian based system is very refreshing. Execute the following command as the root user

# Apt-get Install Fail2ban

In the Gnu/linux system on the source code installation, in order to compile Fail2ban, you need to download the latest source code (HTTP://SOURCEFORGE.NET/PROJECTS/FAIL2BAN). When acquired, you can change your source directory and execute the following commands:

#tar XVJF fail2ban-x.x.x.tar.bz2

You will be in the current working directory to get a fail2ban of the extracted source directory. You need to CD to the new directory. Now perform the installation as root:

#./setup.py Install

Fail2ban will be installed in the/usr/share/fail2ban/and/usr/bin/directory, installed, slightly according to their own situation to change the configuration can be used.

2. System Configuration

A typical configuration file is as follows:

/etc/fail2ban/
├──action.d
│├──dummy.conf
│├──hostsdeny.conf
│├──iptables.conf
│├──mail-whois.conf
│├──mail.conf
│└──shorewall.conf
├──fail2ban.conf
├──fail2ban.local
├──filter.d
│├──apache-auth.conf
│├──apache-noscript.conf
│├──couriersmtp.conf
│├──postfix.conf
│├──proftpd.conf
│├──qmail.conf
│├──sasl.conf
│├──sshd.conf
│└──vsftpd.conf
├──jail.conf
└──jail.local

Each. conf file is overwritten with a file named. Local.. conf is first read, followed by. Local. The new configuration will overwrite the previous. Therefore, the. local file does not have to contain each option corresponding to. conf, just fill in the settings you want to overwrite.

First edit fail2ban.conf

#vi/etc/fail2ban.conf #以 Daemon way to start Fail2ban
Background = True #允许尝试次数
Maxfailures = 3 #触发 maxfailures after the blockade time (seconds); Set to-1 means permanently blocked
Bantime = 3600 #以 findtime (seconds) Error record as Maxfailures count Datum
Findtime = #排除 IP range, separated by white space
Ignoreip = 127.0.0.1 192.168.0.0/24 #不启用 Mail Notification
[mail]enabled = False #修改自 vsftpd, the part not mentioned keeps the original setting
[proftpd]enabled = True
LogFile =/var/log/proftpd/proftpd.log
Failregex = no such user| Incorrect password #未提及的部份保持原设定
[ssh]enabled = True
LogFile =/var/log/secureservice Fail2ban

Start this service start, every day in the/var/log/fail2ban.log can see the attack of the chicken was ban.

The next step is to copy the initialization script to the system's/ETC/INIT.D directory, execute chkconfig and update-rc.d or create a symbolic link manually, set permissions

# chmod 755/etc/init.d/fail2ban
#chkconfig-A Fail2ban
#ln-S/etc/init.d/fail2ban/etc/rc2.d/s20fail2ban

Finally, consolidate fail2ban into the log loop

/var/log/fail2ban.log {
Weekly
Rotate 7
Missingok
Compress
Postrotate
/usr/local/bin/fail2ban-client Reload 1>/dev/null | | True
Endscript

Finally, Iptables fine-tuning, only allow each group of IP at the same time 5 21 port forwarding, similar functions you can go to play.

#iptables-A forward-p tcp--syn--dport 21-m connlimit--connlimit-above 5--connlimit-mask 24-j DROP

OK, after installation, configuration, let's look at the effect of using it, first browse the Iptables

#iptables-L-NV
Pkts bytes Target protopt in Out source destination
12740 fail2ban-ftp TCP--* * 0.0.0.0/0 0.0.0.0/0 TCP dpt:21
3354 253K fail2ban-ssh TCP--* * 0.0.0.0/0 0.0.0.0/0 TCP dpt:22
438 33979 FAIL2BAN-HTTPDTCP--* * 0.0.0.0/0 0.0.0.0/0 TCP dpt:80
Chain FORWARD (Policy ACCEPT 0 packets, 0 bytes)
Pkts bytes Target prot opt in Out source destination
Chain OUTPUT (Policy ACCEPT 5703 packets, 829K bytes)
Pkts bytes Target prot opt in Out source destination
Chain Fail2ban-ssh (1 references)
Pkts bytes Target prot opt in Out source destination
3354 253K Return All--* * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-ftp (1 references)
Pkts bytes Target prot opt in Out source destination
12740 return All--* * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-httpd (1 references)
Pkts bytes Target prot opt in Out source destination
438 33979 Return All--* * 0.0.0.0/0 0.0.0.0/0

View the Fail2ban log

The following command allows you to easily see the recorded illegal brute force to crack IP

Finally, we should note that Fail2ban is a log analyzer that does nothing before writing to the log. Most system log daemons will buffer their output. This may conflict with fail2ban performance. Therefore, it is best to prevent buffering your system log daemon to improve performance. At present, as long as the FTP server want to allow normal users to use, to completely eliminate the FTP brute force attack will be difficult, so to start from the subtle, as far as possible to reduce the probability of being violently cracked.