ftp attack on our DNS server

[ponetguy2]

Hello everyone, someone is trying to ftp to two of our external DNS server. Here is the log from our DNS server in /var/adm/messages:

DNS #1:

Nov 7 04:25:19 xxxxxxx.xxxxxxx.com ftpd[13959]:
Administrator (bogus) LOGIN FAILED [from 206.135.232.188]
Nov 7 04:25:20 xxxxxx.xxxxxxx.com ftpd[13960]:
Administrator (bogus) LOGIN FAILED [from 206.135.232.188]
Nov 7 04:25:22 xxxx.xxxxxxxx.com ftpd[13961]:
Administrator (bogus) LOGIN FAILED [from 206.135.232.188]


DNS #2:

Nov 7 04:25:15 xxxxx ftpd[4757]:
Administrator (bogus) LOGIN FAILED [from mail.iupgrade.net]
Nov 7 04:25:16 xxxxx ftpd[4759]:
Administrator (bogus) LOGIN FAILED [from mail.iupgrade.net]

This guy tried numerous attempts. I think he is using some type of hacking software. Any ideas on how I should approach this issue? I don't have any experience w/ security. My previous job, we worked on our own private netework which was not exposed to the internet.

 

[ericbrunson]

Welcome to the internet.

You could contact the owners of iupgrade.net, but in all actuality, if that's all the attacks you're getting, you're lucky. The best you can do is make sure your ftp server is secure and you have strong passwords, the internet is a wild and dangerous place now-a-days.

 

[ponetguy2]

I emailed the ISP providor informing them that an ftp attack was attempted which came from their network.

 

[kHz]

Make sure your name servers are secure! When I installed our new external name servers, I ran the CIS benchmark tool (and corrected negative findings) and ran the Solaris Security Toolkit (aka JASS). I also have all services turned off (SST took care of that). BIND is also the ONLY thing running on these servers.