#5, 12th November 2012, 16:16
manarak, Senior Member

Quote: Originally Posted by Ben
But isn't it more security by obscurity, as by limiting the activity time the time window for any trojan to spy the password is smaller.
Also if not enforcing this by default, I assume nobody will really take care of this option.
If the user / admin would know about the problem he would more than that make use of:
fail2ban against bruteforce on the server,
forced (or at least configured) ftps (!= sftp),
forced password policy (complexity)
forced password renewal (aging), optionally with time based deactivation.

To assist the admin, ISPConfig could alert on the ftp tab, if some of the above mentioned mitigation options are not in place.

Just as an additional idea on how to assist solving this issue.
Actually it is not, because all the cases I saw so far have been caused by the webmaster getting a trojan on his computer which did then mail out the ftp passwords the webmaster had stored in his system.

fail2ban is not going to help, because the bots already have the password.

But I can imagine that reducing the time window will increase security, because the bots are very likely to give up after some time if some passwords don't work.

In the meanwhile, virus sweeps will likely detect a problem on the webmaster's computer.

And restricting ftp access to certain IPs and IP ranges (from where the webmaster connects) will help a lot by simply not letting the bots in.
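The two controls the post argues for, an activity window and a source-IP allowlist, as an added detection example that is not from this thread or from ISPConfig: it runs over constructed log lines in an assumed simplified format and flags successful logins (the case fail2ban never sees) that fall outside either control; the account names, addresses and policy are made up.

```python
import ipaddress
import re
from datetime import datetime, time

# Constructed sample log in an assumed "timestamp status LOGIN: user= ip=" format; documentation address ranges.
SAMPLE_LOG = """\
2012-11-12 09:15:02 OK LOGIN: user=web1 ip=203.0.113.10
2012-11-12 03:42:17 OK LOGIN: user=web1 ip=198.51.100.77
2012-11-12 10:05:44 OK LOGIN: user=web2 ip=203.0.113.25
2012-11-12 22:10:09 OK LOGIN: user=web2 ip=203.0.113.25
2012-11-12 11:30:00 FAIL LOGIN: user=web2 ip=198.51.100.78
"""

# Hypothetical per-account policy: where the webmaster connects from, and during which hours.
POLICY = {
    "web1": {"allow": ["203.0.113.0/24"], "window": (time(8, 0), time(18, 0))},
    "web2": {"allow": ["203.0.113.25/32"], "window": (time(8, 0), time(18, 0))},
}

LINE_RE = re.compile(r"^(\S+ \S+) (OK|FAIL) LOGIN: user=(\S+) ip=(\S+)$")


def check_login(line, policy=POLICY):
    """Violations for one successful login ([] if in policy); None for anything else,
    since a stolen password shows up as successes, and failures are fail2ban's job."""
    m = LINE_RE.match(line)
    if not m or m.group(2) != "OK":
        return None
    stamp, _, user, ip = m.groups()
    rules = policy.get(user)
    if rules is None:
        return ["no policy for account"]
    reasons = []
    addr = ipaddress.ip_address(ip)
    if not any(addr in ipaddress.ip_network(net) for net in rules["allow"]):
        reasons.append("ip not in allowlist")
    when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").time()
    start, end = rules["window"]
    if not start <= when <= end:
        reasons.append("outside activity window")
    return reasons


def suspicious_logins(log_text, policy=POLICY):
    """Successful logins that violate the account's allowlist or activity window."""
    alerts = []
    for line in log_text.splitlines():
        reasons = check_login(line, policy)
        if reasons:
            user, ip = LINE_RE.match(line).group(3, 4)
            alerts.append((user, ip, reasons))
    return alerts
```

The second web2 login comes from the allowed address but at 22:10, so the window alone raises it; the 03:42 web1 login trips both checks.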