FTP Brute-Force Attacks and Password Management Basics
Written by Carlo Monteverde and Ariz Jacinto
Wednesday, 12 July 2006

We have been picking up a lot of brute-force FTP login and authentication attempts against the Administrator account of our honeypots.

The actual packets from one of these attempts can be viewed here. Note that the passwords tried (such as "qwerty", "12345", "password", "pass", "newuser", "newpass", "notused", etc.) are the commonly used "temporary" passwords assigned to new accounts. Obviously, attacks like these are aimed at systems with lax password management practices.

In light of this, here are some tips and guidelines for administrators:

  • Force passwords to expire on a regular basis, be it monthly, quarterly, or on some other schedule, and force users to change their old passwords.
  • Require users to keep a new password for a period of time before they are allowed to change it again (a minimum password age), so the history check below cannot be cycled through in one sitting.
  • Do not allow users to re-use an old password; the system should keep a record of previously used passwords for each user.
  • Enforce a minimum password length, and require that a chosen password contain some minimum number of upper-case characters, numbers, and non-alphanumeric characters.
  • Compare candidate passwords against a "dictionary" of easily guessable passwords and strings that standard password "cracking" tools try first.
  • Disable an account after a certain number of failed logins, except for administrative accounts.
  • User names should also be considered: deny "default" user names, both those with super-user privileges (administrator, root, et al.) and those with restricted privileges (nobody, et al.).
  • The FTP server should not reveal whether an entered user name exists; the same error should be returned for an unknown user and a wrong password, so as to hinder this guessing attack.
  • Check your network for FTP services that you are not aware of, especially on hardware with an embedded OS.
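The following is an added example (not code from the original advisory) showing how the tips above translate into checks an FTP or account-management service could run: minimum length and character-class requirements, a dictionary of weak passwords, a salted password history with a minimum password age, a denied-default-username list, lockout of non-administrative accounts after repeated failures, and a uniform "Login failed" reply that does not disclose whether the user name exists. The concrete policy numbers (8 characters, one of each character class, 5 failures, a 5-entry history, a one-day minimum age) and the small dictionary are assumptions chosen for illustration, not values taken from the page.

```python
"""Password-policy and login-lockout checks illustrating the advisory's tips.
Added example, not code from the original advisory. All policy thresholds
and the weak-password list below are constructed assumptions."""
import hashlib
import os
from dataclasses import dataclass, field

# Constructed mini "dictionary": the temporary passwords seen in the honeypot attempts.
WEAK_PASSWORDS = {"qwerty", "12345", "password", "pass", "newuser", "newpass", "notused"}

# Default account names that should not be accepted as FTP logins (assumed list).
DENIED_USERNAMES = {"administrator", "root", "admin", "nobody", "guest", "ftp", "anonymous"}

MIN_LENGTH = 8            # assumed policy values
HISTORY_SIZE = 5
MAX_FAILURES = 5
MIN_AGE_SECONDS = 86400   # one day before a password may be changed again
PBKDF2_ROUNDS = 10_000    # kept low for the example; use a far higher count in production


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the history never stores plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    is_admin: bool = False
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)   # password hashes, most recent last
    last_change: float = 0.0                      # timestamp of the last password change
    failures: int = 0                             # consecutive failed logins
    disabled: bool = False


def username_allowed(username: str) -> bool:
    """Reject default/privileged account names as FTP logins."""
    return username.lower() not in DENIED_USERNAMES


def check_password_policy(candidate: str, account: Account) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(not c.isalnum() for c in candidate):
        problems.append("no non-alphanumeric character")
    if candidate.lower() in WEAK_PASSWORDS:
        problems.append("found in weak-password dictionary")
    if account.username.lower() in candidate.lower():
        problems.append("contains the user name")
    if _hash(candidate, account.salt) in account.history:
        problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
    return problems


def set_password(candidate: str, account: Account, now: float) -> bool:
    """Apply the policy plus the minimum-age rule; store the hash in the history."""
    if account.history and now - account.last_change < MIN_AGE_SECONDS:
        return False                      # changed too recently
    if check_password_policy(candidate, account):
        return False
    account.history.append(_hash(candidate, account.salt))
    del account.history[:-HISTORY_SIZE]   # keep only the most recent entries
    account.last_change = now
    return True


def attempt_login(account_db: dict, username: str, password: str) -> str:
    """Same reply for unknown user, disabled account and wrong password, so the
    server gives no user-name oracle; lock non-admin accounts after MAX_FAILURES."""
    account = account_db.get(username)
    if account is None or account.disabled:
        return "Login failed"
    if account.history and _hash(password, account.salt) == account.history[-1]:
        account.failures = 0
        return "Login OK"
    account.failures += 1
    if account.failures >= MAX_FAILURES and not account.is_admin:
        account.disabled = True
    return "Login failed"


if __name__ == "__main__":
    db = {"alice": Account("alice")}
    print(set_password("Str0ng!Pass1", db["alice"], now=0))      # True
    print(check_password_policy("qwerty", db["alice"]))          # several violations
    print(attempt_login(db, "alice", "Str0ng!Pass1"))            # Login OK
```

The lockout exemption for administrative accounts follows the advisory's wording; its purpose is to keep an attacker from locking administrators out by deliberately failing logins, so those accounts need the other controls (strong passwords, monitoring of failed attempts) all the more.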

This special advisory is just a reminder to administrators that it is often the small things that open big holes. In this case, it is always a good idea to implement stricter measures in password usage, particularly when setting up temporary passwords for new accounts.
