IIS Feature Feedback
Better defences against bruteforce FTP Attacks
Last post Mar 19, 2014 09:11 AM by Montago
Mar 18, 2014 05:18 PM|Montago|LINK
It blows my mind that IIS has an FTP Service that doesn't have a single defence against password bruteforce attacks.
10 days after spinning up my FTP server, i've gotten several attacks were a single IP have tried 200+ user/password combinations.
so far, the only bad thing that has happened is that i've gained some rather large LOG files, but no one has gotten through - luckely i have strong passwords.
So my feature request is obviously some options to automatically block hackers by their IP, after X failed attempts.
More options to block attackers are welcome too !
IIS 8.0 solves this issue: http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-ftp-logon-attempt-restrictions
So i guess i have to upgrade to IIS 8.0 Express ... hmmm... i wonder what the difference to Win7 IIS 7.5 is..
Mar 18, 2014 09:10 PM|lextm|LINK
To be more specific, you need to upgrade to Windows Server 2012 and above.
IIS 8 Express is a development server for HTTP/HTTPS so it does not support FTP at all.
Mar 19, 2014 09:11 AM|Montago|LINK
dammit... i knew something was missing in the express...
Well, im NOT going to install Server 2012 nor Windows 8 ... its just too horrible to borther with.
I guess i'll continue my endeavour to extend IIS 7.5 with a custom Authentication :)