Earlier today I spun up a brand new VM, with a new external facing IP address.
I installed some commercial SFTP server software and opened the relevant firewall port (22).
I installed a new download of FileZilla client on my laptop and connected to the server OK with some test credentials I'd created this morning.
Those credentials had not been shared.
Within 5 minutes of my login, my SFTP server had failed attempted logins from Latvia, China, and France.
USING MY MADE UP TEST USERNAME
So that's nice...
Anyone care to comment?
A similar thread will be raised as a support ticket with the vendor of the SFTP server software, and the IP addresses of those failed attempts have been logged.
Some folk just can't be trusted.
Leak of USERNAMES
- 500 Command not understood
- Posts: 2
- Joined: 2019-03-29 14:45
- First name: Jim
- Last name: Callaghan
Re: Leak of USERNAMES
FileZilla does not transmit usernames over the network, with the exception of the username used to connect to a server, which is only submitted to that server. You can verify this yourself by studying the source code of FileZilla.
Assuming you did your due diligence verifying the host key of the server you were connecting to, this means that either the server software, the server machine or the client machine have been compromised. If you did not verify the host keys, any machine and network component sitting between the client and the server might be compromised.
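As an added example (not from the post above and not FileZilla's own code): the fingerprint a client's unknown-host-key dialog shows is derived from the server's public key, so the comparison the reply asks for can be made against the key file on the server itself. The key-line layout and the SHA256/MD5 fingerprint formats follow OpenSSH's conventions; the sample key and all function names are constructed for this example.

```python
import base64
import hashlib
import struct


def parse_public_key_line(line):
    """Split an OpenSSH public key line ('ssh-ed25519 AAAA... comment') into
    its declared key type and the raw key blob, checking that the type name
    embedded inside the blob agrees with the declared one."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    # The blob starts with a 4-byte big-endian length and the type string.
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + name_len].decode("ascii", errors="replace")
    if embedded != key_type:
        raise ValueError(f"key type mismatch: {key_type!r} vs {embedded!r}")
    return key_type, blob


def fingerprint_sha256(blob):
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob):
    """Legacy MD5 fingerprint as colon-separated hex pairs."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def host_key_matches(key_line, shown_fingerprint):
    """True when the fingerprint a client dialog shows equals one derived
    from the server's own public key file (SHA256 or legacy MD5 form)."""
    _, blob = parse_public_key_line(key_line)
    return shown_fingerprint.strip() in {fingerprint_sha256(blob), fingerprint_md5(blob)}


# Constructed sample (not a real server's key): an Ed25519 blob whose 32
# key bytes are simply 0..31, so the example runs offline.
_SAMPLE_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
                + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " sample@example"

if __name__ == "__main__":
    key_type, blob = parse_public_key_line(SAMPLE_KEY_LINE)
    print(key_type, fingerprint_sha256(blob), fingerprint_md5(blob))
```

On the server, `ssh-keygen -lf` on the host key file prints the same SHA256 form, which is the value to read out of band and compare with the dialog.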
Re: Leak of USERNAMES
Due diligence? Really? The server I built has only existed a matter of hours. The OS and the SFTP Server software were fresh installs. The server is in a DMZ, and the client laptop is a commercially owned machine, issued to me by an IT company (the same company I work for, that hosts the DMZ), which is checked for all vulnerabilities with tiresome regularity. This is not a tin-pot setup - this is 3000+ IT staff.
I used your client for the first time today, to prove a simple connection attempt - to just quickly ensure a connection could be established ahead of other work to be done. I would not normally use it, but if I'm hosting an SFTP server, I'm expecting others to use FileZilla in some cases to connect to it. I assumed that the first response would be 'it's not us'. I'm not losing any sleep - just wanted to point out that within minutes of using your software, my IP address and username had been compromised.
Re: Leak of USERNAMES
> Due diligence? Really?
If you don't carefully compare host key fingerprints, a man-in-the-middle proxy can intercept traffic unnoticed. This is why it is important to be diligent in comparing fingerprints.
> The server is in a DMZ
Please avoid using the term DMZ, as it is a misnomer: a DMZ is fully militarized, being exposed to the entire hostile internet. The term exposed host fits way better.
> This is not a tin-pot setup - this is 3000+ IT staff.
Size does not matter. One could argue that large companies have worse security due to focus on compliance instead of actual security.
> I assumed that the first response would be 'it's not us'. I'm not losing any sleep - just wanted to point out that within minutes of using your software, my IP address and username had been compromised.
Correlation is not causation.
- 504 Command not implemented
- Posts: 7
- Joined: 2016-09-21 16:24
- First name: South River
- Last name: Technologies
- Location: Annapolis, Maryland, USA
Re: Leak of USERNAMES
Sorry if I'm chiming in late...
Yes, you will absolutely see brute force username attacks with any SFTP server you launch with a public connection on port 22. Odds are, you will see attacks within 10-20 minutes of the server being online, possibly much sooner. There are bots out there which will simply hammer any and every IP address on the planet with an open port 22 and randomly test username access against common usernames and databases of known usernames.
The first thing we tell our customers (full disclosure, I work for SRT, makers of Titan FTP Server), is to choose any port, just not port 22, for your SFTP server and then immediately implement both an IP whitelisting and brute-force attack prevention strategy.
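An added example, not from the post above and not SRT's or FileZilla's code: the two signals this thread turns on, a source hammering the port (the brute-force rule) and a username that was never published showing up in failures (the original poster's "made-up username" observation), as detection logic over constructed sshd-style log lines. The log format is assumed to be OpenSSH sshd's, and the private username `jc_test` and all addresses are constructed sample values.

```python
import re
from collections import defaultdict

# Log format assumed here is OpenSSH sshd's (an assumption of this example);
# commercial SFTP servers log differently and need their own pattern.
FAILED_LOGIN = re.compile(
    r"Failed (?:password|publickey|none) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample lines modelled on the thread: one legitimate test login,
# then failures from several sources, some using the never-published name.
SAMPLE_LOG = """\
Mar 29 14:30:01 sftp1 sshd[2101]: Accepted password for jc_test from 10.0.0.5 port 51022 ssh2
Mar 29 14:33:10 sftp1 sshd[2140]: Failed password for jc_test from 198.51.100.7 port 40122 ssh2
Mar 29 14:33:12 sftp1 sshd[2141]: Failed password for jc_test from 198.51.100.7 port 40123 ssh2
Mar 29 14:33:15 sftp1 sshd[2142]: Failed password for invalid user admin from 203.0.113.9 port 2222 ssh2
Mar 29 14:33:16 sftp1 sshd[2143]: Failed password for invalid user root from 203.0.113.9 port 2223 ssh2
Mar 29 14:33:17 sftp1 sshd[2144]: Failed password for invalid user test from 203.0.113.9 port 2224 ssh2
Mar 29 14:33:20 sftp1 sshd[2145]: Failed password for jc_test from 192.0.2.44 port 6001 ssh2
"""


def parse_failures(log_text):
    """Return (ip, user) pairs for every failed login line in the log."""
    found = []
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            found.append((m.group("ip"), m.group("user")))
    return found


def analyse(log_text, private_users, threshold=3):
    """Summarise failed logins: attempts per source IP, IPs to block (at least
    `threshold` failures, the brute-force rule) and IPs that tried a username
    that was never published (the thread's 'made-up username' signal)."""
    per_ip = defaultdict(int)
    leaked = defaultdict(set)
    for ip, user in parse_failures(log_text):
        per_ip[ip] += 1
        if user in private_users:
            leaked[ip].add(user)
    block = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {"per_ip": dict(per_ip), "block": block,
            "leaked": {ip: sorted(users) for ip, users in leaked.items()}}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG, {"jc_test"}))
```

The `block` list is what an IP-based lockout would feed on; the `leaked` map is the separate, more interesting question, since a never-published name turning up from several unrelated sources points at the client, the server or the path between them rather than at random guessing.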