Leak of USERNAMES

jcallaghan
500 Command not understood
Posts: 2
Joined: 2019-03-29 14:45
First name: Jim
Last name: Callaghan

Leak of USERNAMES

#1 Post by jcallaghan » 2019-03-29 15:59

Earlier today I spun up a brand new VM, with a new external facing IP address.
I installed some commercial SFTP server software and opened the relevant firewall port (22).
I installed a new download of FileZilla client on my laptop and connected to the server OK with some test credentials I'd created this morning.
Those credentials had not been shared.
Within 5 minutes of my login, my SFTP server had failed attempted logins from Latvia, China, and France.
USING MY MADE UP TEST USERNAME
So that's nice...
Anyone care to comment?
A similar thread will be raised as a support ticket with the vendor of the SFTP server software, and the IP addresses of those failed attempts have been logged.
Some folk just can't be trusted.

botg
Site Admin
Posts: 35566
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Leak of USERNAMES

#2 Post by botg » 2019-03-29 16:46

FileZilla does not transmit usernames over the network, with the exception of the username used to connect to a server, which is only submitted to that server. You can verify this yourself by studying the source code of FileZilla.

Assuming you did your due diligence verifying the host key of the server you were connecting to, this means that either the server software, the server machine or the client machine have been compromised. If you did not verify the host keys, any machine and network component sitting between the client and the server might be compromised.

jcallaghan
500 Command not understood
Posts: 2
Joined: 2019-03-29 14:45
First name: Jim
Last name: Callaghan

Re: Leak of USERNAMES

#3 Post by jcallaghan » 2019-03-29 17:38

Due diligence? Really? The server I built has only existed a matter of hours. The OS and the SFTP Server software were fresh installs. The server is in a DMZ, and the client laptop is a commercially owned machine, issued to me by an IT company (the same company I work for, that hosts the DMZ), which is checked for all vulnerabilities with tiresome regularity. This is not a tin-pot setup - this is 3000+ IT staff.

I used your client for the first time today, to prove a simple connection attempt - to just quickly ensure connection could be established ahead of other work to be done. I would not normally use it, but if I'm hosting an SFTP server, I'm expecting others to use FileZilla in some cases to connect to it. I assumed that the first response would be 'it's not us'. I'm not losing any sleep - just wanted to point out that within minutes of using your software, my IP address and username had been compromised.

botg
Site Admin
Posts: 35566
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Leak of USERNAMES

#4 Post by botg » 2019-04-01 08:44

> Due diligence? Really?

If you don't carefully compare host key fingerprints, a man-in-the-middle proxy can intercept traffic unnoticed. This is why it is important to be diligent to compare fingerprints.

> The server is in a DMZ

Please avoid using the term DMZ as it is a misnomer, a DMZ is fully militarized, being exposed to the entire hostile internet. The term exposed host fits way better.

> This is not a tin-pot setup - this is 3000+ IT staff.

Size does not matter. One could argue that large companies have worse security due to focus on compliance instead of actual security.

> I assumed that the first response would be 'it's not us'. I'm not losing any sleep - just wanted to point out that within minutes of using your software, my IP address and username had been compromised.

Correlation is not causation.
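The fingerprint comparison botg refers to can be done mechanically rather than by eye. The following is an added example (editor's code, not FileZilla's or any project's): it builds an SSH public-key blob in wire format, computes the OpenSSH-style SHA256 fingerprint, parses the one-line `ssh-ed25519 AAAA…` form that servers print on their console, and compares a fingerprint obtained out of band against the key a connection actually presents. The 32 raw key bytes and the "other" key are constructed placeholders, not real keys.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_blob(raw_key: bytes) -> bytes:
    """Assemble the public-key blob as it appears in the KEX reply and in known_hosts.

    Constructed for this example: raw_key is 32 arbitrary bytes, not a real key.
    """
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: base64 of SHA256(blob), '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_from_pubkey_line(line: str) -> str:
    """Fingerprint a 'ssh-ed25519 AAAA... comment' line as read off the server console."""
    _key_type, b64_blob = line.split()[:2]
    return fingerprint_sha256(base64.b64decode(b64_blob))


def host_key_matches(pinned_fingerprint: str, presented_blob: bytes) -> bool:
    """Constant-time comparison of the out-of-band fingerprint with the presented key."""
    presented = fingerprint_sha256(presented_blob)
    return hmac.compare_digest(pinned_fingerprint.encode(), presented.encode())


# Constructed sample: the key the genuine server was generated with.
GENUINE_KEY = bytes(range(32))
GENUINE_BLOB = build_ed25519_blob(GENUINE_KEY)
# What the admin reads off the server console before the first connection.
CONSOLE_LINE = "ssh-ed25519 " + base64.b64encode(GENUINE_BLOB).decode() + " sftp01"
PINNED = fingerprint_from_pubkey_line(CONSOLE_LINE)

# Constructed sample: a different key, as an interposed proxy would have to present.
OTHER_BLOB = build_ed25519_blob(bytes(range(1, 33)))

if __name__ == "__main__":
    print("pinned fingerprint:", PINNED)
    print("genuine server   :", host_key_matches(PINNED, GENUINE_BLOB))
    print("different key    :", host_key_matches(PINNED, OTHER_BLOB))
```

The fingerprint is deterministic for a given key, so any mismatch on a host you have already pinned means either the server's key changed legitimately or something else is terminating the connection; in both cases the session should not proceed until that is resolved.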

southrivertech
504 Command not implemented
Posts: 7
Joined: 2016-09-21 16:24
First name: South River
Last name: Technologies
Location: Annapolis, Maryland, USA

Re: Leak of USERNAMES

#5 Post by southrivertech » 2019-05-20 14:45

Sorry if I'm chiming in late...

Yes, you will absolutely see brute force username attacks with any SFTP server you launch with a public connection on port 22. Odds are, you will see attacks within 10-20 minutes of the server being online, possibly much sooner. There are bots out there which will simply hammer any and every IP address on the planet with an open port 22 and randomly test username access against common usernames and databases of known usernames.

The first thing we tell our customers (full disclosure, I work for SRT, makers of Titan FTP Server), is to choose any port, just not port 22, for your SFTP server and then immediately implement both an IP whitelisting and brute-force attack prevention strategy.
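The two measures recommended above, an IP allowlist and brute-force detection, can both be checked against the server's own log. The following is an added example (editor's code, not Titan FTP Server's or FileZilla's); the log lines are constructed in OpenSSH auth-log style because the commercial server's log format is not shown in the thread, and the addresses come from the documentation ranges. It parses the lines, flags any source that accumulates a threshold of failed logins inside a sliding window, lists sources outside the allowlist, and shows which usernames each source probed, which is how the "made up test username" would show up next to the usual `admin`/`root` guesses.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (OpenSSH auth-log style, an assumption about the format).
SAMPLE_LOG = """\
Mar 29 16:01:02 sftp01 sshd[2101]: Accepted publickey for testuser from 198.51.100.7 port 50123 ssh2
Mar 29 16:03:11 sftp01 sshd[2105]: Failed password for testuser from 203.0.113.5 port 51234 ssh2
Mar 29 16:03:12 sftp01 sshd[2106]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Mar 29 16:03:14 sftp01 sshd[2107]: Failed password for invalid user root from 203.0.113.5 port 51236 ssh2
Mar 29 16:03:15 sftp01 sshd[2108]: Failed password for testuser from 203.0.113.5 port 51237 ssh2
Mar 29 16:04:40 sftp01 sshd[2110]: Failed password for invalid user test from 203.0.113.77 port 40001 ssh2
Mar 29 16:05:01 sftp01 sshd[2111]: Failed password for testuser from 203.0.113.77 port 40002 ssh2
Mar 29 16:07:30 sftp01 sshd[2115]: Failed password for testuser from 198.51.100.7 port 50130 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_events(text: str, year: int = 2019):
    """Return (timestamp, result, username, source_ip) tuples; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line, skip
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def brute_force_sources(events, threshold: int = 3, window: timedelta = timedelta(minutes=10)):
    """Map source IP -> total failures, for sources with >= threshold failures in any window."""
    failures = defaultdict(list)
    for ts, result, _user, ip in events:
        if result == "Failed":
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def outside_allowlist(events, allowed_cidrs):
    """Sorted source IPs that fall outside every allowlisted network."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return sorted(
        {ip for _ts, _res, _user, ip in events
         if not any(ipaddress.ip_address(ip) in n for n in nets)}
    )


def probed_usernames(events):
    """Map source IP -> set of usernames it failed to log in as."""
    probed = defaultdict(set)
    for _ts, result, user, ip in events:
        if result == "Failed":
            probed[ip].add(user)
    return dict(probed)


EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    print("brute-force sources :", brute_force_sources(EVENTS))
    print("outside allowlist   :", outside_allowlist(EVENTS, ["198.51.100.0/24"]))
    print("usernames probed    :", probed_usernames(EVENTS))
```

The allowlist check is the stronger of the two: a source that is not on the list is rejected regardless of how many attempts it makes, whereas the threshold only reacts after several failures have already been recorded.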
