Server Feature request

Moderator: Project members

Post Reply
Message
Author
cjbujold
504 Command not implemented
Posts: 6
Joined: 2012-05-17 18:41

Server Feature request

#1 Post by cjbujold » 2015-06-29 12:28

To reduce the load on the server, add a list of known username that are automatically disconnected and the IP is banned if used. The ban option is good but many of the hack attempts are trying to use specific username to access the FTP site. Usernames like "admin" could be automatically flagged as bogus and Filezilla would automatically drop and ban any connection trying to use such known username. Or even better you could automatically ban an IP trying to use a non-existing username after 3 attempts for example.

This would reduce the noise in the log files and reduce the CPU cycles spent on needless login attempts.

Thanks

User avatar
boco
Contributor
Posts: 25279
Joined: 2006-05-01 03:28
Location: Germany

Re: Server Feature request

#2 Post by boco » 2015-07-10 04:55

'admin' can be a perfectly legal username. Also, please note that Autoban is deprecated and scheduled for removal in a future version.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###

cjbujold
504 Command not implemented
Posts: 6
Joined: 2012-05-17 18:41

Re: Server Feature request

#3 Post by cjbujold » 2015-07-10 12:47

I agree that admin can be a legal name. My request is for Filezilla to know what are the legal usernames registered in Filezilla and anything that is not a valid name be automatically blocked/dropped. For example most hackers will try names like test, admin, the name of the domain, the name of a website, etc.. to try to find an open door. If they only have 1 chance to get it right, they will move on. For users, they know their username, so it does not pose any problems.

For example in Wordpress the WordFence firewall can bloc/drop any user trying to use a non-existant username and block them for 30 minutes , as an example. The advantage of this is that they are blocked and cannot keep on trying other usernames, saving resources. Dropping an offending IP takes less resources than going through the signon to be dropped at the end because the username is invalid.

I understand that the AutoBan feature is going to be dropped, but I am suggesting we still need something to limit the resources used by hackers. By dropping them immediately, most will quit within a few minutes versus having somebody try for 8 hours.

Maybe the better question is how do you deal with constant attacks to the FTP. What we see are more attempts than actual users. What do you suggest to reduce the load on the FTP server.

User avatar
botg
Site Admin
Posts: 33171
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Server Feature request

#4 Post by botg » 2015-07-10 13:37

Dropping an offending IP takes less resources than going through the signon to be dropped at the end because the username is invalid.
Consider the resources it takes to keep a list of offending IP addresses. This list can very fast get very big and expensive to maintain.

cjbujold
504 Command not implemented
Posts: 6
Joined: 2012-05-17 18:41

Re: Server Feature request

#5 Post by cjbujold » 2015-07-10 14:16

Disagree, since the table would only need to have two columns, The Offending IP and a time stamp. If the system is set by the administrator to band for 30 minutes or 1 hour or 1 day for example the list would grow but could be easily shrunk again by the next logon attempt that runs a cleanup on the table. The clean up would delete any entry that is passed the set time band. Allowing Filezilla to only look at an active drop list and take a drop action if needed. if they keep getting dropped they will stop trying.

Also this option could be user enabled so if you have an overtaxed FTP server you can choose not to use it. The resources used I think would be less than some idiot trying for 12 hours every few minutes. Our server averages about 5000 such attempts everyday and typically only represent about 50-75 such idiots. Analyzing the log everyday to see if a client has issues takes a lot of resources, just cutting the log down by eliminating these idiots would be beneficial for us.

Or maybe give us a log analysis program that can quickly identify unsuccessful attempts by real users versus access.

Thanks for a superb program, we truly like it and are just trying to make it even better.

cjb

User avatar
botg
Site Admin
Posts: 33171
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Server Feature request

#6 Post by botg » 2015-07-10 14:31

There are 4 billion IPv4 addresses. Timestamp and IP would require up to 32GiB of RAM in the worst case.

Now there's IPv6 where literally everyone gets at least 4 billion times 4 billion IPv6 addresses. These tables can get ginormous.

cjbujold
504 Command not implemented
Posts: 6
Joined: 2012-05-17 18:41

Re: Server Feature request

#7 Post by cjbujold » 2015-07-10 15:40

I don't think I'm making myself clear. I don't want to list 4 billion or more addresses only the 50 to 75 IP addresses that are trying to get into our system.

This represents about 2K not 32GiB of RAM. The list would only contain the IP's of the users having tried a non-valid username. A username that does not exist on our system. I don't understand where you are going with listing all IPs in the world. Nobody would do that, only list the offending IP's .

If I take a look at our current log this represents about 50-75 IPs max. But the option would kill about 5000 non-valid login attempts.

The memory it would use is small by todays standards, and again if you are running on a low end server turn the option off. You don't need to use it. Few Servers exist today that can spare 2KB of Ram memory.

Post Reply