FileZilla Server banner

Posted: 2023-09-14 09:43
by GrZeCh
Hello,

Is there a way to disable showing the version and FTP server name in the welcome message? In FileZilla Server 0.9.x, setting a custom welcome message hid the default FileZilla Server message. IMHO it would be good for security reasons not to show any info about the FTP server version, or at least to allow disabling it in the configuration. What do you think?

Thanks

P.S. Setting a custom welcome message only adds a new line to the welcome message next to the server name and version.

Re: FileZilla Server banner

Posted: 2023-09-14 12:23
by botg
No, this cannot be disabled. Hiding version numbers does not add security. If unsure, the attacker just tries attacks against all versions. Takes a few seconds longer, result the same.

Re: FileZilla Server banner

Posted: 2023-09-15 11:57
by GrZeCh
All versions of what? All versions of ALL FTP servers available? If yes, then it would end up with IP banning, right? I'm talking about the possibility to completely overwrite the banner, where I can remove the FTP server name and version.

Re: FileZilla Server banner

Posted: 2023-09-15 12:18
by webwiz
I have to agree with this. For security, it should not announce that it is FileZilla or a version number.

You have to do the same with web servers for PCI compliance, so the same should be true for FTP.

Also, given that we are currently being recommended to upgrade to FileZilla Server 1.7.2 due to a security vulnerability in older versions, it would seem like a good move.

Re: FileZilla Server banner

Posted: 2023-09-19 15:11
by GrZeCh
Hello,

Any chance of a response regarding the possibility to hide the server name and version in the banner?

Re: FileZilla Server banner

Posted: 2023-09-19 18:27
by botg
My previous statement still holds. Even disregarding all user-visible strings, it's trivially easy to identify the used server software purely from behavior. Hiding product names and versions only ever adds a false sense of security.

Re: FileZilla Server banner

Posted: 2023-09-20 11:00
by GrZeCh
Ok. Thanks for the response.

Re: FileZilla Server banner

Posted: 2023-10-26 21:15
by jollyali
I agree that removing the banner doesn't add to security. That said, the option to remove the banner also doesn't harm security, so having the option to hide the banner isn't harmful and may cause enough of a delay that systems can detect malicious actors.
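
Added example (not part of the thread, and not FileZilla code): a small audit check that parses a multi-line FTP 220 greeting and reports which lines still disclose a product name or version, for the case described above where a custom welcome message is only appended next to the default line. The sample greeting, the product list and the function names are constructed assumptions.

```python
import re

# Constructed sample greeting (not captured from a real server): a multi-line
# 220 reply where the operator's custom text sits next to a product/version line.
SAMPLE_GREETING = (
    "220-FileZilla Server 1.7.2\r\n"
    "220-Authorized users only\r\n"
    "220 Please visit https://filezilla-project.org/\r\n"
)

VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")  # dotted version such as 1.7.2
# Assumed list of product names to look for; extend it for your own estate.
PRODUCT_RE = re.compile(r"\b(filezilla|proftpd|vsftpd|pure-ftpd)\b", re.I)


def parse_greeting(raw):
    """Split an RFC 959 reply into (code, [text lines]), multi-line form included."""
    lines = [l for l in raw.replace("\r\n", "\n").split("\n") if l]
    if not lines or not re.match(r"^\d{3}[ -]", lines[0]):
        raise ValueError("not an FTP reply")
    code = lines[0][:3]
    texts = []
    for line in lines:
        if line.startswith(code) and len(line) > 3 and line[3] in " -":
            texts.append(line[4:])
            if line[3] == " ":  # "220 " (space) terminates the reply
                break
        else:
            texts.append(line.strip())  # continuation line without a code
    return code, texts


def disclosures(raw):
    """Return (line_no, kind, matched_text) for every product/version leak."""
    _, texts = parse_greeting(raw)
    findings = []
    for n, text in enumerate(texts, 1):
        for kind, rx in (("product", PRODUCT_RE), ("version", VERSION_RE)):
            m = rx.search(text)
            if m:
                findings.append((n, kind, m.group(0)))
    return findings


if __name__ == "__main__":
    for line_no, kind, value in disclosures(SAMPLE_GREETING):
        print(f"greeting line {line_no}: {kind} disclosed ({value})")
```

The check only covers the greeting text; as noted in the thread, server software can also be identified from behavior, which this does not measure.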