Server not logging: error 550

Need help with FileZilla Server? Something does not work as expected? In this forum you may find an answer.

Macktek
550 File not found
Posts: 33
Joined: 2016-03-03 19:04
First name: Mack

Server not logging: error 550

#1 Post by Macktek » 2016-04-29 16:07

The server is not properly displaying error 550 on the screen log.
(The client sees the response, but it does not appear to be logged by the server).
How would I enable this?

Thank you.

botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Server not logging: error 550

#2 Post by botg » 2016-04-29 17:03

The client seeing messages that the server didn't send is a clear indication of a malicious router or firewall injecting fake messages into the control connection.


Re: Server not logging: error 550

#3 Post by Macktek » 2016-04-29 17:42

I should have said... FZ server IP Filter (not a router or firewall IP block)
In this case I am function testing the client / server response to a blocked IP which has been blocked in the FZ server IP Filter settings.
FZ Client (physically) is a separate and distinct IP from physical server. And I am controlling the client.

Please note: Client works perfectly when FZ IP Filter is not blocking the IP. And client is appropriately blocked when IP is set in IP Filter settings.
So these are not at issue, instead... the problem is that it does not show up in the log.


So to explain further, my test is: My client from (nnn.nnn.nnn.nnn) is attempting to connect to the server which has that IP blocked in the filter.

My client is receiving 550 error. (Which it should).

However, the FZ server is not displaying the proper message in the log (on the screen). There is no indication that there was any attempt at a connection.

I believe that Error 550 is not properly being logged to the server.

PS... If there is not an IP block and client sends a bad password, I can see that in the server log as Error 530:
(But error 550 is not showing for IP blocked client attempts).
Last edited by Macktek on 2016-04-29 18:41, edited 1 time in total.


Re: Server not logging: error 550

#4 Post by botg » 2016-04-29 18:40

Confirmed, that's indeed a bug.


Re: Server not logging: error 550

#5 Post by botg » 2016-04-30 15:53

On closer inspection, it turns out this has been intentional.

Assume there's a misbehaving client that tries to login a hundred times each second. If you block it, you also want to get rid of the log spam.

boco
Contributor
Posts: 26913
Joined: 2006-05-01 03:28
Location: Germany

Re: Server not logging: error 550

#6 Post by boco » 2016-05-01 00:12

Couldn't you just display the first 550 in the log normally, and then something like:

"IP <IP> has been blocked, further connection attempts won't be logged."

Keeps the admin informed and gets rid of the log spam as well.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org


Re: Server not logging: error 550

#7 Post by botg » 2016-05-01 07:48

No, it would need to remember which blocked IPs have connected. In case of IPv6 there are billions upon billions of addresses every single host could use.


Re: Server not logging: error 550

#8 Post by boco » 2016-05-02 00:35

With IPv6, you don't block by individual addresses, but by prefix. Blocking individual IPv6 IPs is pretty pointless.

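The "log the first rejection, then announce that further attempts will be suppressed" scheme from #6, with botg's objection from #7 (the server would have to remember every blocked address that connected, and an IPv6 host has a near-unlimited supply of them) and boco's /64 answer from #8, can be reconciled with bounded state. The following is an added illustration written for this thread, not FileZilla Server's own code: IPv6 sources are keyed by their /64 prefix, and the table of keys already logged has both a maximum size and a time-to-live, so it cannot grow without limit. `BlockedLogFilter`, `block_key` and `demo_sequence` are names made up for the example, and the addresses in it are constructed documentation addresses.

```python
import ipaddress
import time
from collections import OrderedDict


def block_key(addr: str) -> str:
    """Normalise a source address to the key used for log suppression.

    IPv4: the individual address. IPv6: the containing /64 (boco's suggestion),
    so a host cycling through addresses inside its own /64 still maps to one key.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return str(ipaddress.ip_network(f"{ip}/64", strict=False))
    return str(ip)


class BlockedLogFilter:
    """Decide whether a rejected (IP-filtered) connection attempt gets logged.

    The first attempt per key is logged; later attempts for the same key are
    suppressed until the entry expires (ttl_seconds) or is evicted because the
    table is full (max_entries). Both limits bound the memory an attacker can
    make the server spend, which is the concern raised in #7.
    """

    def __init__(self, max_entries=10000, ttl_seconds=3600, clock=time.monotonic):
        self.max_entries = max_entries
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so the behaviour can be tested deterministically
        self._seen = OrderedDict()  # key -> expiry time; insertion order == expiry order

    def _expire(self, now):
        # Entries are never refreshed and the TTL is constant, so the oldest
        # entry is always at the front: pop from the front until one is still live.
        while self._seen:
            _, expiry = next(iter(self._seen.items()))
            if expiry > now:
                break
            self._seen.popitem(last=False)

    def should_log(self, addr):
        """Return the log line to write for this attempt, or None to suppress it."""
        now = self.clock()
        self._expire(now)
        key = block_key(addr)
        if key in self._seen:
            return None
        if len(self._seen) >= self.max_entries:
            self._seen.popitem(last=False)  # evict the oldest key to stay within bounds
        self._seen[key] = now + self.ttl
        return (f"550 Connection from {addr} rejected by IP filter; further "
                f"attempts from {key} will not be logged for {self.ttl}s")


def demo_sequence():
    """Replay a constructed sequence of rejected attempts against a tiny filter
    (capacity 2, TTL 60 s) driven by a fake clock; returns which ones got logged."""
    now = [0.0]
    flt = BlockedLogFilter(max_entries=2, ttl_seconds=60, clock=lambda: now[0])
    attempts = [
        (0, "203.0.113.5"),        # first attempt from this address: logged
        (1, "203.0.113.5"),        # repeat: suppressed
        (2, "2001:db8:1:2::10"),   # first from this /64: logged
        (3, "2001:db8:1:2::11"),   # different host, same /64: suppressed
        (4, "203.0.113.6"),        # table full, oldest key (203.0.113.5) evicted: logged
        (5, "203.0.113.5"),        # its entry is gone, so it is logged again
        (70, "203.0.113.6"),       # TTL of 60 s has passed: logged again
    ]
    logged = []
    for t, addr in attempts:
        now[0] = float(t)
        logged.append(flt.should_log(addr) is not None)
    return logged


if __name__ == "__main__":
    print(demo_sequence())
```

Eviction under pressure means a source can reappear in the log once the table has cycled, which is the trade-off between boco's goal (the admin still sees that blocking is happening) and botg's (no unbounded state and no flood of identical lines).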

Re: Server not logging: error 550

#9 Post by Macktek » 2016-05-02 04:58

Are you guys seriously NOT logging potential security threats simply because it might be a broken client?
We need this info ... so we can block it at a higher level.

"lack of logging" is a huge security hole.
The server needs a LOG so that it can detect hack attempts.
Intentionally leaving this is basically like saying: "Please hack my server as much as you want, because no one is logging your attempts".

It is also not acceptable to say that it was intentional in case of potential misbehaving client.

Of course that needs to be logged so we can address that too.

I am becoming very concerned about this type of thought process... it's illogical and counter to security interests.

Leaving this in FZ is basically... allowing unlimited spoof attempts.
Please do not leave this as is. At a minimum allow the server admin to turn it on or off.


Re: Server not logging: error 550

#10 Post by botg » 2016-05-02 06:38

boco wrote: With IPv6, you don't block by individual addresses, but by prefix. Blocking individual IPv6 IPs is pretty pointless.
But which prefix? /48? /56? /64?

How about filtering for machines within your own network?
Macktek wrote: "lack of logging" is a huge security hole.
The server needs a LOG so that it can detect hack attempts.
Intentionally leaving this is basically like saying: "Please hack my server as much as you want, because no one is logging your attempts".
IP blocks have little to do with security, they are all about dealing with nuisances.

Security comes from using FTP over TLS coupled with long passwords.


Re: Server not logging: error 550

#11 Post by boco » 2016-05-02 07:22

botg wrote: But which prefix? /48? /56? /64?
/64, for playing safe.
botg wrote: How about filtering for machines within your own network?
Why should I do that? For local network, banning by MAC would probably be better. I know, MACs can be spoofed. As can IPs. :|


Re: Server not logging: error 550

#12 Post by botg » 2016-05-02 09:09

boco wrote: For local network, banning by MAC would probably be better.
MAC address information simply isn't available to normal programs.
boco wrote: I know, MACs can be spoofed. As can IPs. :|
This is why IP blocking isn't a security measure, it is trivially circumvented.


Re: Server not logging: error 550

#13 Post by Macktek » 2016-05-02 15:55

It's not about how it can be trivially done.
It's about logging the attempts so we know it is happening. And yes, it is a security risk to not know if multiple attempts are occurring.
I can only think of one reason to blind the server to incoming IP spoof attempts, and that really concerns me.
This lack of logging would definitely mean that FZ is not secure because we can't see the hack attempts.

The fact that you can block IP means that it is functional. It has a purpose.
The fact that you are not logging these attempts means you are turning a blind eye.

I should not have to be debating the merits of proper logging here.
It's an error. Errors are supposed to be logged.
It needs to be logged. Period.


Re: Server not logging: error 550

#14 Post by botg » 2016-05-02 16:53

Macktek wrote: I can only think of one reason to blind the server to incoming IP spoof attempts, and that really concerns me.
You cannot distinguish between a spoofed connection attempt and a connection from the legitimate address owner. They look the same.

To detect failed spoof attempts (as opposed to a successful spoof) you need to go onto a lower level and look at failed TCP handshakes. Note that a) failed spoof attempts look exactly the same as ordinary handshake timeouts, e.g. due to ordinary packet loss and b) spoofing addresses is no magic, with the right tools it succeeds on the first try so there won't even be any failed attempts.
Macktek wrote: The fact that you can block IP means that it is functional. It has a purpose.
The fact that you are not logging these attempts means you are turning a blind eye.
What is the benefit of knowing that a connection attempt from a blocked IP has been blocked? It does not carry information. It is just added noise that makes it easier to miss the really important log data.


Re: Server not logging: error 550

#15 Post by Macktek » 2016-05-02 19:44

Let's take the example of an FZ server hosting sensitive documents. These documents are shared by say 5 legal offices in a secure folder on a server and accessed via FTP.

One layer of protection is of course the Password.

A second layer of protection is the IP. The legal offices are connecting from static IPs that are known.

Therefore, in the FZ IP Filter we have placed "*" to block all connections from all IPs.
And in the white list, we add 5 distinct IPs.

Obviously, it's not perfect... but it does help prevent access in some ways. It's a 2nd layer of protection.

Here's the security reason:
When a person attempts to connect from an IP that is blocked, they see error 550.
So, if they are somewhat savvy they can iterate through blocks of IP until they get one that is "ok".
By preventing the log from seeing this, we cannot detect that kind of attack.

What is needed is:
A log notation so we can see such brute force attempts.

If you are wondering how that helps... if we see brute force attempts then it is a strong indicator that we need to change the FZ password sooner than usual.
And possibly take further action depending on how often these attempts are made.

Ideally, there ought to be a security plugin too... so that an email alert or other method could be sent to the admin to notify that multiple blocked IPs were detected.
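What a log entry for filtered attempts would buy the admin in the scenario above (a deny-all filter with a short allow list, and someone probing from many source addresses to find one that is let through) is a signal that can be counted. The following is an added example, written for this thread and not FileZilla Server's own code or log format: it parses a constructed log format, groups 550 rejections into fixed time buckets, and reports buckets in which unusually many distinct source addresses were rejected. The line layout, `SAMPLE_LOG`, `parse_log` and `detect_ip_sweeps` are all assumptions of the example, and the addresses are documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log line layout, assumed for this example only (not FileZilla Server's real format):
#   <ISO-8601 timestamp> <source address> <FTP reply code> <message>
LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (.*)$")

# Constructed sample log: five rejected sources within seconds of each other (a
# sweep), one successful login, one bad password, a lone rejection later, and
# one malformed line the parser must skip.
SAMPLE_LOG = """\
2016-05-02T19:40:01 198.51.100.10 550 Connection rejected: source address blocked by IP filter
2016-05-02T19:40:02 198.51.100.11 550 Connection rejected: source address blocked by IP filter
2016-05-02T19:40:03 198.51.100.12 550 Connection rejected: source address blocked by IP filter
2016-05-02T19:40:04 198.51.100.13 550 Connection rejected: source address blocked by IP filter
2016-05-02T19:40:05 198.51.100.14 550 Connection rejected: source address blocked by IP filter
2016-05-02T19:41:10 203.0.113.7 230 Logged on
2016-05-02T19:42:30 203.0.113.8 530 Login incorrect
2016-05-02T20:30:00 198.51.100.99 550 Connection rejected: source address blocked by IP filter
this line is garbage and is skipped by the parser
"""

EPOCH = datetime(1970, 1, 1)  # reference point for bucketing naive timestamps


def parse_log(text):
    """Turn log text into (timestamp, source address, reply code, message)
    tuples, skipping lines that do not match the expected layout."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, code, msg = m.groups()
        events.append((datetime.fromisoformat(ts), ip, int(code), msg))
    return events


def detect_ip_sweeps(events, window=timedelta(minutes=5), min_distinct=4):
    """Group 550 rejections into fixed buckets of length `window` and report
    every bucket in which at least `min_distinct` different source addresses
    were rejected. Returns a list of (bucket_start, distinct_count, addresses).

    Counting distinct sources rather than raw attempts is what separates a sweep
    across addresses from a single misbehaving client hammering the server.
    """
    per_bucket = defaultdict(set)
    for ts, ip, code, _ in events:
        if code != 550:
            continue
        bucket_start = ts - ((ts - EPOCH) % window)
        per_bucket[bucket_start].add(ip)
    return [(start, len(ips), sorted(ips))
            for start, ips in sorted(per_bucket.items())
            if len(ips) >= min_distinct]


if __name__ == "__main__":
    for start, n, ips in detect_ip_sweeps(parse_log(SAMPLE_LOG)):
        print(f"{start}: {n} distinct blocked sources rejected: {', '.join(ips)}")
```

On the sample above only the 19:40 bucket trips the threshold; the single rejection at 20:30 does not, which is the kind of distinction botg's "added noise" objection asks for: the raw lines are noise until something aggregates them.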
