Deny List?

Need help with FileZilla Server? Something does not work as expected? In this forum you may find an answer.

LifeOfBrian
504 Command not implemented
Posts: 6
Joined: 2018-01-18 09:24
First name: Brian

Deny List?

#1 Post by LifeOfBrian » 2018-01-18 09:42

Our tiny FTP site has been the subject of a constant brute force attack (botnet) for a few years. I started blocking network ranges to see if I could spot some pattern, and I found (or at least assume) there are some control nodes in normally trusted locations like the EU, US etc. that, once the FTP is checked online, trigger attacks from compromised accounts in China, India etc.
Long story short, I have millions of IPs blocked in FileZilla Server and add new ones each week. I'd like to see which IPs are still actively trying and can't seem to understand if that is presented anywhere?

In an ideal world I'd like some "Deny List" separate log so I can look for stale entries or spot the geographic location of new botnet deployments.

Oh, and in case anyone asks how I know it is a botnet: the connections follow a sequence, so connections come in turn, one attempt from each single IP address.
IP 1.1.1.1 - user/user2017
IP 1.1.1.2 - user/user2016
IP 1.1.1.3 - user/user2015
If I block enough IPs, eventually it resets and tries combinations it has tried earlier. Oh, and the biggest chunk of IP ranges blocked is from the Far East.

Bri

botg
Site Admin
Posts: 35565
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Deny List?

#2 Post by botg » 2018-01-18 18:57

The trick is to use long passwords, then you can just ignore brute force attempts.

LifeOfBrian
504 Command not implemented
Posts: 6
Joined: 2018-01-18 09:24
First name: Brian

Re: Deny List?

#3 Post by LifeOfBrian » 2018-01-19 09:51

I do use long passwords, but the logs get full of junk if I allow all connections; some are raw commands that fill a log screen.
I have very few legitimate users, but they might be anywhere in the world, so what I try to do is keep an eye on the service, which is much harder if it's just scrolling chaff.

The software is useful to me so I give thanks for that and will continue to try and filter the connections (and resulting logs) as best I can.

Example of chaff that obscures the interesting entries (this is after 25907221 IP addresses, mostly in /16 masks, blocked).

(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> Connected on port 21, sending welcome message...
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)>
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 4
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)>
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)>
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)>
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)>
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)>
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)>
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> (
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> ÿU
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)>
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> MSSQLServer
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> d!
(000316)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000317)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> Connected on port 21, sending welcome message...
(000317)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> CONNECT xui.ptlogin2.qq.com:443 HTTP/1.1
(000317)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000317)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> HOST: xui.ptlogin2.qq.com:443
(000317)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000318)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> Connected on port 21, sending welcome message...
(000319)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> Connected on port 21, sending welcome message...
(000318)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)>
(000318)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000318)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> à
(000318)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000319)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> œ
(000319)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000319)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> +<M
(000319)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000318)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)>
(000318)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000318)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)>
(000318)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000319)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)>
(000319)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000319)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)>
(000319)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000318)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)>
(000318)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000319)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> M
(000319)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000319)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)>
(000319)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000319)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)>
(000319)18/01/2018 10:06:07 - (not logged in) (113.96.223.207)> 500 Syntax error, command unrecognized.
(000316)18/01/2018 10:06:08 - (not logged in) (113.96.223.207)> disconnected.
(000317)18/01/2018 10:06:08 - (not logged in) (113.96.223.207)> disconnected.

botg
Site Admin
Posts: 35565
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Deny List?

#4 Post by botg » 2018-01-19 10:47

Have you considered a whitelist approach? Block everything by default and only allow known-good IP ranges.

LifeOfBrian
504 Command not implemented
Posts: 6
Joined: 2018-01-18 09:24
First name: Brian

Re: Deny List?

#5 Post by LifeOfBrian » 2018-01-19 13:11

Yes, I have considered it (more than a few times), but it would slow down the support system; we often don't know where the customers will connect from, some use corporate satellite links and others temporary engineering bases in global locations, and few if any will be able to quickly provide their possible IP ranges.
It's working OK currently; I was really trying to avoid having to be clever about the future "bad" subnets when the range is close to real customers.
So far I have not blocked any legitimate connections, but eventually, if people don't properly lock down their cPanel/Webmin type authentications (a common bot source), I could end up permanently dropping 65k addresses that are otherwise benign and not having any way to know if those addresses are still being used for the bots.

My hope is that the customers move on from 70's protocols before I block "everyone" from spite :roll:

boco
Contributor
Posts: 26938
Joined: 2006-05-01 03:28
Location: Germany

Re: Deny List?

#6 Post by boco » 2018-01-19 18:47

Using a custom port other than 21* already prevents a large part of random drops. Port scanners are often configured to only scan default service ports.


*Port must be above 1024 as those first 1024 are reserved.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org

LifeOfBrian
504 Command not implemented
Posts: 6
Joined: 2018-01-18 09:24
First name: Brian

Re: Deny List?

#7 Post by LifeOfBrian » 2018-01-26 10:16

The only reason we run an FTP server is that customers, some on boats (via satellite links), have a very restricted range of services, client software and ports; we have to be on standard port numbers and a fixed IP address so their IT guys can open up the access.
If one customer can't do non-standard ports it makes it hard, and most can't do non-standard ports.

I'm sounding like the "tried that didn't work!" guy, sorry :lol: .
