Advice/Help sought for log entries as a result of a connection attempt by an unknown actor

Need help with FileZilla Server? Something does not work as expected? In this forum you may find an answer.

snakethumper2
500 Command not understood
Posts: 3
Joined: 2021-11-24 03:14
First name: David
Last name: Every

Advice/Help sought for log entries as a result of a connection attempt by an unknown actor

#1 Post by snakethumper2 » 2023-03-27 22:53

I have an unknown person/actor attempting to log into my FTP Server. The server does a handshake then sends my certificate, then the session finishes gracefully. The log is saving every step but I don't know how to interpret what is happening and whether it's dangerous, i.e. is the attacker actually getting useful information or not? I can post the log but it contains (I assume) personal info relating to my FTP server. Any pointers or advice would be most welcome. I would like to understand this more so I know how to respond in future.

boco
Contributor
Posts: 26910
Joined: 2006-05-01 03:28
Location: Germany

Re: Advice/Help sought for log entries as a result of a connection attempt by an unknown actor

#2 Post by boco » 2023-03-27 23:21

> I have an unknown person/actor attempting to log into my FTP Server. The server does a handshake then sends my certificate, then the session finishes gracefully.

Then, that is not a login attempt, only a scan. A login attempt would be the client trying username and password combinations, which many do for user "Administrator".

The client is getting (apart from the server URL, IP, port, and the fact that an FTP server is listening at that address, information they already have at that point) your certificate (which is public and sent to every client) as well as the negotiated ciphersuites, KEX algorithms etc. No files and directories until they manage to log in. Looks like they are scanning for vulnerabilities or the like.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org


Re: Advice/Help sought for log entries as a result of a connection attempt by an unknown actor

#3 Post by snakethumper2 » 2023-03-28 00:31

Ah I see, OK, thanks, that is very useful. I will ignore these and watch for user/pw attempts. I think the autoban function will come in handy on that front. I can't restrict IP ranges because the people that I DO want to access it change their IPs fairly regularly. Thanks heaps for the advice.
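
The distinction drawn in posts #2 and #3 (a connect-and-handshake scan versus USER/PASS login attempts), as an added example that is not part of the thread and not FileZilla code. The log format, the sample lines and the threshold are constructed assumptions; the regular expression has to be adapted to the server's real log layout.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log in a hypothetical format (not FileZilla Server's own):
# "<time> [<session>] <client ip> <dir> <text>"; ">" = from client, "<" = reply.
SAMPLE_LOG = """\
2023-03-27T22:41:03 [17] 203.0.113.5 > AUTH TLS
2023-03-27T22:41:04 [17] 203.0.113.5 - TLS handshake successful
2023-03-27T22:41:04 [17] 203.0.113.5 - disconnected
2023-03-27T22:50:10 [18] 198.51.100.9 > USER Administrator
2023-03-27T22:50:11 [18] 198.51.100.9 > PASS ****
2023-03-27T22:50:11 [18] 198.51.100.9 < 530 Login incorrect
2023-03-27T22:50:12 [19] 198.51.100.9 > USER Administrator
2023-03-27T22:50:12 [19] 198.51.100.9 > PASS ****
2023-03-27T22:50:12 [19] 198.51.100.9 < 530 Login incorrect
2023-03-27T23:02:30 [20] 192.0.2.44 > USER alice
2023-03-27T23:02:31 [20] 192.0.2.44 > PASS ****
2023-03-27T23:02:31 [20] 192.0.2.44 < 230 Login successful
"""

LINE = re.compile(r"^\S+ \[(\d+)\] (\S+) ([<>-]) (.*)$")

def classify_sessions(log_text):
    """Return {session_id: (ip, verdict)}; verdict is scan, failed_login or login."""
    sessions = defaultdict(lambda: {"ip": None, "user": False, "codes": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        sid, ip, direction, text = m.groups()
        s = sessions[sid]
        s["ip"] = ip
        if direction == ">" and text.upper().startswith("USER "):
            s["user"] = True          # the client actually tried to authenticate
        elif direction == "<":
            s["codes"].add(text[:3])  # three-digit FTP reply code (RFC 959)
    result = {}
    for sid, s in sessions.items():
        # 230 = logged in; USER without 230 = failed attempt; no USER = scan only
        verdict = "login" if "230" in s["codes"] else "failed_login" if s["user"] else "scan"
        result[sid] = (s["ip"], verdict)
    return result

def noisy_ips(classified, threshold=2):
    """IPs with at least `threshold` failed-login sessions (threshold is an assumption)."""
    fails = Counter(ip for ip, v in classified.values() if v == "failed_login")
    return sorted(ip for ip, n in fails.items() if n >= threshold)
```

Sessions that end after the handshake land in `scan`; only the addresses returned by `noisy_ips` correspond to the repeated user/password attempts worth watching or banning.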


Re: Advice/Help sought for log entries as a result of a connection attempt by an unknown actor

#4 Post by boco » 2023-03-28 01:20

Usually they want to find running instances of MS' IIS FTP server. Guess why...
