Advice/Help sought for log entries as a result of a connection attempt by an unknown actor

Posted: 2023-03-27 22:53
by snakethumper2
I have an unknown person/actor attempting to log into my FTP server. The server does a handshake, then sends my certificate, then the session finishes gracefully. The log is saving every step, but I don't know how to interpret what is happening and whether it's dangerous, i.e. is the attacker actually getting useful information or not? I can post the log, but it contains (I assume) personal info relating to my FTP server. Any pointers or advice would be most welcome. I would like to understand this more so I know how to respond in future.

Re: Advice/Help sought for log entries as a result of a connection attempt by an unknown actor

Posted: 2023-03-27 23:21
by boco
I have an unknown person/actor attempting to log into my FTP server. The server does a handshake, then sends my certificate, then the session finishes gracefully.
Then that is not a login attempt, only a scan. A login attempt would be the client trying username and password combinations, which many do for the user "Administrator".

The client is getting (apart from the server URL, IP, port, and the fact that an FTP server is listening at that address, information they already have at that point) your certificate (which is public and sent to every client) as well as the negotiated cipher suites, KEX algorithms, etc. No files and directories until they manage to log in. Looks like they are scanning for vulnerabilities or the like.

Re: Advice/Help sought for log entries as a result of a connection attempt by an unknown actor

Posted: 2023-03-28 00:31
by snakethumper2
Ah, I see, ok thanks, that is very useful. I will ignore these and watch for user/pw attempts. I think the autoban function will come in handy on that front. I can't restrict IP ranges because the people that I DO want to access it change their IPs fairly regularly. Thanks heaps for the advice.
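The distinction boco draws (TLS handshake with no USER/PASS is a scan; USER/PASS exchanges are login attempts) and the autoban idea above are both things that can be checked mechanically from a server log. The following is an added example written for this thread; it is not code from the original posts and not FileZilla Server's own log format or autoban logic. The log line shape (`<timestamp> [<session-id> <client-ip>] <direction> <text>`) and all sample lines are constructed for illustration, so the parser would need its regular expression adapted to whatever your server actually writes.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical line format, NOT FileZilla Server's real format):
#   <UTC timestamp> [<session-id> <client-ip>] <dir> <text>
# where dir is ">>" (server to client), "<<" (client to server) or "**" (server event).
# IPs are documentation ranges (RFC 5737), chosen so nothing here points at a real host.
SAMPLE_LOG = """\
2023-03-27T22:53:01Z [12 203.0.113.5] >> 220 Service ready
2023-03-27T22:53:01Z [12 203.0.113.5] << AUTH TLS
2023-03-27T22:53:01Z [12 203.0.113.5] >> 234 Proceed with negotiation
2023-03-27T22:53:02Z [12 203.0.113.5] ** TLS handshake completed, certificate sent
2023-03-27T22:53:02Z [12 203.0.113.5] ** Client closed connection
2023-03-27T22:54:10Z [13 198.51.100.7] >> 220 Service ready
2023-03-27T22:54:10Z [13 198.51.100.7] << AUTH TLS
2023-03-27T22:54:10Z [13 198.51.100.7] >> 234 Proceed with negotiation
2023-03-27T22:54:11Z [13 198.51.100.7] ** TLS handshake completed, certificate sent
2023-03-27T22:54:11Z [13 198.51.100.7] << USER Administrator
2023-03-27T22:54:11Z [13 198.51.100.7] >> 331 Password required
2023-03-27T22:54:11Z [13 198.51.100.7] << PASS ****
2023-03-27T22:54:12Z [13 198.51.100.7] >> 530 Login incorrect
2023-03-27T22:54:13Z [13 198.51.100.7] << USER admin
2023-03-27T22:54:13Z [13 198.51.100.7] >> 331 Password required
2023-03-27T22:54:13Z [13 198.51.100.7] << PASS ****
2023-03-27T22:54:14Z [13 198.51.100.7] >> 530 Login incorrect
2023-03-27T22:55:00Z [14 198.51.100.7] >> 220 Service ready
2023-03-27T22:55:00Z [14 198.51.100.7] << USER ftp
2023-03-27T22:55:00Z [14 198.51.100.7] >> 331 Password required
2023-03-27T22:55:01Z [14 198.51.100.7] << PASS ****
2023-03-27T22:55:01Z [14 198.51.100.7] >> 530 Login incorrect
2023-03-27T22:56:30Z [15 192.0.2.9] >> 220 Service ready
2023-03-27T22:56:31Z [15 192.0.2.9] ** Client closed connection
"""

LINE_RE = re.compile(r"^(\S+) \[(\d+) ([\d.]+)\] (>>|<<|\*\*) (.*)$")


def parse_log(text):
    """Group log lines by session id -> {"ip": str, "events": [(direction, text), ...]}."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that do not have the expected shape
        _ts, sid, ip, direction, msg = m.groups()
        session = sessions.setdefault(sid, {"ip": ip, "events": []})
        session["events"].append((direction, msg))
    return sessions


def classify_session(session):
    """Return 'login_attempt', 'tls_scan' or 'connect_only' for one session.

    A USER command from the client is what makes it a login attempt; a TLS
    handshake followed by a disconnect only gave the client the public
    certificate and negotiated parameters, so it is classified as a scan.
    """
    sent_user = any(d == "<<" and m.upper().startswith("USER ") for d, m in session["events"])
    if sent_user:
        return "login_attempt"
    handshake = any(d == "**" and "TLS handshake" in m for d, m in session["events"])
    return "tls_scan" if handshake else "connect_only"


def classify_sessions(text):
    return {sid: classify_session(s) for sid, s in parse_log(text).items()}


def failed_logins_per_ip(text):
    """Count 530 replies (rejected logins) per client IP across all sessions."""
    counts = defaultdict(int)
    for session in parse_log(text).values():
        for d, m in session["events"]:
            if d == ">>" and m.startswith("530"):
                counts[session["ip"]] += 1
    return dict(counts)


def ban_candidates(text, threshold=3):
    """IPs at or above the failure threshold: the input an autoban-style rule would act on."""
    return sorted(ip for ip, n in failed_logins_per_ip(text).items() if n >= threshold)


if __name__ == "__main__":
    for sid, kind in classify_sessions(SAMPLE_LOG).items():
        print(f"session {sid}: {kind}")
    print("failed logins per IP:", failed_logins_per_ip(SAMPLE_LOG))
    print("ban candidates:", ban_candidates(SAMPLE_LOG))
```

Counting 530 replies per IP rather than per session matters here: the sample attacker spreads its guesses over two sessions, which a per-session counter would miss, while a per-IP counter reaches the threshold. The threshold itself is a placeholder; set it to whatever your autoban settings use.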

Re: Advice/Help sought for log entries as a result of a connection attempt by an unknown actor

Posted: 2023-03-28 01:20
by boco
Usually they want to find running instances of MS' IIS FTP server. Guess why...