Autoban and forced SSL/TLS?

Server Tinker
504 Command not implemented
Posts: 6
Joined: 2009-01-13 20:52
First name: Server
Last name: Tinker

Autoban and forced SSL/TLS?

#1 Post by Server Tinker » 2009-01-21 22:00

I have a problem regarding Autoban and SSL/TLS connections.
Today I took a look at my log files and found that someone tried to log in multiple times using the user name ADMINISTRATOR. I have set up FileZilla Server to force an SSL/TLS connection, and this is what FileZilla replied to all tries.

Furthermore, I have set up the server to autoban for 24 hours after five failed logins, but this does not work in this case. I do not know the reason for this behaviour.

Enclosed is an excerpt from my log file.

...
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:43 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:43 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:44 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:44 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:45 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:45 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:46 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:46 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
...

botg
Site Admin
Posts: 32372
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Autoban and forced SSL/TLS?

#2 Post by botg » 2009-01-21 22:33

User did not actually try to log on. No PASS after a successful USER.

Server Tinker
504 Command not implemented
Posts: 6
Joined: 2009-01-13 20:52
First name: Server
Last name: Tinker

Re: Autoban and forced SSL/TLS?

#3 Post by Server Tinker » 2009-01-22 06:23

This is what I thought too, but I hoped I was wrong. :-(
Is there a possibility to ban this kind of login attempt too?

botg
Site Admin
Posts: 32372
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Autoban and forced SSL/TLS?

#4 Post by botg » 2009-01-22 08:29

Manually, yes.

da chicken
226 Transfer OK
Posts: 619
Joined: 2005-11-02 06:41

Re: Autoban and forced SSL/TLS?

#5 Post by da chicken » 2009-01-27 14:14

Additionally, you should also not have any user account in FileZilla Server named 'administrator'. Some idiot is trying to access your FTP server as if it were IIS. If there's no user named 'administrator' configured in the FileZilla Server Interface, this moron will never gain access.

If you wish, you could configure your gateway or router to drop connections from this IP address (preferred) or add the IP address to the deny list in the FileZilla Server Interface (probably won't work if your server is behind NAT).
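
One way to find candidates for the manual ban discussed in this thread, as an added example that is not part of any post here and is not FileZilla code: it counts, per peer address, the pre-TLS `530` rejections that Autoban does not treat as failed logins. The log lines are constructed in the format shown in post #1, the addresses are documentation placeholders, and `ban_candidates`, its threshold and its window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Layout shown in the thread: (session) date time - user (peer)> text
LINE_RE = re.compile(
    r"^\(\d+\) (?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) - "
    r".*? \((?P<peer>[^)]*)\)> (?P<msg>.*)$")
# Reply to a USER sent before AUTH TLS; per the thread, not a failed login.
PRE_TLS_REJECT = "530 Have to use explicit SSL/TLS"

def parse(line):
    """Return (timestamp, peer, message), or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%d.%m.%Y %H:%M:%S"), m["peer"], m["msg"]

def ban_candidates(lines, threshold=5, window=timedelta(seconds=60)):
    """Map peer -> peak count of pre-TLS rejections inside one window."""
    recent, peak = defaultdict(deque), {}
    for rec in map(parse, lines):          # lines are assumed chronological
        if rec is None or not rec[2].startswith(PRE_TLS_REJECT):
            continue
        ts, peer, _ = rec
        q = recent[peer]
        q.append(ts)
        while ts - q[0] > window:          # drop rejections older than the window
            q.popleft()
        peak[peer] = max(peak.get(peer, 0), len(q))
    return {p: n for p, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed log in the thread's format; addresses are placeholders."""
    fmt = "({:06d}) 21.01.2009 18:30:{:02d} - (not logged in) ({})> {}"
    reject = PRE_TLS_REJECT + " before logging on."
    lines = ["..."]
    for sec in (40, 40, 41, 41, 42, 43):   # repeated USER, never AUTH TLS
        lines += [fmt.format(1, sec, "203.0.113.7", "USER Administrator"),
                  fmt.format(1, sec, "203.0.113.7", reject)]
    # Legitimate client: one rejection, then it upgrades to TLS.
    lines += [fmt.format(2, 50, "198.51.100.20", "USER alice"),
              fmt.format(2, 50, "198.51.100.20", reject),
              fmt.format(2, 51, "198.51.100.20", "AUTH TLS")]
    return lines

if __name__ == "__main__":
    for peer, n in ban_candidates(sample_log()).items():
        print(f"{peer}: {n} pre-TLS USER rejections, candidate for the deny list")
```

The timestamp pattern assumes the dd.mm.yyyy form shown in post #1; a single rejection followed by `AUTH TLS` stays below the threshold and is not reported.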

Server Tinker
504 Command not implemented
Posts: 6
Joined: 2009-01-13 20:52
First name: Server
Last name: Tinker

Re: Autoban and forced SSL/TLS?

#6 Post by Server Tinker » 2009-01-29 06:46

Of course there are no accounts like admin, administrator, root etc., and I always force a TLS/SSL connection.
I am not so happy with the solution of blocking the IP at the router, because some of these IPs look as if they are hijacked. My FTP server is behind a NAT.

da chicken
226 Transfer OK
Posts: 619
Joined: 2005-11-02 06:41

Re: Autoban and forced SSL/TLS?

#7 Post by da chicken » 2009-02-03 19:40

Server Tinker wrote:

...
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:43 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:43 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:44 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:44 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:45 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:45 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:46 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:46 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
...
Botg:

By the timestamps there appears to be no tarpitting at all for failed login attempts. This means the server is susceptible to a DoS because of enforcing explicit TLS.

botg
Site Admin
Posts: 32372
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Autoban and forced SSL/TLS?

#8 Post by botg » 2009-02-03 21:35

da chicken wrote:
By the timestamps there appears to be no tarpitting at all for failed login attempts.

Because it is not a login attempt. Even if he tries till all eternity, he cannot get in this way, even if he guessed the correct password.

da chicken
226 Transfer OK
Posts: 619
Joined: 2005-11-02 06:41

Re: Autoban and forced SSL/TLS?

#9 Post by da chicken » 2009-02-03 21:52

Yes, but it'll still allow you to DoS the server.

botg
Site Admin
Posts: 32372
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Autoban and forced SSL/TLS?

#10 Post by botg » 2009-02-03 22:35

Send a gazillion useless UDP packets. Same result.
