-
Server Tinker
- 504 Command not implemented
- Posts: 6
- Joined: 2009-01-13 20:52
- First name: Server
- Last name: Tinker
#1
by Server Tinker » 2009-01-21 22:00
I have a problem regarding Autoban and SSL/TLS connections.
Today I took a look at my log files and found that someone tried to log in multiple times using the user name ADMINISTRATOR. I have set up FileZilla Server to force an SSL/TLS connection; this is what FileZilla replied to all attempts.
Furthermore, I have set up the server to enable Autoban for 24 hours after five failed logins. But this does not work in this case. I do not know the reason for this behaviour.
Enclosed is an excerpt of my log file.
Code:
...
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:43 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:43 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:44 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:44 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:45 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:45 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:46 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:46 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
...
-
botg
- Site Admin
- Posts: 35566
- Joined: 2004-02-23 20:49
- First name: Tim
- Last name: Kosse
#2
by botg » 2009-01-21 22:33
User did not actually try to log on. No PASS after a successful USER.
-
Server Tinker
#3
by Server Tinker » 2009-01-22 06:23
This is what I thought too but hoped I was wrong.
Is there a possibility to ban this kind of login attempt too?
-
botg
#4
by botg » 2009-01-22 08:29
Manually, yes.
-
da chicken
- 226 Transfer OK
- Posts: 619
- Joined: 2005-11-02 06:41
#5
by da chicken » 2009-01-27 14:14
Additionally, you should also not have any user account in FileZilla Server named 'administrator'. Some idiot is trying to access your FTP server as if it were IIS. If there's no user named 'administrator' configured in the FileZilla Server Interface, this moron will never gain access.
If you wish, you could configure your gateway or router to drop connections from this IP address (preferred) or add the IP address to the deny list in the FileZilla Server Interface (probably won't work if your server is behind NAT).
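Autoban does not count the pre-TLS `530` replies shown in the first post, so the addresses for a manual deny-list or router rule have to be pulled from the log by hand. The following is an added example, not part of the original posts and not FileZilla code: it parses the log format shown above and reports addresses whose `USER` commands were rejected before TLS at least five times (mirroring the poster's Autoban setting) within an assumed 60-second window. The function names and the sample addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Reply the server sends when USER arrives before AUTH TLS (text from the log above).
PRE_TLS_REJECT = "530 Have to use explicit SSL/TLS before logging on."
LINE_RE = re.compile(
    r"^\((?P<session>\d+)\) (?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) - "
    r"\((?P<user>[^)]*)\) \((?P<ip>[^)]+)\)> (?P<msg>.*)$")

def sample_log():
    """Constructed sample; 192.0.2.10 and 198.51.100.7 are placeholder addresses."""
    rows = [(sec, "192.0.2.10") for sec in (40, 40, 40, 41, 41, 42)]
    rows.append((50, "198.51.100.7"))  # a single stray plain-text USER
    lines = []
    for sec, ip in rows:
        for msg in ("USER Administrator", PRE_TLS_REJECT):
            lines.append(f"(000001) 21.01.2009 18:30:{sec:02d} - (not logged in) ({ip})> {msg}")
    return "\n".join(lines)

def pre_tls_offenders(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map each IP to its peak count of pre-TLS 530 replies inside `window`,
    keeping only IPs whose peak reaches `threshold`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["msg"] == PRE_TLS_REJECT:
            hits[m["ip"]].append(datetime.strptime(m["ts"], "%d.%m.%Y %H:%M:%S"))
    offenders = {}
    for ip, times in hits.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            offenders[ip] = best
    return offenders

if __name__ == "__main__":
    for ip, count in pre_tls_offenders(sample_log()).items():
        print(f"{ip}: {count} USER commands rejected before TLS; candidate for the deny list")
```

The single rejection from the second address stays below the threshold, so a client that merely forgot to enable TLS once is not flagged.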
-
Server Tinker
#6
by Server Tinker » 2009-01-29 06:46
Of course there are no accounts like admin, administrator, root etc. and I always force a TLS/SSL connection.
I am not so happy with the solution of blocking the IP at the router because some of these IPs look as if they are hijacked. My FTP server is behind a NAT.
-
da chicken
#7
by da chicken » 2009-02-03 19:40
Server Tinker wrote:
Code:
...
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:43 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:43 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:44 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:44 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:45 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:45 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:46 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:46 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
...
Botg:
By the timestamps there appears to be no tarpitting at all for failed login attempts. This means the server is susceptible to a DoS because of enforcing explicit TLS.
-
botg
#8
by botg » 2009-02-03 21:35
da chicken wrote: "By the timestamps there appears to be no tarpitting at all for failed login attempts."
Because it is not a login attempt. Even if he tries till all eternity, he cannot get in this way, even if he guessed the correct password.
-
da chicken
#9
by da chicken » 2009-02-03 21:52
Yes, but it'll still allow you to DoS the server.
-
botg
#10
by botg » 2009-02-03 22:35
Send a gazillion useless UDP packets. Same result.