Autoban and forced SSL/TLS?

Posted: 2009-01-21 22:00
by Server Tinker
I have a problem regarding Autoban and SSL/TLS connections.
Today I took a look at my log files and found that someone tried to log in multiple times using the user name ADMINISTRATOR. I have set up FileZilla Server to force an SSL/TLS connection, and this is what FileZilla replied to all attempts.

Furthermore, I have set up the server to enable Autoban for 24 hours after five failed log-ins. But this does not work in that case. I do not know what the reason for this behaviour is.

Enclosed is an extract from my log file.

...
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:43 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:43 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:44 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:44 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:45 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:45 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:46 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:46 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
...

Re: Autoban and forced SSL/TLS?

Posted: 2009-01-21 22:33
by botg
User did not actually try to log on. No PASS after a successful USER.

Re: Autoban and forced SSL/TLS?

Posted: 2009-01-22 06:23
by Server Tinker
This is what I thought too but hoped I was wrong. :-(
Is there a possibility to ban this kind of log-in attempt too?

Re: Autoban and forced SSL/TLS?

Posted: 2009-01-22 08:29
by botg
Manually, yes.

Re: Autoban and forced SSL/TLS?

Posted: 2009-01-27 14:14
by da chicken
Additionally, you should also not have any user account in FileZilla Server named 'administrator'. Some idiot is trying to access your FTP server as if it were IIS. If there's no user named 'administrator' configured in the FileZilla Server Interface, this moron will never gain access.

If you wish, you could configure your gateway or router to drop connections from this IP address (preferred) or add the IP address to the deny list in the FileZilla Server Interface (probably won't work if your server is behind NAT).
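
A log check that surfaces the pre-TLS USER hammering shown in this thread, which autoban does not count because no PASS is ever sent, so the peers can be reviewed for a manual ban. This is an added example, not part of any post or of FileZilla Server; the five-hit threshold mirrors the autoban setting from the first post, while the 60-second window, the function name and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Line layout as in the log excerpt in this thread:
# (session) date time - (user) (peer)> text
LINE_RE = re.compile(
    r"^\((?P<session>\d+)\) (?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})"
    r" - \((?P<user>.*?)\) \((?P<peer>[^)]*)\)> (?P<text>.*)$"
)
TLS_REFUSAL = "530 Have to use explicit SSL/TLS before logging on."

def find_pre_tls_hammering(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {peer: peak count} for peers with >= threshold TLS refusals
    inside a sliding window. Assumes lines are in ascending time order."""
    recent = defaultdict(deque)   # peer -> timestamps still inside the window
    peak = defaultdict(int)       # peer -> highest in-window count seen
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["text"] != TLS_REFUSAL:
            continue              # skips "..." markers and unrelated traffic
        ts = datetime.strptime(m["ts"], "%d.%m.%Y %H:%M:%S")
        q = recent[m["peer"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[m["peer"]] = max(peak[m["peer"]], len(q))
    return {p: n for p, n in peak.items() if n >= threshold}

# Constructed sample (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = ["..."]
for sec in (40, 40, 41, 42, 43, 44):
    stamp = f"21.01.2009 18:30:{sec:02d}"
    SAMPLE_LOG.append(f"(000001) {stamp} - (not logged in) (203.0.113.7)> USER Administrator")
    SAMPLE_LOG.append(f"(000001) {stamp} - (not logged in) (203.0.113.7)> {TLS_REFUSAL}")
SAMPLE_LOG += [
    # A client that forgot AUTH TLS once and then negotiated it: not flagged.
    "(000002) 21.01.2009 18:31:05 - (not logged in) (198.51.100.20)> USER alice",
    f"(000002) 21.01.2009 18:31:05 - (not logged in) (198.51.100.20)> {TLS_REFUSAL}",
    "(000002) 21.01.2009 18:31:06 - (not logged in) (198.51.100.20)> AUTH TLS",
    "(000002) 21.01.2009 18:31:06 - (not logged in) (198.51.100.20)> 234 Using authentication type TLS",
]

if __name__ == "__main__":
    for peer, count in find_pre_tls_hammering(SAMPLE_LOG).items():
        print(f"{peer}: {count} TLS refusals in window; candidate for manual ban")
```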

Re: Autoban and forced SSL/TLS?

Posted: 2009-01-29 06:46
by Server Tinker
Of course there are no accounts like admin, administrator, root etc. and I always force a TLS/SSL connection.
I am not so happy with the solution of blocking the IP at the router because some of these IPs look as if they are hijacked. My FTP server is behind a NAT.

Re: Autoban and forced SSL/TLS?

Posted: 2009-02-03 19:40
by da chicken
Server Tinker wrote:

...
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:43 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:43 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:44 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:44 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:45 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:45 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:46 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:46 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
...
Botg:

By the timestamps there appears to be no tarpitting at all for failed login attempts. This means the server is susceptible to a DoS because of enforcing explicit TLS.

Re: Autoban and forced SSL/TLS?

Posted: 2009-02-03 21:35
by botg
da chicken wrote:

By the timestamps there appears to be no tarpitting at all for failed login attempts.

Because it is not a login attempt. Even if he tries till all eternity, he cannot get in this way, even if he guessed the correct password.

Re: Autoban and forced SSL/TLS?

Posted: 2009-02-03 21:52
by da chicken
Yes, but it'll still allow you to DoS the server.

Re: Autoban and forced SSL/TLS?

Posted: 2009-02-03 22:35
by botg
Send a gazillion useless UDP packets. Same result.