More options for Autoban

jf2go
500 Command not understood
Posts: 1
Joined: 2008-09-10 00:33
First name: John
Last name: Foley

Re: More options for Autoban

#16 Post by jf2go » 2008-09-10 00:47

Do I have to configure 0.9.27 to tarpit? I am running this version and cannot see the effect of tarpitting in my logs. Here are excerpts from my log after more than an hour of consecutive attempts to crack my site. (I don't mind posting the IP since this idiot is hammering my site)

(019268) 9/8/2008 23:41:30 PM - (not logged in) (222.73.91.208)> 331 Password required for administrator
(019268) 9/8/2008 23:41:36 PM - (not logged in) (222.73.91.208)> USER Administrator
(019268) 9/8/2008 23:41:36 PM - (not logged in) (222.73.91.208)> 331 Password required for administrator
(019268) 9/8/2008 23:41:44 PM - (not logged in) (222.73.91.208)> PASS ****
(019268) 9/8/2008 23:41:44 PM - (not logged in) (222.73.91.208)> 530 Login or password incorrect!
(019268) 9/8/2008 23:42:02 PM - (not logged in) (222.73.91.208)> PASS ****
(019268) 9/8/2008 23:42:02 PM - (not logged in) (222.73.91.208)> 530 Login or password incorrect!
(019268) 9/8/2008 23:42:25 PM - (not logged in) (222.73.91.208)> 421 Login time exceeded. Closing control connection.
(019268) 9/8/2008 23:42:25 PM - (not logged in) (222.73.91.208)> disconnected.
(019269) 9/8/2008 23:42:26 PM - (not logged in) (222.73.91.208)> Connected, sending welcome message...
(019269) 9/8/2008 23:42:26 PM - (not logged in) (222.73.91.208)> 220-FileZilla Server version 0.9.27 beta
(019269) 9/8/2008 23:42:26 PM - (not logged in) (222.73.91.208)> 220 Connected to
(019269) 9/8/2008 23:42:31 PM - (not logged in) (222.73.91.208)> USER Administrator
(019269) 9/8/2008 23:42:31 PM - (not logged in) (222.73.91.208)> 331 Password required for administrator
(019269) 9/8/2008 23:42:37 PM - (not logged in) (222.73.91.208)> USER Administrator
(019269) 9/8/2008 23:42:37 PM - (not logged in) (222.73.91.208)> 331 Password required for administrator
(019269) 9/8/2008 23:42:45 PM - (not logged in) (222.73.91.208)> PASS ********
(019269) 9/8/2008 23:42:45 PM - (not logged in) (222.73.91.208)> 530 Login or password incorrect!
(019269) 9/8/2008 23:43:03 PM - (not logged in) (222.73.91.208)> PASS ********
(019269) 9/8/2008 23:43:03 PM - (not logged in) (222.73.91.208)> 530 Login or password incorrect!

*
*
*

(019340) 9/9/2008 0:55:39 AM - (not logged in) (222.73.91.208)> disconnected.
(019341) 9/9/2008 0:55:39 AM - (not logged in) (222.73.91.208)> Connected, sending welcome message...
(019341) 9/9/2008 0:55:39 AM - (not logged in) (222.73.91.208)> 220-FileZilla Server version 0.9.27 beta
(019341) 9/9/2008 0:55:39 AM - (not logged in) (222.73.91.208)> 220 Connected to
(019341) 9/9/2008 0:55:45 AM - (not logged in) (222.73.91.208)> USER Administrator
(019341) 9/9/2008 0:55:45 AM - (not logged in) (222.73.91.208)> 331 Password required for administrator
(019341) 9/9/2008 0:55:51 AM - (not logged in) (222.73.91.208)> USER Administrator
(019341) 9/9/2008 0:55:51 AM - (not logged in) (222.73.91.208)> 331 Password required for administrator
(019341) 9/9/2008 0:55:59 AM - (not logged in) (222.73.91.208)> PASS *******
(019341) 9/9/2008 0:55:59 AM - (not logged in) (222.73.91.208)> 530 Login or password incorrect!
(019341) 9/9/2008 0:56:17 AM - (not logged in) (222.73.91.208)> PASS *******
(019341) 9/9/2008 0:56:17 AM - (not logged in) (222.73.91.208)> 530 Login or password incorrect!
(019341) 9/9/2008 0:56:40 AM - (not logged in) (222.73.91.208)> 421 Login time exceeded. Closing control connection.
(019341) 9/9/2008 0:56:40 AM - (not logged in) (222.73.91.208)> disconnected.

This still looks like a few seconds per login attempt after an hour.

da chicken
226 Transfer OK
Posts: 619
Joined: 2005-11-02 06:41

Re: More options for Autoban

#17 Post by da chicken » 2008-09-10 02:47

The tar pit is only about 10 seconds, but that still limits you to less than 100,000 attempts daily. I'd like to be able to configure the tar pit timing, but beyond hunting through the code there's no way to do that.

If you've got wget for Windows installed, you can see the behavior by running this command over and over:
wget ftp://127.0.0.1/foo.txt --ftp-user=test --ftp-password=test

Or you can put it in a batch file, like so.
tartest.cmd:

:a
rem each pass is one more failed login against the local server
wget ftp://127.0.0.1/foo.txt --ftp-user=test --ftp-password=test
goto a

You'll have to press <Ctrl>-<C> to terminate that batch file.

The first 10 attempts should blow by in a second. After that they should slow down noticeably. Restart the server to make it forget that 127.0.0.1 is hammering your server if you need to.

In any case, as long as you don't do something stupid like have a user account called "administrator" you can't be hacked by this idiot.
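An added example, not code from the FileZilla project or from either poster: a small Python script that parses log lines in the format shown in jf2go's excerpt above and reports, per client address, how many 530 responses it produced and the shortest spacing between them, which is what you would look at to decide whether the tarpit is actually slowing an attacker down. The sample log text is constructed (documentation-range addresses), the function names are mine, and the timestamp handling assumes the "23:41:30 PM" form seen in the excerpt (24-hour clock with an AM/PM suffix appended).

```python
"""Added example (not FileZilla project code, not from the forum posters).

Parses FileZilla Server 0.9.x log lines shaped like the excerpt in the
thread and summarises failed logins (530 replies) per client IP, including
the shortest gap between consecutive failures. If the tarpit is working,
that gap should grow after the first few failures from one address.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "(session) M/D/YYYY H:MM:SS AM|PM - (user) (ip)> message"
LINE_RE = re.compile(
    r"^\((?P<session>\d+)\) (?P<date>\d{1,2}/\d{1,2}/\d{4}) "
    r"(?P<time>\d{1,2}:\d{2}:\d{2}) (?P<ampm>AM|PM) - "
    r"\((?P<user>[^)]*)\) \((?P<ip>[^)]+)\)> (?P<msg>.*)$"
)

# Constructed sample log: one address hammering "Administrator" across two
# sessions and a day boundary, one address with a single failure then a
# successful logon. Addresses are from the documentation ranges.
SAMPLE_LOG = """\
(000101) 9/8/2008 23:41:30 PM - (not logged in) (203.0.113.7)> USER Administrator
(000101) 9/8/2008 23:41:30 PM - (not logged in) (203.0.113.7)> 331 Password required for administrator
(000101) 9/8/2008 23:41:44 PM - (not logged in) (203.0.113.7)> PASS ****
(000101) 9/8/2008 23:41:44 PM - (not logged in) (203.0.113.7)> 530 Login or password incorrect!
(000101) 9/8/2008 23:42:02 PM - (not logged in) (203.0.113.7)> PASS ****
(000101) 9/8/2008 23:42:02 PM - (not logged in) (203.0.113.7)> 530 Login or password incorrect!
(000101) 9/8/2008 23:42:25 PM - (not logged in) (203.0.113.7)> 421 Login time exceeded. Closing control connection.
(000102) 9/9/2008 0:00:10 AM - (not logged in) (203.0.113.7)> PASS ****
(000102) 9/9/2008 0:00:10 AM - (not logged in) (203.0.113.7)> 530 Login or password incorrect!
(000102) 9/9/2008 0:00:28 AM - (not logged in) (203.0.113.7)> PASS ****
(000102) 9/9/2008 0:00:28 AM - (not logged in) (203.0.113.7)> 530 Login or password incorrect!
(000103) 9/9/2008 0:01:00 AM - (not logged in) (198.51.100.9)> PASS ****
(000103) 9/9/2008 0:01:00 AM - (not logged in) (198.51.100.9)> 530 Login or password incorrect!
(000104) 9/9/2008 0:02:00 AM - (alice) (198.51.100.9)> 230 Logged on
"""


def parse_line(line):
    """Return a dict for one log line, or None if it is not a log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
    # Assumption from the excerpt: the hour is already 24-hour, with an
    # AM/PM suffix tacked on, so only bump hours below 12 marked PM.
    if m["ampm"] == "PM" and ts.hour < 12:
        ts += timedelta(hours=12)
    return {"session": m["session"], "ts": ts, "user": m["user"],
            "ip": m["ip"], "msg": m["msg"]}


def failed_logins(log_text):
    """Map client IP -> sorted timestamps of its 530 replies."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["msg"].startswith("530 "):
            per_ip[rec["ip"]].append(rec["ts"])
    return {ip: sorted(stamps) for ip, stamps in per_ip.items()}


def summarize(log_text, threshold=3):
    """Per IP: failure count, shortest gap between failures in seconds,
    the attempt ceiling per day at that gap, and a suspect flag."""
    out = {}
    for ip, stamps in failed_logins(log_text).items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        min_gap = min(gaps) if gaps else None
        out[ip] = {
            "failures": len(stamps),
            "min_gap_s": min_gap,
            "max_per_day": int(86400 / min_gap) if min_gap else None,
            "suspect": len(stamps) >= threshold,
        }
    return out


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

Feed it a real FileZilla Server log instead of SAMPLE_LOG to see whether the shortest gap for the attacking address ever climbs toward the roughly 10 seconds mentioned above; in the constructed sample it stays at 18 seconds, which at that pace caps a single connection at 4800 attempts a day.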

dajgtre
500 Command not understood
Posts: 2
Joined: 2009-01-29 20:23
First name: patrick
Last name: h

Re: More options for Autoban

#18 Post by dajgtre » 2009-01-29 20:30

I sincerely hope that the autoban feature stays. Although it is not the perfect solution for fending off hackers, it is a solution. There have been several attempts at entering my server with these brute-force attacks, and when I didn't have the autoban turned on it would go on for a whole day, resulting in the entire network slowing down. Without the autoban feature it would require me to sit here manually and do it, which I am not always able to do.

I say leave it be and let it be optional.


I joined just to write this so I hope you can understand how deeply I believe that the autoban should remain.

/dajgtre

da chicken
226 Transfer OK
Posts: 619
Joined: 2005-11-02 06:41

Re: More options for Autoban

#19 Post by da chicken » 2009-02-03 19:39

That makes no sense. Last time I checked, under a brute force attack you get fewer connection attempts per minute with autoban off than you will with it on. This is because of the tarpitting that the server does automatically after 10 failed attempts with autoban off.

Do you have TLS enforced explicitly?

dajgtre
500 Command not understood
Posts: 2
Joined: 2009-01-29 20:23
First name: patrick
Last name: h

Re: More options for Autoban

#20 Post by dajgtre » 2009-02-03 20:30

da chicken wrote:That makes no sense. Last time I checked, under a brute force attack you get fewer connection attempts per minute with autoban off than you will with it on. This is because of the tarpitting that the server does automatically after 10 failed attempts with autoban off.

Do you have TLS enforced explicitly?

No, I haven't enabled the SSL/TLS support, should I?

My conclusion that the network slowed down due to the attack might be wrong, but this had happened twice, so quite naturally I concluded that it had to do with the brute force attack. After enabling the autoban feature I never had this problem again.

/dajgtre
