Autoban and forced SSL/TLS?

Message

Server Tinker · #1 Post by **Server Tinker** » 2009-01-21 22:00

I have a problem regarding to the Autoban and SSL/TLS-Connections.
Today I have taken a look into my LOG-Files and found out that someone tried to log-in multiple times using an user name ADMINISTRATOR. I have set up Filezilla Server that I force a SSL/TLS-Connection, this is what Filezilla replied to all tries.

Furthermore I have set up the server to enable Autoban after five failed log-ins for 24 hours. But this does not work in that case. I do not know what is the reason for this behaviour.

Enclosed an abstract of my LOG-File.

Code: Select all

...
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:43 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:43 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:44 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:44 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:45 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:45 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:46 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:46 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
...

#2 Post by **botg** » 2009-01-21 22:33

User did not actually try to log on. No PASS after a successful USER.

Server Tinker · #3 Post by **Server Tinker** » 2009-01-22 06:23

This is what I thought too but hoped I was wrong.

Is there a possibility to ban this kind of tries to log-in too?

#4 Post by **botg** » 2009-01-22 08:29

Manually, yes.

da chicken · #5 Post by **da chicken** » 2009-01-27 14:14

Additionally, you should also not have any user account in FileZilla Server named 'administrator'. Some idiot is trying to access your FTP server as if it were IIS. If there's no user named 'administrator' configured in the FileZilla Server Interface, this moron will never gain access.

If you wish, you could configure your gateway or router to drop connections from this IP address (preferred) or add the IP address to the deny list in the FileZilla Server Interface (probably won't work if your server is behind NAT).

Server Tinker · #6 Post by **Server Tinker** » 2009-01-29 06:46

Of course there are no accounts like admin, administrator, root etc. and I always force a TLS/SSL connection.
I am not so happy with the solution to block the IP at the router because some of these IP look like if they are hijacked. My FTP-server is behind an NAT.

da chicken · #7 Post by **da chicken** » 2009-02-03 19:40

Server Tinker wrote:

Code: Select all

...
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:40 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:41 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:42 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:43 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:43 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:44 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:44 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:45 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:45 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
(000001) 21.01.2009 18:30:46 - (not logged in) (www.xxx.yyy.zzz)> USER Administrator
(000001) 21.01.2009 18:30:46 - (not logged in) (www.xxx.yyy.zzz)> 530 Have to use explicit SSL/TLS before logging on.
...

Botg:

By the timestamps there appears to be no tarpitting at all for failed login attempts. This means the server is susceptible to a DoS because of enforcing explicit TLS.

#8 Post by **botg** » 2009-02-03 21:35

By the timestamps there appears to be no tarpitting at all for failed login attempts.

Because it is not a login attempt. Even if he tries till all eternity, he cannot get in this way, even if he would guess the correct password.

da chicken · #9 Post by **da chicken** » 2009-02-03 21:52

Yes, but it'll still allow you to DoS the server.

#10 Post by **botg** » 2009-02-03 22:35

Send a gazillion useless UDP packets. Same result.

FileZilla Forums

Autoban and forced SSL/TLS?

Autoban and forced SSL/TLS?

Re: Autoban and forced SSL/TLS?

Re: Autoban and forced SSL/TLS?

Re: Autoban and forced SSL/TLS?

Re: Autoban and forced SSL/TLS?

Re: Autoban and forced SSL/TLS?

Re: Autoban and forced SSL/TLS?

Re: Autoban and forced SSL/TLS?

Re: Autoban and forced SSL/TLS?

Re: Autoban and forced SSL/TLS?