Opened 16 years ago
Closed 7 years ago
#1434 closed Bug report (outdated)
Server Does Not Enforce Login Attempt Limit with SSL
| Reported by: | jguire1 | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | FileZilla Server |
| Keywords: | Cc: | jguire1, Tim Kosse | |
| Component version: | Operating system type: | ||
| Operating system version: |
Description
I have autoban enabled for 5 failed login attempts. I also "Force SSL for user login". The autoban never fires because, I assume, users attempting login get the return error stating that SSL is required and the attempt is not counted into the autoban limit. This situation results in daily logs of up to 3MB in size due to repeated brute force attempts at login. It appears as if there is a program that kiddie hax0rs all over the world have available. I add address masks to the IP Filter as attempts are made, but new kiddies keep trying. I've filtered out most of China by now. Please see the attached log exerpt.
Attachments (1)
Change History (6)
by , 16 years ago
| Attachment: | Excerpt from fzs-2008-08-09.log added |
|---|
comment:1 by , 16 years ago
Autoban will be removed in a future version of the server. That feature has been slapped on as a band-aid to pacify lots of clueless whiners, it does not serve any purpose. A long password is all you need to keep the server secure.
comment:2 by , 16 years ago
Yes, a long password is all that is needed to keep the server secure. Security is not the issue. By not having an autoban to handle this situation, the server sometimes gets banged with up to 6 login attempts per second for as long as 7 hours. Once a ban is placed, as I have been manually doing when I notice the activity, the attempts stop. The autoban is needed to halt partially effective DOS, not for security. If this were a one-time event, you would not have even heard from me. But this happens almost daily. If there is an alternative way of handling this situation automatically, please let me know. (I'm trying not to whine) :)
comment:3 by , 16 years ago
Yes, a long password is all that is needed to keep the server secure. Security is not the issue. By not having an autoban to handle this situation, the server sometimes gets banged with up to 6 login attempts per second for as long as 7 hours. Once a ban is placed, as I have been manually doing when I notice the activity, the attempts stop. The autoban is needed to halt partially effective DOS, not for security. If this were a one-time event, you would not have even heard from me. But this happens almost daily. If there is an alternative way of handling this situation automatically, please let me know. (I'm trying not to whine) :)
comment:4 by , 7 years ago
Triage suggestion
FileZilla Server 0.9.60 still has an autoban feature. I have not attempted to confirm if "upgrade to SSL" attempts are still not counted toward the autoban limit. However, this ticket has not had any movement in nine years.
I suggest closing this ticket.
comment:5 by , 7 years ago
| Resolution: | → outdated |
|---|---|
| Status: | new → closed |
Excerpt from server log