Opened 16 years ago

Closed 8 years ago

#1434 closed Bug report (outdated)

Server Does Not Enforce Login Attempt Limit with SSL

Reported by: jguire1 Owned by:
Priority: normal Component: FileZilla Server
Keywords: Cc: jguire1, Tim Kosse
Component version: Operating system type:
Operating system version:

Description

I have autoban enabled for 5 failed login attempts. I also "Force SSL for user login". The autoban never fires because, I assume, users attempting login get the return error stating that SSL is required and the attempt is not counted into the autoban limit. This situation results in daily logs of up to 3MB in size due to repeated brute force attempts at login. It appears as if there is a program that kiddie hax0rs all over the world have available. I add address masks to the IP Filter as attempts are made, but new kiddies keep trying. I've filtered out most of China by now. Please see the attached log exerpt.

Attachments (1)

Excerpt from fzs-2008-08-09.log (2.4 KB ) - added by jguire1 16 years ago.
Excerpt from server log

Download all attachments as: .zip

Change History (6)

by jguire1, 16 years ago

Excerpt from server log

comment:1 by Tim Kosse, 16 years ago

Autoban will be removed in a future version of the server. That feature has been slapped on as a band-aid to pacify lots of clueless whiners, it does not serve any purpose. A long password is all you need to keep the server secure.

comment:2 by jguire1, 16 years ago

Yes, a long password is all that is needed to keep the server secure. Security is not the issue. By not having an autoban to handle this situation, the server sometimes gets banged with up to 6 login attempts per second for as long as 7 hours. Once a ban is placed, as I have been manually doing when I notice the activity, the attempts stop. The autoban is needed to halt partially effective DOS, not for security. If this were a one-time event, you would not have even heard from me. But this happens almost daily. If there is an alternative way of handling this situation automatically, please let me know. (I'm trying not to whine) :)

comment:3 by jguire1, 16 years ago

Yes, a long password is all that is needed to keep the server secure. Security is not the issue. By not having an autoban to handle this situation, the server sometimes gets banged with up to 6 login attempts per second for as long as 7 hours. Once a ban is placed, as I have been manually doing when I notice the activity, the attempts stop. The autoban is needed to halt partially effective DOS, not for security. If this were a one-time event, you would not have even heard from me. But this happens almost daily. If there is an alternative way of handling this situation automatically, please let me know. (I'm trying not to whine) :)

comment:4 by Kurt McKee, 8 years ago

Triage suggestion

FileZilla Server 0.9.60 still has an autoban feature. I have not attempted to confirm if "upgrade to SSL" attempts are still not counted toward the autoban limit. However, this ticket has not had any movement in nine years.

I suggest closing this ticket.

comment:5 by Kurt McKee, 8 years ago

Resolution: outdated
Status: newclosed
Note: See TracTickets for help on using tickets.