FTP being attacked?

apopleptic

Hey, I recently restarted my FTP to send files to my family more easily. Since the second day after I put it up, I have been seeing some suspicious stuff in the log.
It looks like this, coming from all different IP addresses.
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> Connected on port 21, sending welcome message...
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 220 Welcome to the server
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> REMOTE HI_SRDK_DEV_GetHddInfo MCTP/1.0
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> CSeq:90
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> Accept:text/HDP
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> Content-Type:text/HDP
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> Func-Version:0x10
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> Content-Length:15
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> Segment-Num:0
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> disconnected.


I just blocked all IP addresses and added only my sister's as allowed. Any other suggestions?
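As an added example (not part of the thread), here is a small Python checker that parses log lines in the format quoted above, groups them by session id, and flags sessions that never logged in but drew repeated "500 Syntax error" replies, which is the pattern a port scanner or DVR-exploit probe leaves behind. The sample log is constructed: the first session copies lines from the excerpt above, the second session (user "sister", IP 203.0.113.7) is made up to show how a legitimate login is not flagged.

```python
import re

# Constructed sample log in the FileZilla-style format quoted in the thread.
# Session 000046 is taken from the excerpt; session 000047 is made up.
SAMPLE_LOG = """\
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> Connected on port 21, sending welcome message...
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 220 Welcome to the server
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> REMOTE HI_SRDK_DEV_GetHddInfo MCTP/1.0
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> CSeq:90
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> disconnected.
(000047) 8/13/2018 0:31:02 AM - (not logged in) (203.0.113.7)> Connected on port 21, sending welcome message...
(000047) 8/13/2018 0:31:02 AM - (not logged in) (203.0.113.7)> USER sister
(000047) 8/13/2018 0:31:02 AM - (not logged in) (203.0.113.7)> 331 Password required for sister
(000047) 8/13/2018 0:31:03 AM - (sister) (203.0.113.7)> 230 Logged on
(000047) 8/13/2018 0:31:05 AM - (sister) (203.0.113.7)> disconnected.
"""

# (session id) date time AM/PM - (user or "not logged in") (ip)> message
LINE_RE = re.compile(
    r"^\((?P<sid>\d+)\) (?P<ts>\S+ \S+ \S+) - \((?P<user>[^)]*)\) "
    r"\((?P<ip>[^)]+)\)> (?P<msg>.*)$"
)

def summarize_sessions(log_text):
    """Group lines by session id; count unrecognized commands and note logins."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        s = sessions.setdefault(
            m["sid"], {"ip": m["ip"], "unrecognized": 0, "logged_in": False})
        if m["msg"].startswith("500 Syntax error"):
            s["unrecognized"] += 1  # server rejected a non-FTP command
        if m["user"] != "not logged in":
            s["logged_in"] = True
    return sessions

def scanner_ips(log_text, threshold=2):
    """IPs of sessions that never logged in yet sent >= threshold junk commands."""
    return sorted({s["ip"] for s in summarize_sessions(log_text).values()
                   if not s["logged_in"] and s["unrecognized"] >= threshold})

if __name__ == "__main__":
    for ip in scanner_ips(SAMPLE_LOG):
        print("probable scanner, candidate for firewall block:", ip)
```

Feed it the real log file and the returned list is the set of addresses worth adding to a firewall deny list, with legitimate logins left untouched.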
 
Looks like a generic script or attack -- just someone scanning IPs -- probably not someone targeting you specifically. Allowing just her IP is fine here.
 
Why can't he mean SFTP?

Because he said FTP with a cert. SFTP uses SSH, not a cert. They are two completely different protocols for securing the tunnel, and using the wrong abbreviation will just cause confusion.
 
That request looks like someone trying an exploit against DVRs, which the internet says usually run on port 9000. I have no idea why they would try that on port 21, but I guess you might as well try everything on all the ports?

The reality of today's internet is if you listen on a port, people are going to come and try all the exploits ever on it. Filtering by IPs is nice if you can do it.
 
Because he said FTP with a cert. SFTP uses SSH, not a cert. They are two completely different protocols for securing the tunnel, and using the wrong abbreviation will just cause confusion.
He said SFTP with a cert, and you can absolutely use SFTP (SSH) with a user cert (key) instead of username/password, so his statement is still completely valid.

You're thinking of SSL certs.
 
If both your and your sister's edge devices are capable of it, set up a hardware VPN between the two devices.
 
Looks like a generic script or attack -- just someone scanning IPs -- probably not someone targeting you specifically. Allowing just her IP is fine here.

Yeah, I know that technically whitelisting the IP in the firewall or FTP software is nearly good enough, but it is an incredibly bad idea to promote this type of band-aid fix to keep an internet-facing FTP server running.

Replace that FTP service with SFTP or FTPS. I prefer SFTP because OpenSSL and FTPS are piles of garbage, but either of them will be better than regular unencrypted FTP.
 
And both measures only protect you from someone "in the middle" seeing your otherwise unencrypted plain-text password while you are logging in.
The "attacks" in question are regular internet noise and you should get used to that, provided your FTP server software is not (too) buggy and does not allow some vulnerability to be exploited.
All you can do if you want your server to be accessible from arbitrary locations is to update it regularly and use a non-standard port. And, of course, use SFTP or FTPS.
 
Good firewall software or FTP software could also ban users after too many failed login attempts.

You could also ban some typical overseas IP blocks and get rid of a lot of noise as well, as long as you don't need Chinese, Russian, or Malaysian people to be able to log on to your FTP.
 