FTP being attacked?

apopleptic

Hey, I recently restarted my FTP to send files to my family more easily. Since the second day I put it up, I started to see some suspicious stuff in the log.
Looks like this stuff, coming from all different IP addresses.
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> Connected on port 21, sending welcome message...
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 220 Welcome to the server
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> REMOTE HI_SRDK_DEV_GetHddInfo MCTP/1.0
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> CSeq:90
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> Accept:text/HDP
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> Content-Type:text/HDP
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> Func-Version:0x10
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> Content-Length:15
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> Segment-Num:0
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
(000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> disconnected.


I just blocked all IP addresses and just added my sister as allowed. Any other suggestions?
 

extide

Looks like a generic script or attack -- just someone scanning IPs -- probably not someone targeting you specifically. Allowing just her IP is fine here.
 

Biznatch

> Why can't he mean SFTP?

Because he said FTP with a cert. SFTP is using SSH, not a cert... They are 2 completely different protocols for securing the tunnel, and using the wrong abbreviation will just cause confusion.
 

toast0

That request looks like someone trying an exploit against DVRs, which the internet says usually runs on port 9000; I have no idea why they would try that on port 21, but I guess might as well try everything on all the ports?

The reality of today's internet is if you listen on a port, people are going to come and try all the exploits ever on it. Filtering by IPs is nice if you can do it.
 

goodcooper

> Because he said FTP with a cert. SFTP is using SSH, not a cert... They are 2 completely different protocols for securing the tunnel, and using the wrong abbreviation will just cause confusion.

he said SFTP with a cert, and you can absolutely use SFTP (SSH) with a user cert (key) instead of username/password... so his statement is still completely valid

you're thinking of SSL certs
 

Dead Parrot

If both yours and your sister's edge devices are capable of it, set up a hardware VPN between the two devices.
 

Stugots

> Looks like a generic script or attack -- just someone scanning IPs -- probably not someone targeting you specifically. Allowing just her IP is fine here.

Yeah, I know that technically whitelisting the IP in the firewall or FTP software is nearly good enough, but it is an incredibly bad idea to promote this type of band-aid fix to keep an internet-facing FTP server running.

Replace that FTP service with SFTP or FTPS. I prefer SFTP because OpenSSL and FTPS are piles of garbage, but either of them will be better than regular unencrypted FTP.
 

tedych

And both measures only protect you from someone "in the middle" seeing your otherwise unencrypted plain text password while you are logging in.
The "attacks" in question are regular internet noise and you should get used to that, given your FTP server software is not (too) buggy to allow some vulnerability to be exploited.
All you can do if you want your server to be accessible from arbitrary locations is to update it regularly and use a non-standard port. And of course use SFTP or FTPS.
 

goodcooper

good firewall software or FTP software could also ban users after too many failed login attempts

you could also ban some typical overseas IP blocks and get rid of a lot of noise as well, as long as you don't need Chinese, Russian, or Malaysian people to be able to log on to your FTP
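
Added example (not written by any poster in this thread): a Python script that reads a log in the layout shown in the first post and separates the two cases discussed above, non-FTP probe traffic that never attempts a login and repeated failed logins worth banning. The 203.0.113.7 session, the `max_failed` threshold and the verdict labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout of the log in the first post: (session) date time AM - (user) (ip)> message
LINE = re.compile(r"^\((\d+)\) \S+ \S+ \S+ - \((.*?)\) \(([\d.]+)\)> (.*)$")
# Verbs a real FTP client may send before it is logged in (RFC 959, 2228, 2389).
PRE_AUTH = set("USER PASS AUTH FEAT SYST QUIT NOOP HELP OPTS PBSZ PROT".split())

def classify(log_text, max_failed=3):
    """Per source IP: count rejected non-FTP lines and failed logins, then label it."""
    stats = defaultdict(lambda: {"non_ftp": 0, "failed_logins": 0})
    last_verb = {}                                   # session id -> last client verb
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        session, _user, ip, msg = m.groups()
        if msg.startswith("Connected on port") or msg == "disconnected.":
            continue
        if re.match(r"\d{3}[ -]", msg):              # server reply: 3-digit code
            verb = last_verb.get(session)
            if msg.startswith("500") and verb and verb not in PRE_AUTH:
                stats[ip]["non_ftp"] += 1            # rejected line was not FTP at all
            elif msg.startswith("530") and verb == "PASS":
                stats[ip]["failed_logins"] += 1      # 530 = not logged in
        else:                                        # client line: keep its first token
            last_verb[session] = re.split(r"[ :]", msg, maxsplit=1)[0].upper()
    for s in stats.values():
        if s["failed_logins"] >= max_failed:
            s["verdict"] = "ban: repeated failed logins"
        elif s["non_ftp"]:
            s["verdict"] = "noise: non-FTP probe, never tried to log in"
        else:
            s["verdict"] = "watch: failed logins below threshold"
    return dict(stats)

def _l(sid, ip, msg):                                # builds one sample log line
    return f"({sid:06d}) 8/13/2018 0:30:29 AM - (not logged in) ({ip})> {msg}"

# Session 46 repeats entries from the post; session 47 (203.0.113.7) is constructed.
SAMPLE = "\n".join(
    [_l(46, "69.120.18.12", m) for m in (
        "220 Welcome to the server", "REMOTE HI_SRDK_DEV_GetHddInfo MCTP/1.0",
        "500 Syntax error, command unrecognized.", "CSeq:90",
        "500 Syntax error, command unrecognized.")]
    + [_l(47, "203.0.113.7", m) for m in
       ["220 Welcome to the server"] + ["USER admin", "331 Password required",
                                        "PASS ****", "530 Not logged in."] * 3])

REPORT = classify(SAMPLE)                            # {ip: counts plus verdict}
```
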