FTP being attacked?

Discussion in 'Networking & Security' started by apopleptic, Aug 25, 2018.

  1. apopleptic

    Hey, I recently restarted my FTP to send files to my family easier. Since the second day I put it up I started to see some suspicious stuff in the log.
    Looks like this stuff, coming from all different IP addresses.
    (000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> Connected on port 21, sending welcome message...
    (000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 220 Welcome to the server
    (000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> REMOTE HI_SRDK_DEV_GetHddInfo MCTP/1.0
    (000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
    (000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> CSeq:90
    (000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
    (000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> Accept:text/HDP
    (000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
    (000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> Content-Type:text/HDP
    (000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
    (000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> Func-Version:0x10
    (000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
    (000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> Content-Length:15
    (000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
    (000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> Segment-Num:0
    (000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> 500 Syntax error, command unrecognized.
    (000046) 8/13/2018 0:30:29 AM - (not logged in) (69.120.18.12)> disconnected.


    I just blocked all IP addresses and just added my sister as allowed, any other suggestions?
     
  2. extide

    Looks like a generic script or attack -- just someone scanning IPs -- probably not someone targeting you specifically. Allowing just her IP is fine here.
     
    FNtastic likes this.
  3. Mr. Baz

    SFTP using certs.
     
  4. IdiotInCharge

    like seriously

    I wouldn't use FTP behind several firewalls. On the edge? Do you want your data stolen?
     
    Mr. Baz likes this.
  5. goodcooper

    FTP is not a thing anymore
     
    mwarps likes this.
  6. Biznatch

    Sftp is SSH. You mean ftpS (ftp over SSL), which is what I use if FTP is required. Only behind an IP white-list though.
     
  7. goodcooper

    Why can't he mean SFTP?
     
  8. Biznatch

    Because he said FTP with a cert. Sftp is using SSH, not a cert.... They are 2 completely different protocols for securing the tunnel, and using the wrong abbreviation will just cause confusion.
     
  9. toast0

    That request looks like someone trying an exploit against DVRs, which the internet says usually runs on port 9000; I have no idea why they would try that on port 21, but I guess might as well try everything on all the ports?

    The reality of today's internet is if you listen on a port, people are going to come and try all the exploits ever on it. Filtering by IPs is nice if you can do it.
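
Added example, not part of any post in this thread: a small Python classifier for the log format quoted in the first post. It separates sessions that send another protocol's request line and headers (like the `MCTP/1.0` request discussed above) from sessions that speak FTP. The sample log lines, the documentation IP addresses, the user name `sister` and the FTP verb list are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the log format from the first post
# (documentation IP addresses, hypothetical user "sister").
SAMPLE_LOG = """\
(000046) 8/13/2018 0:30:29 AM - (not logged in) (203.0.113.7)> 220 Welcome to the server
(000046) 8/13/2018 0:30:29 AM - (not logged in) (203.0.113.7)> REMOTE HI_SRDK_DEV_GetHddInfo MCTP/1.0
(000046) 8/13/2018 0:30:29 AM - (not logged in) (203.0.113.7)> 500 Syntax error, command unrecognized.
(000046) 8/13/2018 0:30:29 AM - (not logged in) (203.0.113.7)> CSeq:90
(000046) 8/13/2018 0:30:29 AM - (not logged in) (203.0.113.7)> disconnected.
(000047) 8/13/2018 0:41:02 AM - (not logged in) (198.51.100.4)> 220 Welcome to the server
(000047) 8/13/2018 0:41:03 AM - (not logged in) (198.51.100.4)> USER sister
(000047) 8/13/2018 0:41:04 AM - (not logged in) (198.51.100.4)> PASS ********
(000047) 8/13/2018 0:41:04 AM - sister (198.51.100.4)> 230 Logged on
"""

# (session id) timestamp - user (ip)> text
LINE = re.compile(r"^\((\d+)\) .*? - (.+?) \(([\d.]+)\)> (.*)$")
FTP_VERBS = {"USER", "PASS", "AUTH", "FEAT", "SYST", "PWD", "CWD", "TYPE",
             "PASV", "EPSV", "PORT", "LIST", "RETR", "STOR", "QUIT", "NOOP"}
REQUEST_LINE = re.compile(r"^\S+ \S+ [A-Z]+/\d+\.\d+$")  # e.g. "GET / HTTP/1.1"
HEADER_LINE = re.compile(r"^[A-Za-z][A-Za-z-]*:\S")        # e.g. "CSeq:90"
SERVER_TEXT = re.compile(r"^(\d{3}[ -]|Connected on port|disconnected\.)")

def classify_sessions(log_text):
    """Return {session_id: (ip, verdict)} for every session in the log."""
    seen = defaultdict(lambda: {"ip": None, "ftp": 0, "foreign": 0})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sid, _user, ip, text = m.groups()
        s = seen[sid]
        s["ip"] = ip
        if SERVER_TEXT.match(text):
            continue  # server reply or connection status, not client input
        verb = text.split(" ", 1)[0].upper()
        if verb in FTP_VERBS:
            s["ftp"] += 1
        elif REQUEST_LINE.match(text) or HEADER_LINE.match(text):
            s["foreign"] += 1
    return {sid: (s["ip"], "foreign-protocol probe" if s["foreign"] and not s["ftp"]
                  else "ftp client" if s["ftp"] else "unclassified")
            for sid, s in seen.items()}

if __name__ == "__main__":
    print(classify_sessions(SAMPLE_LOG))
```

Sessions marked `foreign-protocol probe` never sent a single FTP verb, so they can be counted as scanner noise separately from real login activity when reviewing the log.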
     
  10. goodcooper

    he said SFTP with a cert, and you can absolutely use SFTP (SSH) with a user cert (key) instead of username/password... so his statement is still completely valid

    you're thinking of SSL certs
     
    FNtastic likes this.
  11. extide

    SSH user keys are not certs, though.
     
  12. grasshoppa

    Uh..yes they are.
     
    goodcooper likes this.
  13. Biznatch

  14. Dead Parrot

    If both yours and your sister's edge devices are capable of it, set up a hardware vpn between the two devices.
     
  15. acascianelli

    Yeah, I know that technically whitelisting the IP in the firewall or FTP software is nearly good enough, but it is an incredibly bad idea to promote this type of band-aid fix to keep an internet-facing FTP server running.

    Replace that FTP service with SFTP or FTPS. I prefer SFTP because OpenSSL and FTPS are piles of garbage, but either of them will be better than regular unencrypted FTP.
     
    extide likes this.
  16. tedych

    And both measures only protect you from someone "in the middle" seeing your otherwise unencrypted plain text password while you are logging in.
    The "attacks" in question are regular internet noise and you should get used to that, given your FTP server software is not (too) buggy to allow some vulnerability to be exploited.
    All you can do if you want your server to be accessible from arbitrary locations is to update it regularly and use a non-standard port. And of course use SFTP or FTPS.
     
  17. goodcooper

    good firewall software or ftp software could also ban users after too many failed login attempts

    you could also ban some typical overseas ip blocks and get rid of a lot of noise as well, as long as you don't need chinese, russian, or malaysian people to be able to log on to your FTP