Attack on FileZilla FTP server detected.
Hi, I've got a small FileZilla FTP setup for family members to back up offsite. It's been running reliably for about eight years with minimal use. Recently, I noticed some suspicious traffic attempts that seem to be targeting the server. While it appears nothing has been successfully transmitted, I'm unsure about the next steps. I want to keep access open for new IPs and occasional phone use, so I don't want to restrict it too much. Any advice would be appreciated. Thanks!
It's possible to restrict access to bigger networks rather than individual addresses, such as by whitelisting the networks AT&T lists for internet use. These lists can be accessed via sites like https://bgp.he.net. Just remember, as the previous poster suggested, avoid using FTP without SSL/TLS encryption.
Thank you for your input. Security isn't a top priority here because we only perform weekly backups in various locations. We've managed it successfully for eight years without issues. Obtaining an FTP certificate was challenging, so we didn't pursue it. The ongoing threats persist, but the same commands are repeatedly attempted from over 500 IP addresses, all flagged as unrecognized. SSHFS appears promising and could simplify things for our parents with a mounted drive. We don't reuse passwords across services, using unique 16-character random codes instead. From the attempted commands, it seems they're not targeting passwords directly but aiming to compromise the system or turn it into a bot. This likely explains why blocking one IP instantly triggers 500+ more. I've already blocked 438 IPs globally, and they appear to respond quickly as soon as I do. Next week, I'll explore the mounted drive options further. Appreciate your advice and support!
The FTP port is accessible to anyone; it will be examined, tested and manipulated by various tools worldwide. This is typical for any publicly available service; just keep in mind it may be targeted if an exploit exists for your software version. I wouldn't suggest using FTP due to its lack of security, though this depends on how important it is for the data being transmitted. You should also consider restricting firewall rules by IP address (static) or dynamically by DNS value, and use a service like no-ip to manage a dynamic IP provided by your ISP.
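The prefix allowlisting suggested in the replies above, sketched as an added example that is not part of the original thread: it merges a list of ISP prefixes and reports which logged sources fall outside them and which commands they repeat. The prefixes, addresses and the simplified `<ip> <command>` log lines are constructed placeholders, not FileZilla Server's real log format.

```python
import ipaddress
from collections import Counter

# Constructed allowlist: documentation prefixes standing in for the ISP
# networks you would look up (e.g. on bgp.he.net) for your family's providers.
ALLOWED_PREFIXES = ["198.51.100.0/25", "198.51.100.128/25", "2001:db8:10::/48"]

# Constructed sample lines in a simplified "<ip> <ftp command>" form; adapt
# the parsing in summarize() to the log format your server actually writes.
SAMPLE_LOG = """\
198.51.100.23 USER mum
203.0.113.7 USER anonymous
203.0.113.7 SYST
203.0.113.99 USER anonymous
192.0.2.200 SYST
2001:db8:10::5 USER dad
"""

def build_allowlist(prefixes):
    """Parse CIDR strings and merge adjacent/overlapping ones per IP version."""
    nets = [ipaddress.ip_network(p) for p in prefixes]  # rejects set host bits
    merged = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged

def is_allowed(ip_text, allowlist):
    """True if ip_text is a valid address inside any allowlisted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable source: fail closed
    return any(ip.version == net.version and ip in net for net in allowlist)

def summarize(log_text, allowlist):
    """Return (allowed_ips, outside_ips, command counts from outside sources)."""
    allowed, outside, commands = set(), set(), Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        ip_text, command = parts[0], parts[1].upper()
        if is_allowed(ip_text, allowlist):
            allowed.add(ip_text)
        else:
            outside.add(ip_text)
            commands[command] += 1
    return allowed, outside, commands
```

The merged networks returned by `build_allowlist` are the values to enter as permitted remote ranges in the firewall or in the FTP server's IP filter.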