Filezilla FTP Server - How can someone figure out what the accounts

[AndyD]

are on my server? I just noticed the same ip that I'm not familiar access different accounts. Is it really that easy to get user accounts from the app?

[PNWDweller]

AS far as I know you have to build the accounts and then give access.

[moloko]

yah you have to be able to give them accounts unless you man anonymous sign in account...make sure you do not have those. Your server should be able to see everyone that signed on.

[+BudMan MVC]

Yeah its fairly simple to try admin, root, testuser, billy, bobby, nobody, etc.. etc. They just run through the list trying random passwords as well.

Any ftp server you put on the net is going to see this noise.

What was this top secret username they found? - ftpuser? ;)

[n_K]

For some reason the last half of my lastb log has no usernames or passwords :s but here's part of it to compare with;

aachu ssh:notty 122.55.83.138 Mon Aug 6 17:34 - 17:34 (00:00)

sales ssh:notty 211.155.233.147 Sun Aug 5 16:29 - 16:29 (00:00)

staff ssh:notty 211.155.233.147 Sun Aug 5 16:29 - 16:29 (00:00)

root ssh:notty 213.229.93.218 Sun Aug 5 13:31 - 13:31 (00:00)

root ssh:notty 184.105.154.38 Sun Aug 5 09:44 - 09:44 (00:00)

aaron ssh:notty 211.144.158.130 Fri Aug 3 14:20 - 14:20 (00:00)

root ssh:notty 31.222.158.83 Fri Aug 3 10:12 - 10:12 (00:00)

uucps ssh:notty 176.10.238.79 Thu Aug 2 07:34 - 07:34 (00:00)

root ssh:notty 86.140.51.159 Wed Aug 1 08:29 - 08:29 (00:00)

root ssh:notty 115.144.181.19 Wed Aug 1 01:37 - 01:37 (00:00)

root ssh:notty 203.162.163.160 Tue Jul 31 03:13 - 03:13 (00:00)

root ssh:notty 195.22.8.226 Tue Jul 31 02:45 - 02:45 (00:00)

root ssh:notty 119.254.88.100 Mon Jul 30 20:49 - 20:49 (00:00)

dpnroot ssh:notty 210.14.64.88 Mon Jul 30 14:34 - 14:34 (00:00)

root ssh:notty 210.14.64.88 Mon Jul 30 14:34 - 14:34 (00:00)

root ssh:notty 66.135.61.57 Sun Jul 29 11:52 - 11:52 (00:00)

root ssh:notty 210.14.64.68 Sun Jul 29 07:42 - 07:42 (00:00)

root ssh:notty 94.23.72.122 Sun Jul 29 00:40 - 00:40 (00:00)

root ssh:notty 213.206.86.210 Sat Jul 28 12:06 - 12:06 (00:00)

bin ssh:notty 213.206.86.210 Sat Jul 28 12:06 - 12:06 (00:00)

[+BudMan MVC]

what? See plenty of usernames there - sales, staff, root.

Where did you pull those logs? Yeah they can go on for hundreds if not thousands of attempts from the same IP. Which is why you normally don't allow username password auth on something you want to secure - unless your going to lock it down to source IP.

my ssh server is locked to public key auth only. And sshguard kills them after 4 attempts anyway to keep the logs cleaner.

Oct  1 00:15:43 ubuntu sshguard[1219]: Blocking 200.141.223.78:4 for >630secs: 40 danger in 4 attacks over 4 seconds (all: 40d in 1 abuses over 4s).
Oct  2 05:16:21 ubuntu sshguard[1219]: Blocking 211.155.229.103:4 for >630secs: 40 danger in 4 attacks over 1167 seconds (all: 40d in 1 abuses over 1167s).
Oct  2 10:37:04 ubuntu sshguard[1219]: Blocking 98.126.49.26:4 for >630secs: 40 danger in 4 attacks over 2 seconds (all: 40d in 1 abuses over 2s).
Oct  2 12:04:59 ubuntu sshguard[1219]: Blocking 211.144.158.130:4 for >630secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s).
Oct  3 03:14:46 ubuntu sshguard[1219]: Blocking 187.5.66.12:4 for >630secs: 40 danger in 4 attacks over 39 seconds (all: 40d in 1 abuses over 39s).
Oct  3 15:34:39 ubuntu sshguard[1219]: Blocking 194.65.138.9:4 for >630secs: 40 danger in 4 attacks over 186 seconds (all: 40d in 1 abuses over 186s).
Oct  4 07:08:48 ubuntu sshguard[1219]: Blocking 210.118.169.5:4 for >630secs: 40 danger in 4 attacks over 26 seconds (all: 40d in 1 abuses over 26s).
Oct  4 08:24:41 ubuntu sshguard[1219]: Blocking 189.26.255.11:4 for >630secs: 40 danger in 4 attacks over 1 seconds (all: 40d in 1 abuses over 1s).
Oct  4 08:58:46 ubuntu sshguard[1219]: Blocking 91.205.189.15:4 for >630secs: 40 danger in 4 attacks over 5 seconds (all: 40d in 1 abuses over 5s).
Oct  4 10:00:21 ubuntu sshguard[1219]: Blocking 201.83.151.207:4 for >630secs: 40 danger in 4 attacks over 171 seconds (all: 40d in 1 abuses over 171s).

[n_K]

My server :p

I've got sshguard on but it isn't actually active because the traffics redirected to SNORT instead and I still haven't worked out how to reinject certain SNORT packets back into iptables to sshguard :/ although SNORT does seem to block access for about 20 minutes if more than 2 connections in that time happen, again not really sure why it does that but I'm fine with it doing that haha.

[AndyD]

Budman, I'm probably just going to lock it down by ip. I don't see really another way of handling it since I do want to use username / passwords