Need help figuring out who's trying to hack my FTP server.



  • I have an FTP server behind my pfSense firewall. I used the pfSense gateway IP for my FTP server, for I couldn't figure out how to get 1:1 NAT with FTP working.
    The issue is that all connections to my FTP server look like they're coming from my pfSense gateway IP, not the actual source IP.
    Also, pfSense reports in its logs that all connections to my FTP server are from the gateway IP.
    Is there a way to log the true source so I can block that user/users?

    Regards.



  • AFAIK the only way to show real IPs is to disable the FTP helper.



  • Shouldn't the firewall logs show the IP that is trying to connect to your FTP?  Do you have logging turned on for that rule?  It does in my pfSense.  I also used syslog to capture several days of traffic.



  • IIRC the FTP proxy rule that is generated automagically behind the scenes has the logging flag set. This means you should see the connections in your firewall logs (status>systemlogs, firewall). You can send them to a remote syslog server if you need to view a longer timeframe than the last XXX entries.

    I might be wrong though and can't test this currently. Can you check your logs and let me know if the connections are logged there?



  • When the hack attack starts I check the log files immediately on the website and I don't see any connections.  All I see is the gateway connection to the FTP server, nothing that shows outside/port FTP to gateway.
    I'm turning on a syslog server and starting to capture the data to see if it'll give me more details.
    The hacking stopped yesterday, for they couldn't figure out the password; they were using a brute force attack.  Luckily I'm running pure-ftpd with a MySQL backend, so I don't have any standard usernames.
    They tried over 100,000 attempts to log in with the administrator login; they must have thought it was a Windows box.
    This is the 3rd time this attack has happened in about 2 months.
    I'm assuming someone is blindly scanning for open ports and then initiating an attack.
    I'll keep you posted if it happens again.
    If anyone has any ideas I'd appreciate it.
    Thanks
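The two detection questions in this thread (is a single source hammering the login, and can the log even attribute the source once the pfSense FTP helper has rewritten it to the gateway IP?) can be answered from the pure-ftpd syslog output the poster is about to collect. The script below is an added example, not code from this thread or from pfSense or pure-ftpd. It parses pure-ftpd's "Authentication failed for user" lines, counts failures per source address in a sliding time window, and then checks whether the only "offender" is the firewall's own address, which is the symptom the original poster describes. The log lines, the threshold of 5 failures in 300 seconds, the gateway address 192.0.2.1 and the client addresses are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches the shape of pure-ftpd's syslog failure line:
#   <timestamp> <host> pure-ftpd: (?@<client-ip>) [WARNING] Authentication failed for user [<name>]
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pure-ftpd: "
    r"\(\?@(?P<ip>[\d.]+)\) \[WARNING\] Authentication failed for user \[(?P<user>[^\]]*)\]"
)

# Constructed sample: one address guessing Windows-style names in a burst,
# one address with two spaced-out failures, and one non-failure line.
SAMPLE_LOG = """\
Jan 12 03:14:07 ftphost pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [administrator]
Jan 12 03:14:09 ftphost pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [administrator]
Jan 12 03:14:12 ftphost pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [admin]
Jan 12 03:14:15 ftphost pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [administrator]
Jan 12 03:14:18 ftphost pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [root]
Jan 12 03:14:21 ftphost pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [administrator]
Jan 12 03:20:40 ftphost pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [alice]
Jan 12 04:02:11 ftphost pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [alice]
Jan 12 04:02:30 ftphost pure-ftpd: (?@203.0.113.5) [INFO] New connection from 203.0.113.5
"""

# Constructed sample of the thread's problem: the FTP helper has rewritten every
# client address to the firewall's gateway IP, so attribution is impossible.
MASKED_LOG = """\
Jan 12 05:00:01 ftphost pure-ftpd: (?@192.0.2.1) [WARNING] Authentication failed for user [administrator]
Jan 12 05:00:03 ftphost pure-ftpd: (?@192.0.2.1) [WARNING] Authentication failed for user [administrator]
Jan 12 05:00:05 ftphost pure-ftpd: (?@192.0.2.1) [WARNING] Authentication failed for user [admin]
Jan 12 05:00:07 ftphost pure-ftpd: (?@192.0.2.1) [WARNING] Authentication failed for user [administrator]
Jan 12 05:00:09 ftphost pure-ftpd: (?@192.0.2.1) [WARNING] Authentication failed for user [guest]
"""


def parse_failures(text, year=2024):
    """Return a list of (timestamp, source_ip, username) for each failed login.

    Syslog timestamps carry no year, so one is supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # connections, transfers, etc. are not login failures
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def brute_force_sources(events, threshold=5, window_seconds=300):
    """Map source_ip -> peak number of failures inside any window_seconds span,
    keeping only sources whose peak reaches the threshold."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            # slide the window start forward until it fits inside window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def usernames_tried(events, ip):
    """Count the usernames a given source attempted (e.g. to spot Windows-style guesses)."""
    return Counter(user for _, src, user in events if src == ip)


def masked_by_gateway(flagged, gateway_ip):
    """True when the only flagged 'source' is the firewall itself: the FTP helper
    has hidden the real client and blocking by IP is not possible from this log."""
    return bool(flagged) and set(flagged) == {gateway_ip}


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    hits = brute_force_sources(ev)
    print("brute-force sources:", hits)
    for ip in hits:
        print(ip, "tried usernames:", dict(usernames_tried(ev, ip)))
    masked = brute_force_sources(parse_failures(MASKED_LOG))
    print("attribution lost to FTP helper:", masked_by_gateway(masked, "192.0.2.1"))
```

When the masked check returns True, the log can prove the brute force is happening but cannot say from where; that is the point at which the earlier replies apply (rule logging in the firewall log, remote syslog for history, or disabling the FTP helper so the real client address reaches the server).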



  • If you are under attack again, use the packet capture from diagnostics>packet capture to download some of the traffic. You can then open it with Wireshark for further analysis.

