Netgate Discussion Forum
Need help figuring out who's trying to hack my FTP server.

Category: Firewalling. 6 posts, 4 posters, 3.8k views.
sjitan:

I have an FTP server behind my pfSense firewall. I used the pfSense gateway IP for my FTP server because I couldn't figure out how to get 1:1 NAT with FTP working.
The issue is that all connections to my FTP server look like they're coming from my pfSense gateway IP, not the actual source IP.
pfSense also reports in its logs that all connections to my FTP server are from the gateway IP.
Is there a way to log the true source so I can block that user/users?

Regards.

bruno:

AFAIK the only way to show real IPs is to disable the FTP helper.

kapara:

Shouldn't the firewall logs show the IP that is trying to connect to your FTP? Do you have logging turned on for that rule? It does in my pfSense. I also used syslog to capture several days of traffic.

hoba:

IIRC the FTP proxy rule that is generated automagically behind the scenes has the logging flag set. This means you should see the connections in your firewall logs (Status > System Logs, Firewall). You can send them to a remote syslog server if you need to view a longer timeframe than the last XXX entries.

I might be wrong though and can't test this currently. Can you check your logs and let me know if the connections are logged there?

sjitan:

When the hack attack starts I check the log files immediately on the website and I don't see any connections. All I see is the gateway connection to the FTP server, nothing that shows outside/port FTP to gateway.
I'm turning on a syslog server and will start capturing the data to see if it'll give me more details.
The hacking stopped yesterday because they couldn't figure out the password; they were using a brute-force attack. Luckily I'm running pure-ftpd with a MySQL backend, so I don't have any standard usernames.
They tried over 100,000 attempts to log in with the administrator login; they must have thought it was a Windows box.
This is the 3rd time this attack has happened in about 2 months.
I'm assuming someone is blindly scanning for open ports and then initiating an attack.
I'll keep you posted if it happens again.
If anyone has any ideas I'd appreciate it.
Thanks

hoba:

If you are under attack again, use the packet capture from Diagnostics > Packet Capture to download some of the traffic. You can then open it with Wireshark for further analysis.
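The post above describes a brute-force run against the "administrator" account on a pure-ftpd server. The following is an added example, not code from any poster or from pfSense or pure-ftpd: it reads pure-ftpd authentication failures out of syslog text, groups them per source IP and username, and flags sources that cross a failure threshold inside a time window, which gives a concrete list to block. The log lines are constructed in the shape pure-ftpd normally logs failed logins; the syslog prefix, threshold and window are assumptions to adjust for your setup. Note that when the connections reach the server through the pfSense FTP helper, the IP in these lines will be the gateway address, so every attacker collapses into one bucket; the grouping is only useful once the real client address reaches the server.

```python
"""Spot FTP brute-force sources in pure-ftpd syslog output (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real data): one host hammering 'administrator'
# and 'admin', one legitimate user who mistyped a password once.
SAMPLE_LOG = """\
Mar  3 02:14:01 ftp pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [administrator]
Mar  3 02:14:02 ftp pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [administrator]
Mar  3 02:14:02 ftp pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [administrator]
Mar  3 02:14:03 ftp pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [admin]
Mar  3 02:20:45 ftp pure-ftpd: (?@192.0.2.44) [WARNING] Authentication failed for user [alice]
Mar  3 02:20:58 ftp pure-ftpd: (?@192.0.2.44) [INFO] alice is now logged in
"""

# Assumed syslog layout: "<Mon dd HH:MM:SS> <host> pure-ftpd: (<ident>@<ip>) [WARNING] ..."
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\([^@)]*@(?P<ip>[^)]+)\) \[WARNING\] Authentication failed for user \[(?P<user>[^\]]*)\]"
)


def failed_logins(log_text):
    """Return a list of (timestamp, ip, user) for every authentication failure."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            # Syslog timestamps carry no year; year 1900 is fine for deltas within one file.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("ip"), m.group("user")))
    return events


def brute_force_sources(log_text, threshold=3, window_seconds=60):
    """Per source IP: failure count, usernames tried, and whether any
    window of `window_seconds` held at least `threshold` failures."""
    by_ip = defaultdict(list)
    for ts, ip, user in failed_logins(log_text):
        by_ip[ip].append((ts, user))
    report = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [t for t, _ in events]
        burst, start = False, 0
        for end in range(len(times)):
            # Sliding window: drop events older than the window from the left.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        report[ip] = {
            "failures": len(events),
            "users": sorted({u for _, u in events}),
            "burst": burst,
        }
    return report


def block_list(report):
    """IPs that showed burst behaviour; feed these to a firewall block rule or alias."""
    return sorted(ip for ip, info in report.items() if info["burst"])


if __name__ == "__main__":
    rep = brute_force_sources(SAMPLE_LOG)
    for ip, info in rep.items():
        print(ip, info)
    print("block:", block_list(rep))
```

Run it against a real file with `brute_force_sources(open("/var/log/messages").read())`; only sources with a burst end up in `block_list`, so a single mistyped password from a real user is not blocked.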

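hoba's suggestion is to capture the traffic on pfSense and inspect it; a capture taken on the WAN side shows the client's real address even when the FTP helper rewrites the source seen by the server. As an added example (not code from any poster, and not a pfSense feature), the block below reads a libpcap file with the standard library only and lists every `USER` command sent to port 21 together with the client IP that sent it, which is the list of accounts being guessed and who is guessing them. The capture is constructed in memory so the example runs offline; in practice pass the bytes of the file downloaded from Diagnostics > Packet Capture. Assumptions: Ethernet link type, IPv4, classic pcap (not pcapng), and FTP on port 21.

```python
"""Extract FTP USER commands and client IPs from a pcap file (added example)."""
import socket
import struct
from collections import Counter

ETH_IPV4 = 0x0800
PROTO_TCP = 6
FTP_PORT = 21


def _frame(src_ip, dst_ip, sport, dport, payload):
    """Build one Ethernet/IPv4/TCP frame for the sample capture.
    Checksums are left zero; the parser does not verify them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed capture (not real traffic): one client guessing
    'administrator' three times, one normal login, one server reply."""
    frames = [_frame("198.51.100.7", "203.0.113.1", 40000 + i, FTP_PORT,
                     b"USER administrator\r\n") for i in range(3)]
    frames.append(_frame("192.0.2.44", "203.0.113.1", 51000, FTP_PORT, b"USER alice\r\n"))
    frames.append(_frame("203.0.113.1", "198.51.100.7", FTP_PORT, 40000,
                         b"530 Login authentication failed\r\n"))
    # libpcap global header: magic, version 2.4, thiszone, sigfigs, snaplen, LINKTYPE_ETHERNET
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + n, 0, len(f), len(f)) + f
    return out


def ftp_user_commands(pcap):
    """Yield (client_ip, username) for every USER command sent to port 21."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        pkt = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or struct.unpack("!H", pkt[12:14])[0] != ETH_IPV4:
            continue
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != PROTO_TCP or len(ip) < ihl + 20:
            continue
        src = socket.inet_ntoa(ip[12:16])
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if dport == FTP_PORT and payload.upper().startswith(b"USER "):
            yield src, payload[5:].strip().decode(errors="replace")


def attempts_by_client(pcap):
    """Count USER commands per (client_ip, username): the addresses to block."""
    return Counter(ftp_user_commands(pcap))


if __name__ == "__main__":
    for (ip, user), n in attempts_by_client(build_sample_pcap()).most_common():
        print(f"{ip:15} {user:15} {n}")
```

For a real capture use `attempts_by_client(open("packetcapture.cap", "rb").read())`. The same walk over the frames works for `PASS` commands if you want to count password guesses rather than username guesses; passwords travel in clear text on FTP, which is one more reason to keep the capture file private.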
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.