Solved

Someone tried to access my Filezilla FTP server!  What should I do??

Posted on 2010-09-08
28
939 Views
Last Modified: 2013-12-02
Ok, I am freaked out.  I set up a Filezilla server so me and a couple friends can access my music collection from work.  The log was open and someone was trying to figure out the password of my users!  I have no idea how this happened.  It's only been up a few days.  It's behind a firewall and it's running on Win 7.

Could my IP have been scanned even though I am using a private 192.168.x.x address?

What can I do to secure this so that it's hidden from anyone but who I give a username and password to?
0
Comment
Question by:svillardi
  • 10
  • 9
  • 7
  • +2
28 Comments
 
LVL 9

Accepted Solution

by:
rfportilla earned 500 total points
ID: 33633282
Ports are scanned all of the time, especially the common ones.  The private address only has meaning if it is not exposed to the Internet at all.  If the server (yes, Windows 7 is acting as a server in this case) is available from the Internet, it will have a public Internet address.  

There are better, more secure options than ftp.  Here are a few things I would consider.

1. FTP is not secure, I would consider using a different type of server such as sftp.  I think Filezilla supports this.
2. If your users do not need to upload stuff, don't give them the ability to.  This way, even if someone was able to get a password, they would just be able to download your music, nothing more.  If the files are only for download, you can also host as http.
3. Generally, I try to change my ports to non-standard ports.  FTP uses ports 21 and 20.  If you are not hosting this yourself, you may not be able to change it, but it is worth mentioning.  Just checked, Filezilla supports this.
4. As with all passwords, make sure passwords are complex, at least 8 characters, includes at least 1 capital letter and a number.  It's not too much to ask for.  In higher security installations, this can be a minimum of 12 with mandatory change every 30 days.
5. If you are so inclined, a real techie solution might be to use linux to host you sftp and use certificates for authentication with no passwords.  This is a little more advanced, though.

Let me know if any of this helps.

 
0
 
LVL 20

Expert Comment

by:wolfcamel
ID: 33633310
your internet IP would have been scanned and found that port 21 was open, then they would hit port 21 and try to guess username and password.

Not a lot you can do, advice above is all legit..but as soon as you open up anything (even with passwords, security, certificates) people will try to connect/hack.
You really just have to trust/check the products and methods you put in place.
Nearly all my clients get between 50 and 500 hack attempts per day
0
 
LVL 35

Expert Comment

by:mccarl
ID: 33633316
First to answer your questions...

>> Could my IP have been scanned even though I am using a private 192.168.x.x address?

Yes, because even though your FTP server may be on a private address, you must have opened a port on your firewall and forwarded it through to your FTP server. How else would YOU be accessing from your work if you didn't do this. So yes, someone may have scanned your public IP address and found the port that forwards to your FTP server.

>> What can I do to secure this so that it's hidden from anyone but who I give a username and password to?

You can't!! If you can access an open port from the internet, basically anyone can. You could potentially setup rules in your firewall to only allow incoming requests for that port from an IP address (or range of IP's) that you are on at work, but if your work accesses the net via a dynamic address, or your work changes your address, etc you would lose your access.


What I would suggest is...

1. Use strong passwords; if the passwords that you and your friends log on with are complex and hard to guess/stumble across then you should have much of a problem.
2. Don't use FTP; or at least don't use FTP over normal ports/connections. You could setup a SSH tunnel between your work computer and the where the FTP server is and tunnel traffic over that, or use SFTP over that, etc.
0
 

Author Comment

by:svillardi
ID: 33633320
1.  I could research how to set sftp up, but I don't know how to tell my friends about the client side.  They are using IE with a username and a complex password.
2.  They are set to read only and they only have access to the shared Music directory.
3.  Are any specific ports suggested?  This is on my home network, so I can do anything I want to it.
4.  Already done, but it doesn't stop someone from finding the FTP site, which is my main concern.
5.  I could probably set up a linux VM on it.  But I don't really know what software to use.  I'm not a Linux guru by any stretch of the imagination, so I would need step by step.

Thanks for the quick reply!
0
 

Author Comment

by:svillardi
ID: 33633435
OK, so I made my server (win7) secure by changing the service acct.  Now, do I have to change any permissions on the Music folder itself?  Like adding this new service account to it?

I can't access it anymore to test the port changes!  I changed the firewall to forward the new port to the server's internal IP.

Thanks for all the help.
0
 
LVL 9

Expert Comment

by:rfportilla
ID: 33634376
?? Why did you change over the service acct??  This is something you do if you are worried about a virus or remote control hack.  This situation is not that.

1. SFTP is not difficult at all. Many ftp clients already support sftp, like filezilla.  You just have to tell them to switch the sftp setting.  I would seriously consider this.  Remember that ftp, no matter what port you set it at, is sending passwords as CLEAR text.  

2. The only file settings you probably need to change are going to be in Filezilla and I am guessing they will be related to the user name.  I doubt Filezilla is doing file level security or matching security with the OS.  In other words, look for Filezilla settings for the users you want to access stuff and make sure they are read only.

3. Regarding changing ports, Just pick some ports greater that 1024. In order to get this working, you need to change the setting in the Filezilla (s)ftp server and on your router.  Server first, then router.

4. Scratch the linux idea.  



0
 

Author Comment

by:svillardi
ID: 33635447
OK, I reinstalled FileZilla.  LOL!  This time I left the file security alone.

1.  I do not see references to SFTP within the program.  I do see "enable FTP over SSL", if that is what your suggesting.
2.  The users have strong passwords.
3.  Ports changed.
4.  OK.  LOL!

Now, how can I setup SFTP (I wiki'd this and came up with more than I expected)?  FTP over SSH, same thing?  I want to make sure we are talking apples-to-apples.
0
 

Author Comment

by:svillardi
ID: 33645198
Still trying to understand how to setup SFTP within FileZilla.  Both server and especially the client side, as non-techs will be d/l stuff.  I want to make it as easy as possible for them.

Thanks!!
0
 
LVL 57

Expert Comment

by:giltjr
ID: 33646672
The Filezilla server does not support being a SFTP server.  It only supports FTP and FTPS (FTP SSL'ed).  FTPS is just as secure as SFTP, but it does have some of its own issues.

If your friends are using IE, they will not be able to use SFTP.  However there are clients (like the Filezilla client) that can use FTP, FTPS (FTP SSL'ed), or SFTP (a version of ssh ftp).

Although there could be others here is one way to setup a sftp server on Windows (it uses Cygwin, a Linux like environment that runs on Windows):

http://www.digitalmediaminute.com/article/1487/setting-up-a-sftp-server-on-windows

0
 

Author Comment

by:svillardi
ID: 33654123
Well, I decided that I would try and get Filezilla going properly, however, when I changed the listening port to something other than 21, even after forwarding that port on my router, it's not working.  I get the option to authenticate, but I get no ftp list.

The router said that the default was 20 and 21, however, on the Filezilla server side -- there seems to be only one place to change it and that was from 21, which I did.

I'm missing something, because if I put everything back to 21, it works.  I tried accessing it by specifying the new port in the browser as well (ftp://servername:12345), so that wasn't it either.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 33655469
More than likely because your firewall is "snooping" port 21 to see what ports are going to be used for the data connection.

What type of firewall do you have?
0
 
LVL 9

Assisted Solution

by:rfportilla
rfportilla earned 500 total points
ID: 33655524
When you change the port, also change  the port just below.  

Quick question, when you change Filezilla to  the new port, are you chaning the outside port on your firewall also?  You need to do this.  Some firewalls will support port fowarding where the outside port is different than the inside port (sometimes called PAT).  WHen you connect from your client it must be on the new port.

Second, FTP actually uses to ports.  One is for sending commands, the other is for data.  THe first one, by default, is port 21.  The second is usually triggered open on port 20.  I don't know your router, but you may need to set up a "trigger" to open the second port or forward that one in addition.  The standard is that the second port is one below the first.  So if your first port is 1221, your second port will be 1220.  I think this might be your issue.

Let me try to recap steps here.

1. Change port setting on Filezilla, for ex. port 21 becomes port 1221 ( just an example, you can use a higher number if you like)

2. Change firewall settings to open port 1221 and forward to Win7 PC on port 1221

3. In addition, if this doesn't work as is, check if your router has a trigger option to open a second port.  If not, also forward your new port - 1.  So, also forward port 1220 to your Win7 PC.  

Just out of curiousity, what kind of router do you have?  It might help to figure out the right configuration, just in case this doesn't work...
0
 

Author Comment

by:svillardi
ID: 33655564
I have a Netgear WNR2000.  I tried changing the port similar to what you did, 1220 and 1221, but it didn't work.

Port triggering is available, but not setup on the router, and, if I put the port to the standard 20-21, it works fine without it.  So logically, this shouldn't be required, right?

Shouldn't there be a setting which changes port 20 on the Filezilla Server too?  All I can find is the change to port 21.

Thanks for the assistance.
0
 
LVL 9

Expert Comment

by:rfportilla
ID: 33655593
The trigger is required.  I used to use Netgear and I seem to remember that they have an FTP setting.  When you tell the router to support FTP, it automatically opens ftp port 21 and creates a trigger to open 20 when someone connects to port 21.  It is considered more secure.  In other words, port 20 is only open when someone connects to port 21.

The trigger is required when you reconfigure the ports.  I will use port 1221 for my example.  On the router, you need to open port 1221 and forward to your PC.  Then, setup a trigger with the port 1221 to open port 1220.

Regarding setting only one port, Filezilla will automatically choose the other port  by subtracting one from the port you choose.  For ex. if you choose port 1221, the other port will be 1220.  You don't have to configure this.

Here is the manual for your router if you need some further reading on configuring your router.
ftp://downloads.netgear.com/files/WNR2000_UM_24FEB09.pdf

0
Too many email signature updates to deal with?

Do you feel like you are taking up all of your time constantly visiting users’ desks to make changes to email signatures? Wish you could manage all signatures from one central location, easily design them and deploy them quickly to users? Well, there is an easy way!

 
LVL 9

Expert Comment

by:rfportilla
ID: 33655598
In addition, as a previous person said, Filezilla does not support SFTP, I just downloaded it.  It support ftp over ssl which is good. However, when you set up users there is an option to require ssl for authentication.  Make sure you select that.  You can do that in group settings, too.  And I would make all of my users read only access.  There is no reason to do otherwise unless you want them to upload stuff.  
0
 

Author Comment

by:svillardi
ID: 33658124
Ok, none of this worked.  I opened the router and setup the trigger.

I get the authentication screen, where I enter a username and password and then the "page does not exist" pops up.

Any other ideas?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 33659041
Connect to your ftp server with the command control port set to 1220.

Do a ls and see if you see a response that says PORT or PASV.

I don't think you want to setup a trigger for 1220.  There are two types of data transfer modes, active and passive.

When doing active the server actually connects to the client.  The client will tell the server what port is is listening on using the PORT command.  The server will connect FROM port 20 (that is port 20 is the source port) to the port that the client passed in the PORT command.  The client will expect a connection from the server from port 20.  Port 20 CANNOT be changed.

Now passive data transfers, the client connects back to the server for the data connection.  The server will tell the client what port it will listen on using PASV response.  The client will then connect to the port the server said it was using.



0
 

Author Comment

by:svillardi
ID: 33659264
This is what the log shows:
(000021) 9/12/2010 22:37:20 PM - (not logged in) (11.22.33.44)> Connected, sending welcome message...
(000021) 9/12/2010 22:37:20 PM - (not logged in) (11.22.33.44)> USER mruserguy
(000021) 9/12/2010 22:37:20 PM - (not logged in) (11.22.33.44)> 331 Password required for mruserguy
(000021) 9/12/2010 22:37:20 PM - (not logged in) (11.22.33.44)> PASS *********
(000021) 9/12/2010 22:37:20 PM - mruserguy (11.22.33.44)> 230 Logged on
(000021) 9/12/2010 22:37:20 PM - mruserguy (11.22.33.44)> CWD /
(000021) 9/12/2010 22:37:20 PM - mruserguy (11.22.33.44)> 250 CWD successful. "/" is current directory.
(000021) 9/12/2010 22:37:20 PM - mruserguy (11.22.33.44)> TYPE A
(000021) 9/12/2010 22:37:20 PM - mruserguy (11.22.33.44)> 200 Type set to A
(000021) 9/12/2010 22:37:20 PM - mruserguy (11.22.33.44)> PASV
(000021) 9/12/2010 22:37:20 PM - mruserguy (11.22.33.44)> 227 Entering Passive Mode (192,168,1,100,195,84)
(000021) 9/12/2010 22:37:20 PM - mruserguy (11.22.33.44)> disconnected.
(000022) 9/12/2010 22:37:20 PM - (not logged in) (11.22.33.44)> Connected, sending welcome message...
(000022) 9/12/2010 22:37:20 PM - (not logged in) (11.22.33.44)> USER mruserguy
(000022) 9/12/2010 22:37:20 PM - (not logged in) (11.22.33.44)> 331 Password required for mruserguy
(000022) 9/12/2010 22:37:20 PM - (not logged in) (11.22.33.44)> PASS *********
(000022) 9/12/2010 22:37:20 PM - mruserguy (11.22.33.44)> 230 Logged on
(000022) 9/12/2010 22:37:20 PM - mruserguy (11.22.33.44)> CWD /
(000022) 9/12/2010 22:37:20 PM - mruserguy (11.22.33.44)> 250 CWD successful. "/" is current directory.
(000022) 9/12/2010 22:37:20 PM - mruserguy (11.22.33.44)> TYPE A
(000022) 9/12/2010 22:37:20 PM - mruserguy (11.22.33.44)> 200 Type set to A
(000022) 9/12/2010 22:37:20 PM - mruserguy (11.22.33.44)> PASV
(000022) 9/12/2010 22:37:20 PM - mruserguy (11.22.33.44)> 227 Entering Passive Mode (192,168,1,100,195,85)
0
 
LVL 57

Expert Comment

by:giltjr
ID: 33660633
O.K.  The client is doing passive mode.

There are couple of things you can do:

1) Switch to SFTP.

2) Configure you firewall so that it treats port 1221 as FTP and it should start snooping and see the PASV commands.

3) Configure your ftp server so that it uses a specific range of ports for the data connection and code a rule in your firewall to allow that range inbound.

4) Configure your firewall to allow all high ports inbound to your server.

From a security point of view I have listed the options in the order of most secure to least secure.  However, even switching to  SFTP, if you use the standard port (22) you will be scanned, and you will see attempts to login.

The security risk of using standard FTP over port 21 is that everything is transmitted in clear text.  Which means somebody who has the access to do a packet capture on traffic to your FTP server or from a users FTP client, will be able to see the user-id and passwords.  Moving FTP to a port other than 21 does not change this.  Using SFTP or FTPS the user-id and password are encrypted, so somebody doing a packet capture can't see the user-id or password.





0
 
LVL 9

Expert Comment

by:rfportilla
ID: 33668528
I see we are going on two different paths here.  PASV mode might work, but some routers have trouble with it.  If you can get it to work on the new port, have at it.

Are you specifying the new port from the client?  I didn't see anything suggesting that you told the client the new port.  Otherwise the ftp client will continue to try to connect to port 21.  

@giltjr I think FTP over SSL (FTPS) is more appropriate here over SFTP b/c of what Filezilla will support.  It's basically the same idea.  Filezilla also has a setting to require SSL for authentication in the user setup screen.  This should also be a requirement.
0
 
LVL 9

Expert Comment

by:rfportilla
ID: 33668540
Depending on the client, the client may have to be specified differently.  In Internet Explorer, you type in ftp://servername:1221, if 1221 is your new port.  Most graphical ftp clients will have a separate box for the port.  If not, just enter servername:1221.  This usually works.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 33670487
The only reason I suggested SFTP is because its typically easier than FTP over SSL when dealing with Firewalls.


But, back to the original issue of wanting to prevent somebody from trying to access the FTP server.  There is nothing you can really do about that.  Even if you change to using port 1221 instead of 21, somebody can still do a port scan and see you have something listening on port 1221 that prompts them for a user-id and password and try and logon.

The only way to  really prevent that is to know the IP address of all of your users and block all IP addresses inbound to your ftp server except for your users IP addresses.  If they do NOT have static IP addresses, then its impossible.
0
 

Author Comment

by:svillardi
ID: 33670911
OK, thanks for the continued support.  I finally got FTP to work, using a port other than 21.  In the Filezilla server app there is an interface regarding Passive connections.  While I had tried that before, the problem still existed.  Even with port triggering it still existed.  However.... FINALLY....  I spotted a post about port FORWARDING those ports as well, and it worked!

All the while I was using ftp://www.servername.com:12345.

@rfportilla:  I tried checking off using SSL, but didn't know how to specify in the client.

Still trying to solve this, but at least I am to the next step.  I'm happy at least this worked.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 33671052
What client are  you using?

In Filezilla you need to define/setup a connection using Site Manager (click on File) to a server and specify that you want FTPES (FTP Explicit SSL).
0
 

Author Comment

by:svillardi
ID: 33672339
But can IE users still use this solution?  If so what do they have to do?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 33672725
I will have to check, but I don't think IE supports FTP-SSL.

Remember using FTP-SSL does NOT prevent somebody from attempting to connect to your FTP server.  All SSL does is encrypt the traffic which prevents somebody from snooping on the session.
0
 
LVL 9

Assisted Solution

by:rfportilla
rfportilla earned 500 total points
ID: 33717224
Is this still going on?  I thought this was done already.  IE does not support FTP-SSL.  I would think the best thing is to have your friends just download the filezilla client.  
0
 
LVL 9

Expert Comment

by:rfportilla
ID: 33722731
Windows does not support ftp-s out of the box.  Another software would have to be downloaded

I am sure that there are other solutions out there, but they get much more difficult.  As long as you are only giving your users read access and using a different port, I think you will be fine.  

Cheers!
0

Featured Post

The curse of the end user strikes again      

You’ve updated all your end user’s email signatures. Hooray! But guess what? They’re playing around with the HTML, adding stupid taglines and ruining the imagery. Find out how you can save your signatures from end users today.

Join & Write a Comment

The article explains the protocols and technology which is involved when two computers on different TCP/IP networks communicate with each other. In the diagram, a router is used to segregate two networks. The networks are 192.168.1.0/24 and 192…
If, like me, you have a lot of Dell servers in the estate you manage this article should save you a little time. When attempting to login to iDrac on any server I would be presented with two errors. The first reads "Do you want to run this applicati…
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now