While testing the new release of Hydra against my own FileZilla FTP server, I noticed that FileZilla's autoban feature does not work for IPv6 connections. If there are multiple failed login attempts from an IPv4 address, FileZilla Server correctly blocks that IP; that is, Hydra stops testing passwords because it can no longer connect to the server. However, when using IPv6, FileZilla Server generates the same error message (“421 Temporarily banned for too many failed login attempts”), but new connections from the same IPv6 address are still possible.
Here are my test results:
I am using FileZilla Server version 0.9.43 beta on my old Windows XP notebook. (I know, this is not the most current version, but version 0.9.44 does not run on Windows XP anymore.) Hydra is the just-released version 8.0.
FileZilla Server Autoban
The autoban feature in FileZilla Server is quite simple and looks like this:
Brute-Force via IPv4
I first tried a brute-force attack via IPv4 against the FTP server.
These are a few lines from the FileZilla Server log file. They show the incorrect logins and the error “421 Temporarily banned for too many failed login attempts”. The sessions are then disconnected:
(000006)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> 331 Password required for weberjoh
(000005)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> PASS ***
(000005)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> 530 Login or password incorrect!
(000006)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> PASS ***
(000006)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> 530 Login or password incorrect!
(000005)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> USER weberjoh
(000005)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> 331 Password required for weberjoh
(000003)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> USER weberjoh
(000003)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> 331 Password required for weberjoh
(000004)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> USER weberjoh
(000004)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> 331 Password required for weberjoh
(000005)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> PASS ***
(000005)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> 421 Temporarily banned for too many failed login attempts
(000005)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> disconnected.
And here are the last lines from the Hydra logs which show that no connections are possible any more:
[RE-ATTEMPT] target ftp-foobar.webernetz.net - login "weberjoh" - pass "aaQ" - 30 of 931147511 [child 14]
[VERBOSE] Retrying connection for child 14
[ERROR] Not an FTP protocol or service shutdown: 550 No connections allowed from your IP
[RE-ATTEMPT] target ftp-foobar.webernetz.net - login "weberjoh" - pass "aaR" - 30 of 931147511 [child 14]
[VERBOSE] Retrying connection for child 14
[ERROR] Not an FTP protocol or service shutdown: 550 No connections allowed from your IP
[ERROR] Not an FTP protocol or service shutdown: 550 No connections allowed from your IP
[ERROR] Not an FTP protocol or service shutdown: 550 No connections allowed from your IP
[ERROR] Not an FTP protocol or service shutdown: 550 No connections allowed from your IP
[ERROR] Not an FTP protocol or service shutdown: 550 No connections allowed from your IP
[ERROR] Too many connect errors to target, disabling ftp://ftp-foobar.webernetz.net:21
[ERROR] 1 target was disabled because of too many errors
Brute-Force via IPv6
I then ran the same brute-force attack with IPv6 forced. Here the FileZilla Server log shows the same messages, but the server still allows new connections from the same IPv6 address (!):
(000037)14.05.2014 10:24:51 - (not logged in) (2003:51:6012:114::10)> Connected, sending welcome message...
(000037)14.05.2014 10:24:51 - (not logged in) (2003:51:6012:114::10)> 220 jw-nb04.webernetz.net
(000020)14.05.2014 10:24:52 - (not logged in) (2003:51:6012:114::10)> PASS ***
(000020)14.05.2014 10:24:52 - (not logged in) (2003:51:6012:114::10)> 421 Temporarily banned for too many failed login attempts
(000020)14.05.2014 10:24:52 - (not logged in) (2003:51:6012:114::10)> disconnected.
(000021)14.05.2014 10:24:52 - (not logged in) (2003:51:6012:114::10)> PASS ***
(000021)14.05.2014 10:24:52 - (not logged in) (2003:51:6012:114::10)> 421 Temporarily banned for too many failed login attempts
(000021)14.05.2014 10:24:52 - (not logged in) (2003:51:6012:114::10)> disconnected.
(000038)14.05.2014 10:24:52 - (not logged in) (2003:51:6012:114::10)> Connected, sending welcome message...
(000038)14.05.2014 10:24:52 - (not logged in) (2003:51:6012:114::10)> 220 jw-nb04.webernetz.net
(000042)14.05.2014 10:24:52 - (not logged in) (2003:51:6012:114::10)> Connected, sending welcome message...
(000042)14.05.2014 10:24:52 - (not logged in) (2003:51:6012:114::10)> 220 jw-nb04.webernetz.net
(000028)14.05.2014 10:24:54 - (not logged in) (2003:51:6012:114::10)> USER weberjoh
(000028)14.05.2014 10:24:54 - (not logged in) (2003:51:6012:114::10)> 331 Password required for weberjoh
(000031)14.05.2014 10:24:54 - (not logged in) (2003:51:6012:114::10)> USER weberjoh
(000031)14.05.2014 10:24:54 - (not logged in) (2003:51:6012:114::10)> 331 Password required for weberjoh
(000034)14.05.2014 10:24:57 - (not logged in) (2003:51:6012:114::10)> USER weberjoh
(000034)14.05.2014 10:24:57 - (not logged in) (2003:51:6012:114::10)> 331 Password required for weberjoh
(000028)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> PASS ***
(000028)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> 421 Temporarily banned for too many failed login attempts
(000028)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> disconnected.
(000043)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> USER weberjoh
(000043)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> 331 Password required for weberjoh
(000044)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> Connected, sending welcome message...
(000044)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> 220 jw-nb04.webernetz.net
(000029)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> PASS ***
(000029)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> 421 Temporarily banned for too many failed login attempts
(000029)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> disconnected.
(000047)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> Connected, sending welcome message...
(000047)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> 220 jw-nb04.webernetz.net
(000032)14.05.2014 10:25:01 - (not logged in) (2003:51:6012:114::10)> PASS ***
(000032)14.05.2014 10:25:01 - (not logged in) (2003:51:6012:114::10)> 421 Temporarily banned for too many failed login attempts
(000032)14.05.2014 10:25:01 - (not logged in) (2003:51:6012:114::10)> disconnected.
(000048)14.05.2014 10:25:01 - (not logged in) (2003:51:6012:114::10)> Connected, sending welcome message...
(000048)14.05.2014 10:25:01 - (not logged in) (2003:51:6012:114::10)> 220 jw-nb04.webernetz.net
(000036)14.05.2014 10:25:03 - (not logged in) (2003:51:6012:114::10)> PASS ***
(000036)14.05.2014 10:25:03 - (not logged in) (2003:51:6012:114::10)> 421 Temporarily banned for too many failed login attempts
(000036)14.05.2014 10:25:03 - (not logged in) (2003:51:6012:114::10)> disconnected.
(000037)14.05.2014 10:25:03 - (not logged in) (2003:51:6012:114::10)> PASS ***
(000037)14.05.2014 10:25:03 - (not logged in) (2003:51:6012:114::10)> 421 Temporarily banned for too many failed login attempts
(000037)14.05.2014 10:25:03 - (not logged in) (2003:51:6012:114::10)> disconnected.
That is, Hydra logs some errors, too, but continues testing more passwords:
Process 23786: Can not connect [unreachable]
[ERROR] Child with pid 23786 terminating, can not connect
Process 23784: Can not connect [unreachable]
[ERROR] Child with pid 23784 terminating, can not connect
Process 23780: Can not connect [unreachable]
[ERROR] Child with pid 23780 terminating, can not connect
Process 23779: Can not connect [unreachable]
[ERROR] Child with pid 23779 terminating, can not connect
Process 23783: Can not connect [unreachable]
Process 23785: Can not connect [unreachable]
[ERROR] Child with pid 23783 terminating, can not connect
[ERROR] Child with pid 23785 terminating, can not connect
[ATTEMPT] target ftp-foobar.webernetz.net - login "weberjoh" - pass "aaK" - 31 of 931147496 [child 0]
[ATTEMPT] target ftp-foobar.webernetz.net - login "weberjoh" - pass "aaL" - 32 of 931147496 [child 1]
[ATTEMPT] target ftp-foobar.webernetz.net - login "weberjoh" - pass "aaM" - 33 of 931147496 [child 2]
[ATTEMPT] target ftp-foobar.webernetz.net - login "weberjoh" - pass "aaN" - 34 of 931147496 [child 3]
[ATTEMPT] target ftp-foobar.webernetz.net - login "weberjoh" - pass "aaO" - 35 of 931147496 [child 4]
[ATTEMPT] target ftp-foobar.webernetz.net - login "weberjoh" - pass "aaP" - 36 of 931147496 [child 6]
[ATTEMPT] target ftp-foobar.webernetz.net - login "weberjoh" - pass "aaQ" - 37 of 931147496 [child 13]
[ATTEMPT] target ftp-foobar.webernetz.net - login "weberjoh" - pass "aaR" - 38 of 931147496 [child 7]
[ATTEMPT] target ftp-foobar.webernetz.net - login "weberjoh" - pass "aaS" - 39 of 931147496 [child 11]
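A log check for the behaviour shown above, as an added example that is not part of the original post: it flags sessions that were welcomed after the same client address had already received the 421 ban message. The sample lines are constructed with documentation addresses, and the one-hour `ban_time` default is an assumption to replace with the ban duration configured on the server.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Log line layout as shown in this post:
# (session)DD.MM.YYYY HH:MM:SS - (user) (client address)> message
LINE_RE = re.compile(
    r"^\((\d+)\)(\d\d\.\d\d\.\d{4} \d\d:\d\d:\d\d) - \([^)]*\) \(([^)]+)\)> (.*)$")

# Constructed sample (documentation addresses), modelled on the logs above.
SAMPLE = """\
(000005)14.05.2014 10:21:10 - (not logged in) (192.0.2.10)> PASS ***
(000005)14.05.2014 10:21:10 - (not logged in) (192.0.2.10)> 421 Temporarily banned for too many failed login attempts
(000005)14.05.2014 10:21:10 - (not logged in) (192.0.2.10)> disconnected.
(000020)14.05.2014 10:24:52 - (not logged in) (2001:db8::10)> 421 Temporarily banned for too many failed login attempts
(000020)14.05.2014 10:24:52 - (not logged in) (2001:db8::10)> disconnected.
(000038)14.05.2014 10:24:52 - (not logged in) (2001:db8::10)> Connected, sending welcome message...
(000038)14.05.2014 10:24:52 - (not logged in) (2001:db8::10)> 220 ftp.example.net
(000042)14.05.2014 10:25:00 - (not logged in) (2001:db8::10)> Connected, sending welcome message...
""".splitlines()

def accepted_while_banned(lines, ban_time=timedelta(hours=1)):
    """Return {client address: [session ids welcomed while a ban should apply]}."""
    banned_at = {}  # address -> time of the most recent 421 ban message
    findings = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a session log line
        session, stamp, addr, msg = m.groups()
        try:
            addr = ipaddress.ip_address(addr)  # one canonical form for IPv4 and IPv6
        except ValueError:
            continue
        when = datetime.strptime(stamp, "%d.%m.%Y %H:%M:%S")
        if msg.startswith("421 Temporarily banned"):
            banned_at[addr] = when
        elif msg.startswith("Connected") and addr in banned_at:
            # A welcome logged after the ban line and before the ban has expired.
            if when - banned_at[addr] <= ban_time:
                findings.setdefault(str(addr), []).append(session)
    return findings

if __name__ == "__main__":
    print(accepted_while_banned(SAMPLE))
```

An empty result for an address that was banned means the ban held; any listed session id is a connection the server accepted although it had just announced a ban to that address.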
Bug Report
I also added a bug report on the official website of FileZilla (Ticket #9522). Let’s see whether something happens there or whether I made a mistake…