FTP attempts even though port is not open

Posted: 18 Sep 2019, 08:41
by keat63
I've had a number of failed FTP login attempts overnight, but port 21 is not included in "Allow incoming TCP ports".
Neither is my secret sftp port number.

I'm at a loss how these login attempts managed to get through CSF.

(ftpd) Failed FTP login from 119.xx.xx.xxx (CN/China/Jilin/-/194.xx.xx.xxx.adsl-pool.jlccptt.net.cn): 3 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]

CSF blocked them, but if the port is closed, they shouldn't have even been presented with a log on.

Any ideas?

Re: FTP attempts even though port is not open

Posted: 18 Sep 2019, 10:00
by bdaus
It doesn't matter if a port is open or closed, it can still be probed. The main thing is that CSF will block them at the firewall level if they try enough times with the incorrect credentials. As soon as they're blocked in CSF, they'll stop getting server responses.

Re: FTP attempts even though port is not open

Posted: 18 Sep 2019, 15:51
by keat63
Being naive, but I thought if the ports were not listed in "Allow incoming TCP ports", I assumed therefore they are closed?
If the port is closed, then the ftp client shouldn't even get to the login prompt, should it?

If the port isn't open, the client ought to have failed to connect, but quite obviously connected as they failed the authentication.
What's the point in removing the ports from "Allow incoming ports" if the rule is being ignored?

Am I missing something obvious?

Re: FTP attempts even though port is not open

Posted: 19 Sep 2019, 02:28
by BallyBasic79
Here's a potentially silly analogy:
Just because you lock the front door to keep random people from opening it doesn't prevent someone from coming to the door and checking to see if it is open.

You get tired of the doorknob rattling so you remove the door and relocate it around the side of the house. But that doesn't keep people from coming to where the front door should be and knocking anyway. :D

Practical suggestion: From a different network that is not listed in your csf.allow or ignore lists (use VPN or coffee shop), try to access your server via FTP:21 or other protocol to observe the response that you receive and the resulting log entries in CSF. This will provide a practical understanding of the connection attempt and response. You may find that the log messages are not literally complete in their description of the event.

This is also a good opportunity to observe (or experiment with) the difference between the DROP or REJECT options in Logging Settings. You may wish to not log connection attempts to ports with relocated services.

Does this help?
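
The outside-network check suggested in the post above can be scripted. The following Python sketch is an added example, not part of the original thread: `probe_tcp` reports whether a port greets the client, refuses the connection (the REJECT case) or never answers (the DROP case). `start_fake_ftpd` is a constructed local listener so the block runs offline, and `server.example` is a placeholder host name.

```python
import socket
import threading

def probe_tcp(host, port, timeout=5.0):
    """Classify how a TCP port answers, as seen from the client side.

    Returns (state, banner):
      "open"     - handshake completed; banner is the greeting (FTP sends "220 ...")
      "refused"  - a reset or ICMP port-unreachable came back: no listener,
                   or a firewall rule that REJECTs
      "filtered" - nothing came back before the timeout, which is what a
                   firewall rule that DROPs looks like
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", ""
    except socket.timeout:
        return "filtered", ""
    except OSError as exc:  # e.g. host or network unreachable
        return "error: %s" % exc, ""
    with sock:
        try:
            banner = sock.recv(256).decode("ascii", "replace").strip()
        except OSError:  # connected, but no greeting (timeout or reset)
            banner = ""
    return "open", banner

def start_fake_ftpd():
    """Constructed stand-in for an FTP daemon on 127.0.0.1, for offline runs."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()
        conn.sendall(b"220 constructed FTP greeting\r\n")
        conn.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv

if __name__ == "__main__":
    srv = start_fake_ftpd()
    port = srv.getsockname()[1]
    print("listener up  :", probe_tcp("127.0.0.1", port, 2))
    srv.close()
    print("listener gone:", probe_tcp("127.0.0.1", port, 2))
    # Own server, from an outside network: probe_tcp("server.example", 21)
```

An "open" result with a `220` greeting on port 21 means the FTP daemon is reachable from that network, whatever the port list in the firewall configuration says.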

Re: FTP attempts even though port is not open

Posted: 19 Sep 2019, 10:01
by keat63
I like the analogy, and it's very similar to the one I used when I was explaining to my colleague.
However, using the same analogy.
If the door is closed, locked and moved to the side of the house.
I wouldn't hear him knocking, in fact he'd have nothing to knock on.

In my case, the port is closed, the FTP attempt was accepted, and only authentication stopped him entering.
The guy must be a ghost and can pass through walls. :-)

Yesterday, I tightened failed ftp logins to 1 single failure and an IP block is issued.
I didn't see a single ftp failure overnight.

So either

1. The subsequent CSF restart fixed the problem
2. The hacker gave up and went away
3. CSF has a problem that I've never encountered before now.

Re: FTP attempts even though port is not open

Posted: 19 Sep 2019, 19:15
by BallyBasic79
Did you try hacking in yourself?

Re: FTP attempts even though port is not open

Posted: 20 Sep 2019, 08:20
by keat63
From my trusted IP, if I try to connect to ftp via port xxx (some random made up number), my ftp client just times out.
But I haven't tried from a non-trusted IP.
This is something I'd have to do from home, I just keep forgetting.

Re: FTP attempts even though port is not open

Posted: 20 Sep 2019, 20:38
by Sergio
Actually, everybody knows what ports FTP or SFTP uses. So, even if the ports have been moved, anyone can try to access the normal FTP/SFTP ports as they are universal.

CSF, being a software firewall, doesn't block any IP before connecting to the server; actually it works as a police officer checking if the IP can go further or not. That means that CSF will not block the IP from the beginning of the connection; being software, it will take some time to check all the tables and see if the IP is allowed or not to access the server. In the meantime it will be taking notes of anything that the IP is trying to do and will send you an email of what was done.

If you want the firewall to block any of your rules before entering into your server, you have to buy a hardware firewall, which is a different approach.

Hope this helps to understand what CSF does.

Regards,
Sergio