[FTP attack] FileZilla FTP server under attack

Vfo

Hi.

 

I have a small FileZilla FTP running for family members to back up offsite (they have one too for my stuff) just in case.

We've had them running for 8 years or so without any issues. We barely use them.

Today a lot of attempted traffic caught my eye, and it looks like it's being attacked.
I don't think anything got through, but I'm not sure what I should do.

Any recommendations? I wouldn't want to limit access to only a few select addresses since we sometimes get new IPs and even use our phones if we need something randomly.

 

Thank you for your input.

https://pastebin.com/xmc2R3G2

 

*Replaced the host name IP with "serverIP:port" to avoid people 'checking it out'.

You could always limit it to larger networks than specific addresses but less than the whole internet.
For instance, if you're an AT&T customer you could then whitelist the networks that AT&T announces to the internet. These networks can be found on websites like https://bgp.he.net

I would however advise you, as the previous poster did: do not use FTP (without SSL/TLS).

Thank you both for your advice.

 

The security isn't extremely important since it's just weekly backups in multiple different locations.

We've had it for 8 years without a problem.

Getting a certificate on FTP seemed difficult, so we never bothered.

 

The attacks are still going on, but it's the same commands being tried over and over again from 500+ IPs, and it all comes up as unrecognized commands.

 

 

SSHFS looks interesting and might be more user-friendly for our parents with a mounted drive.

 

We don't use the same passwords for the FTP as anything else. It's all 16-character randomly generated passwords.

From the commands they're trying to get through, I don't even think they want the passwords, but rather infect it to become a zombie or something.

That's probably the same reason they have 500+ IPs acting instantly as soon as I block one. I have blocked 438 IPs so far, from all over the world, and they pop up as fast as I can click them.

 

I'll look into the mounted drive options next week probably.

 

Thank you for your suggestions and help!

You have the FTP port open to the public; it will be scanned, prodded and poked by all sorts of tools from all over the world. This is absolutely normal for any service that is open to the public; expect it to get probed, and exploited should an exploit be available for the software version you are running.

I wouldn't personally recommend using FTP as it's not very secure, but it also depends how much you care about the content being sent over it. I would also look into locking down the firewall rules to per IP (if static) or, if dynamic, per DNS value, and use a service such as no-ip to run a dynamic DNS service on the dynamic IP provided by the ISPs.

 

 

Please quote or tag me if you need a reply
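
The network allowlisting suggested in the replies above (ISP-announced prefixes, or per-IP rules) can be replayed against a connection log before it is enforced, to confirm that family addresses still get through and the scanning sources do not. This is an added example, not part of any post in this thread; the prefixes are documentation ranges standing in for real ISP networks, and the log format is a simplified assumption, not FileZilla's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed allowlist: documentation prefixes standing in for the networks
# an ISP announces (the real ones can be looked up on a site like bgp.he.net).
ALLOWED_PREFIXES = ["198.51.100.0/24", "198.51.100.128/25", "2001:db8:100::/40"]

# Constructed log lines in a simplified, assumed format (not FileZilla's own).
SAMPLE_LOG = """\
2024-01-01 10:00:01 203.0.113.7 < 500 Syntax error, command unrecognized.
2024-01-01 10:00:02 192.0.2.44 < 500 Syntax error, command unrecognized.
2024-01-01 10:00:03 198.51.100.23 < 230 Logged on
2024-01-01 10:00:04 2001:db8:100::5 < 230 Logged on
2024-01-01 10:00:05 203.0.113.9 < 500 Syntax error, command unrecognized.
2024-01-01 10:00:06 not-an-ip < 500 Syntax error, command unrecognized.
"""

LINE_RE = re.compile(r"^\S+ \S+ (\S+) [<>] (.*)$")

def build_allowlist(prefixes):
    """Parse CIDR strings and merge overlapping ones, per IP version."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)

def is_allowed(addr, allowlist):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return any(ip.version == n.version and ip in n for n in allowlist)

def replay(log_text, allowlist):
    """Return (allowed, blocked) Counters of log lines per source IP."""
    allowed, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            bucket = allowed if is_allowed(m.group(1), allowlist) else blocked
        except ValueError:  # address field is not an IP: skip the line
            continue
        bucket[m.group(1)] += 1
    return allowed, blocked

if __name__ == "__main__":
    allowed, blocked = replay(SAMPLE_LOG, build_allowlist(ALLOWED_PREFIXES))
    print("would still connect:", dict(allowed))
    print("would be dropped:   ", dict(blocked))
```

Any address that shows up under "would be dropped" but belongs to a family member (a phone on a mobile carrier, for instance) means another prefix has to be added before the rule goes live.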
