FileZilla Server Bug: Autoban does not work with IPv6

While testing with the new release of Hydra against my own FTP server from FileZilla, I recognized that the autoban feature from FileZilla does not work for IPv6 connections. If there are multiple failed login attempts from an IPv4 address, FileZilla Server correctly blocks that IP. That is: Hydra stops testing passwords since it is not able to connect to the server anymore. However, when using IPv6, the FileZilla server generates the same error message (“421 Temporarily banned for too many failed login attempts”), but new connections from the same IPv6 address are still possible.

Here are my test results:

I am using FileZilla Server version 0.9.43 beta on my old Windows XP notebook. (I know, this is not the most current version. But version 0.9.44 does not run on Windows XP anymore.) Hydra is running with the just released version 8.0.

FileZilla Server Autoban

The autoban feature in FileZilla server is quite simple and looks like that:

FileZilla Server Autoban

Brute-Force via IPv4

I first tried a brute-force attack via IPv4 against the FTP server.

These are a few lines of the FileZilla server logfile. It shows the incorrect logins and the error “421 Temporarily banned for too many failed login attempts”. The sessions are then disconnected:

 

And here are the last lines from the Hydra logs which show that no connections are possible anymore:

 

Brute-Force via IPv6

The same brute-force attack with IPv6 forced. However, here is the FileZilla server log which generated the same messages but still allows new connections from the same IPv6 address (!):

 

That is, Hydra logs some errors, too, but continues testing more passwords:

 

Bug Report

I also added a bug report on the official website of FileZilla (Ticket #9522). Let’s see whether something happens there or whether I made a mistake…

One thought on “FileZilla Server Bug: Autoban does not work with IPv6

Leave a Reply

Your email address will not be published. Required fields are marked *