
We use FTP to send data (XML) from one server to another. Basically, there is a scheduled task on server A which uploads XML files, whenever they are available, to server B using FTP. Since this is a scheduled task, the parameters being used (e.g. login, password) remain the same at all times.

This works perfectly, except that sometimes the FTP user is refused access for a certain amount of time, for no specific reason. When I look into the log file, I can see a 530 An+error+occurred+during+the+authentication+process error happening for approximately an hour (this varies) until the FTP user is able to log in successfully again.

I'm really clueless as to why this is happening. It looks like the FTP user gets banned for a certain time, but I don't think that's the case, since there is really no reason for it. The only restriction I set up is allowing access from specific IP addresses, but the IP address did not change either and is correct. We also use the setting "Windows credentials only".

And this happens every 3-4 days; there is really no pattern to it.

Does anyone have an idea what could be causing this? Is there any way to obtain a more detailed error description than An+error+occurred+during+the+authentication+process?

Zeep
  • If you use plain FTP, run Wireshark filtered on the FTP port and watch. You will get your answer. – yagmoth555 Jan 29 '16 at 11:55
  • I do not have access to server A, a.k.a. the server which sends the XML files, only to server B. Can I capture incoming packets on server B, originating from server A, to determine why server B is refusing access? – Zeep Jan 29 '16 at 13:56
  • @Zeep Yes. Use a portable version of Wireshark on server B, and use the filter ip.src==server_a && ip.dst==server_b && tcp.port==21. If you see an FTP error reply in Wireshark, the problem will be on the other side, so you can't do anything after that. – yagmoth555 Jan 29 '16 at 14:00
  • @yagmoth555 Okay, thanks. Now, since this does not happen every day, nor is it possible to determine when server B is refusing access to server A, is it possible to have Wireshark dump the log files somewhere continuously so I can analyse them later, when I have more specific information? Also, do you know if this continuous logging would affect the server's resources? – Zeep Jan 29 '16 at 14:22
  • It will affect performance, but you can use a port mirror of your server and use a laptop, or another computer, to do the logging. Use the filter to be sure it does not affect much (as it will log only the FTP). – yagmoth555 Jan 29 '16 at 14:24
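The question asks for something more detailed than the 530 text. If server B is IIS FTP with W3C logging, the sc-win32-status column written next to the 530 carries the Win32 error that the authentication call returned (1909 is ERROR_ACCOUNT_LOCKED_OUT, 1326 is ERROR_LOGON_FAILURE, i.e. a wrong password), which separates a lockout from bad credentials without a packet capture. The script below is an added example and is not part of the original question or its comments: the log excerpt, the addresses and the account name ftpsync are constructed, and the #Fields layout is assumed to match the header of the server's own log files.

```python
"""Decode IIS FTP 530 login failures from a W3C log.

Added example, not from the original question. It assumes the FTP service
is IIS FTP writing W3C logs with the sc-win32-status field enabled; the
log excerpt below is constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Win32 status codes IIS FTP writes next to a 530 reply to PASS.
WIN32_REASON = {
    1326: "bad username or password (ERROR_LOGON_FAILURE)",
    1330: "password expired (ERROR_PASSWORD_EXPIRED)",
    1331: "account disabled (ERROR_ACCOUNT_DISABLED)",
    1909: "account locked out (ERROR_ACCOUNT_LOCKED_OUT)",
}

# Constructed excerpt: server B listens on 192.0.2.10, the scheduled task
# on server A connects from 198.51.100.5. The last line comes from an
# address that is not server A, to exercise the trusted-IP check.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2016-01-29 02:00:01 198.51.100.5 ftpsync 192.0.2.10 21 PASS *** 230 0
2016-01-29 02:30:02 198.51.100.5 ftpsync 192.0.2.10 21 PASS *** 530 1909
2016-01-29 02:45:02 198.51.100.5 ftpsync 192.0.2.10 21 PASS *** 530 1909
2016-01-29 03:00:02 198.51.100.5 ftpsync 192.0.2.10 21 PASS *** 530 1909
2016-01-29 03:15:01 198.51.100.5 ftpsync 192.0.2.10 21 PASS *** 230 0
2016-01-29 03:20:44 203.0.113.9 ftpsync 192.0.2.10 21 PASS *** 530 1326
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#"):
            if fields is None:
                raise ValueError("record before any #Fields directive")
            yield dict(zip(fields, raw.split()))


def reason_for(rec):
    """Human-readable cause of a 530, taken from sc-win32-status."""
    code = int(rec["sc-win32-status"])
    return WIN32_REASON.get(code, "unrecognised win32 status %d" % code)


def analyze(text, trusted_ips):
    """Summarise PASS outcomes: failures per client, clients outside the
    allow-list, and lockout windows (first 1909 until the next 230 for
    that user)."""
    failures = defaultdict(Counter)
    untrusted = []
    lock_start = {}
    lockouts = []
    for rec in parse_w3c(text):
        if rec["cs-method"] != "PASS":
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        user, ip, status = rec["cs-username"], rec["c-ip"], rec["sc-status"]
        if status == "230" and user in lock_start:
            lockouts.append((user, lock_start.pop(user), ts))
        elif status == "530":
            reason = reason_for(rec)
            failures[ip][reason] += 1
            if ip not in trusted_ips:
                untrusted.append((ts, ip, user, reason))
            if rec["sc-win32-status"] == "1909":
                lock_start.setdefault(user, ts)
    return {
        "failures": {ip: dict(c) for ip, c in failures.items()},
        "untrusted": untrusted,
        "lockouts": lockouts,
        "still_locked": lock_start,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, trusted_ips={"198.51.100.5"})
    for ip, counts in result["failures"].items():
        print(ip, counts)
    for user, start, end in result["lockouts"]:
        print("%s locked out for %s (from %s)" % (user, end - start, start))
    for ts, ip, user, reason in result["untrusted"]:
        print("untrusted client %s tried %s at %s: %s" % (ip, user, ts, reason))
```

Run against the real log directory the same way, with trusted_ips set to server A's address. A run of 1909 from server A with no 1326 before it means the account was locked from somewhere other than this FTP session, which is the cue to look at the Windows Security log rather than at the scheduled task's credentials.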

1 Answer


After two and a half years, I have finally figured out the issue. Basically, each time the FTP user could not log into the server, he had been locked out by the system for exceeding 5 invalid login attempts. However, it was not the scheduled task providing the wrong credentials that caused the lockout; it was hacking attempts.

It was never clear to me because we have a firewall blocking all external traffic, and the time interval of the attacks would always be relatively small, so by the time I looked into the user accounts, the lockout had already been lifted. It wasn't until yesterday, when our server got bombarded with brute-force attempts for the entire day, that it really showed what was going on.

Apparently somebody had left a firewall rule active which overrode the Remote Desktop rule, making it accessible from the internet... This opened the gates for attacks, causing the FTP user to get locked out due to invalid login attempts and thus disrupting the synchronization.

Zeep
  • And thus the security theater of locking accounts after N login attempts was shown, once again, to be counterproductive. – womble Aug 29 '18 at 09:51
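The answer traces the lockouts to brute-force logon attempts against the RDP port that a stray firewall rule had exposed. In the Windows Security log that shows up as a run of event 4625 (an account failed to log on, SubStatus 0xC000006A for a wrong password) against the service account, followed by event 4740 (a user account was locked out). The script below is an added example and is not part of the original answer: it joins each 4740 to the 4625 events for the same account within the preceding lockout observation window and groups them by source address and logon type (10 is RemoteInteractive, i.e. RDP). The event records are constructed for illustration, in a flattened JSON shape that uses the EventData field names; nothing in them comes from the page.

```python
"""Attribute a Windows account lockout (event 4740) to the failed logons
(event 4625) that produced it.

Added example, not from the original answer. The events below are
constructed and flattened to plain JSON with the EventData field names
(TargetUserName, LogonType, IpAddress, SubStatus); only the fields this
script uses are included.
"""
import json
from collections import Counter
from datetime import datetime, timedelta

LOGON_TYPE = {
    2: "Interactive",
    3: "Network",
    8: "NetworkCleartext",
    10: "RemoteInteractive (RDP)",
}
BAD_PASSWORD = "0xC000006A"   # 4625 SubStatus: wrong password
UNKNOWN_USER = "0xC0000064"   # 4625 SubStatus: user name does not exist

# Constructed Security-log excerpt: the FTP service account ftpsync is
# guessed five times over RDP from two internet addresses, then 4740 fires.
SAMPLE_EVENTS = """
[
 {"EventID": 4625, "TimeCreated": "2018-08-28T14:02:11", "TargetUserName": "ftpsync",
  "LogonType": 10, "IpAddress": "203.0.113.77", "SubStatus": "0xC000006A"},
 {"EventID": 4625, "TimeCreated": "2018-08-28T14:02:13", "TargetUserName": "ftpsync",
  "LogonType": 10, "IpAddress": "203.0.113.77", "SubStatus": "0xC000006A"},
 {"EventID": 4625, "TimeCreated": "2018-08-28T14:02:14", "TargetUserName": "backup",
  "LogonType": 10, "IpAddress": "203.0.113.77", "SubStatus": "0xC0000064"},
 {"EventID": 4625, "TimeCreated": "2018-08-28T14:02:15", "TargetUserName": "ftpsync",
  "LogonType": 10, "IpAddress": "198.51.100.23", "SubStatus": "0xC000006A"},
 {"EventID": 4625, "TimeCreated": "2018-08-28T14:02:16", "TargetUserName": "ftpsync",
  "LogonType": 10, "IpAddress": "203.0.113.77", "SubStatus": "0xC000006A"},
 {"EventID": 4625, "TimeCreated": "2018-08-28T14:02:18", "TargetUserName": "ftpsync",
  "LogonType": 10, "IpAddress": "203.0.113.77", "SubStatus": "0xC000006A"},
 {"EventID": 4740, "TimeCreated": "2018-08-28T14:02:18", "TargetUserName": "ftpsync"}
]
"""


def attribute_lockouts(events_json, window=timedelta(minutes=30), threshold=5):
    """For each 4740, collect the 4625 wrong-password attempts on that
    account within the preceding `window`, grouped by (source, logon type).
    `threshold` is the policy's lockout threshold (5 in the answer)."""
    events = sorted(json.loads(events_json), key=lambda e: e["TimeCreated"])
    failures = [e for e in events
                if e["EventID"] == 4625 and e["SubStatus"] == BAD_PASSWORD]
    report = []
    for lock in (e for e in events if e["EventID"] == 4740):
        locked_at = datetime.fromisoformat(lock["TimeCreated"])
        user = lock["TargetUserName"]
        sources = Counter()
        for f in failures:
            when = datetime.fromisoformat(f["TimeCreated"])
            if f["TargetUserName"] == user and locked_at - window <= when <= locked_at:
                kind = LOGON_TYPE.get(f["LogonType"], "type %s" % f["LogonType"])
                sources[(f["IpAddress"], kind)] += 1
        attempts = sum(sources.values())
        report.append({
            "user": user,
            "locked_at": locked_at,
            "attempts": attempts,
            "sources": dict(sources),
            # Fewer attempts than the threshold means the rest were logged on
            # another machine (e.g. a domain controller): query it too.
            "complete": attempts >= threshold,
        })
    return report


def accounts_tried_per_source(events_json):
    """Distinct account names each source address tried (any 4625). Several
    names from one address is guessing, whatever the SubStatus says."""
    tried = {}
    for e in json.loads(events_json):
        if e["EventID"] == 4625:
            tried.setdefault(e["IpAddress"], set()).add(e["TargetUserName"])
    return {ip: len(users) for ip, users in tried.items()}


if __name__ == "__main__":
    for entry in attribute_lockouts(SAMPLE_EVENTS):
        print("%s locked at %s after %d attempts (complete=%s)"
              % (entry["user"], entry["locked_at"], entry["attempts"], entry["complete"]))
        for (ip, kind), n in sorted(entry["sources"].items(), key=lambda kv: -kv[1]):
            print("  %-16s %-24s %d" % (ip, kind, n))
    print(accounts_tried_per_source(SAMPLE_EVENTS))
```

Logon type 10 from public addresses against a service account is the giveaway the answer describes; failures of type 3 or 8 arriving from server A's own address would instead point back at the scheduled task's credentials. When the attempts count comes out below the policy threshold, the remaining failures were recorded elsewhere (typically on the domain controller that processed them), so the same query has to be run there before drawing a conclusion.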