How do I prevent unwanted FTP connection attempts on my Windows Server 2012 R2?

Question

It appears that I'm getting FTP connection attempts from unknown sources. The SYN_RECEIVED state is nearly always showing.

netstat output

        C:\Users\Administrator>netstat -aon | findstr "1596"
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1596
  TCP    198.XXX.XX.XX:21       121.254.204.3:21       SYN_RECEIVED    1596
  TCP    [::]:21                [::]:0                 LISTENING       1596

I have added my remote ip-address on "IIS - FTP IP Address and Domain Restrictions", is that enough? Anything more I can do like an incoming rule on the Firewall?

Thanks.

Is FTP installed, and if it is, do you need it? – Davidw Feb 05 '21 at 06:05 — Davidw, Feb 05 '21 at 06:05
Yes I do have it installed and I do need the service. – bezbiker Feb 05 '21 at 21:20 — bezbiker, Feb 05 '21 at 21:20

score 0 · Accepted Answer · answered Feb 06 '21 at 10:50

Short answer: you don't.

If you know the origin IP addresses of a reasonable number of valid clients you can allow those addresses specifically in your firewall and block everything else.

(If the data transferred is valuable, make sure you use FTP over TLS (FTPS), or switch to SFTP. The latter also comes with the ability to use key based authentication which may be more secure than human-generated username/password combinations. Note that SFTP is a completely separate protocol from FTP and FTPS).

Thank you Mikael. I have white-listed my remote ip-addresses on the firewall for port 21 and it is working. — bezbiker, Feb 07 '21 at 03:23

How do I prevent unwanted FTP connection attempts on my Windows Server 2012 R2?

1 Answers1