Is this a bruteforce attempt?

What is the problem you are having with rclone?

I keep seeing the following line every 30 seconds or so in my rclone mount using rclone rc logs:

http: TLS handshake error from tls: first record does not look like a TLS handshake

The IP is unknown to me, and the port is different each time. Is this just a typical bruteforce attempt? If so, is there any way I can secure my rclone further outside of using certs/HTTPS and htpasswd? Is there any way to block the IP with rclone/rclone rc itself, or would this only be possible with external means like a software/hardware firewall?

Run the command 'rclone version' and share the full output of the command.

rclone v1.64.0

  • os/version: debian 10.13 (64 bit)
  • os/kernel: 5.10.0-0.deb10.24-amd64 (x86_64)
  • os/type: linux
  • os/arch: amd64
  • go/version: go1.21.1
  • go/linking: static
  • go/tags: none

Which cloud storage system are you using? (eg Google Drive)


The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone mount sftpremote: %h/mnt \
  --config %h/.config/rclone/rclone.conf \
  --dir-cache-time 24h \
  --vfs-cache-mode writes \
  --log-level INFO --log-file "%h/.logs/vfs-sftp.log" \
  --rc \
  --rc-addr {REDACTED}:{REDACTED} \
  --rc-user='{REDACTED}' \
  --rc-htpasswd=/home/{REDACTED}/.config/rclone/keys/htpasswd \
  --rc-cert=/home/{REDACTED}/.config/rclone/keys/certificate.pem \

Please run 'rclone config redacted' and share the full output. If you get command not found, please make sure to update rclone.

type = sftp
host = XXX
user = XXX
port = XXX
pass = XXX
shell_type = unix
md5sum_command = none
sha1sum_command = none

Do not expose your rc interface to the external world. Limit its scope to localhost only.

Yes, you need a firewall.


Thanks for your reply kapitainsky

Unfortunately the server I use it on is a shared server that does not provide root so a firewall isn't possible.

Also I use a remote system to update the SFTP mount to essentially enable polling in a janky sort of way lol, but this means the rc must be world accessible for this workflow.

Are there any other methods I should use to lock it down?

Also, does this mean that it is indeed a brute force? And the bit about TLS is a false positive? I wasn't sure where the TLS bit was coming from because it's an SFTP rclone remote.

These two requirements are contradictory. You expose your rc interface to the whole world or you lock it down.

You can make it far more secure by installing a VPN (WireGuard, OpenVPN, etc.) and connecting to your server only over the VPN.

It is impossible to tell. Some IP tries to connect to yours. Why? Maybe by mistake. Maybe somebody tries to hack it.


Can you give more details about this shared server? It is very rare to have a server and not be able to use sudo. Is there maybe an additional firewall?
You could lock it to localhost and use a VPN as already mentioned. Maybe nginx could work too.
Ultimately it's your risk to make it publicly accessible. In the end it's just a matter of time when someone actually tries to hack you and is successful with it.


Since it's a shared "app hosting" server, the provider does not allow root/sudo to be used in the shell.

Per the VPN suggestion, I wish I could, but the VPN it provides is just to privatize browsing with its server IP; it's not set up to connect to the server's network to tunnel the rclone rc like this.

My username is 20+ characters long and the password is 40+ characters long, so I could be ok for the most part with this right?

My mistake, bad wording on my part in saying "lock it down". I meant more so as in I hope I'm using all the security methods possible with what I'm limited to 🙂

Maybe... rclone's focus is not network security (it does a good job of covering the basics, though).

Do not expose rc to the whole world - make it local only. If you have to access it you can always use ssh - which I would consider much more trusted (for security) than the rclone rc interface.
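One way to triage the log line from the original question, as an added example that is not part of the thread or of rclone itself: it groups Go `TLS handshake error` lines by source address and reports how often and how regularly each one connects. The sample lines, their timestamp prefix and the documentation-range addresses are constructed, and `summarize` is a hypothetical helper name.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: the timestamp prefix is assumed, addresses are documentation ranges.
SAMPLE_LOG = """\
2023/10/01 10:00:00 http: TLS handshake error from 203.0.113.7:40112: tls: first record does not look like a TLS handshake
2023/10/01 10:00:30 http: TLS handshake error from 203.0.113.7:40150: tls: first record does not look like a TLS handshake
2023/10/01 10:00:41 INFO  : unrelated mount message
2023/10/01 10:01:00 http: TLS handshake error from 203.0.113.7:40188: tls: first record does not look like a TLS handshake
2023/10/01 10:07:12 http: TLS handshake error from 198.51.100.23:51514: EOF
"""

# Go's net/http logs "<addr>:<port>: <reason>"; IPv6 addresses appear in brackets.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"http: TLS handshake error from "
    r"(?P<ip>\[[0-9a-fA-F:]+\]|[\d.]+):(?P<port>\d+): (?P<reason>.*)$"
)

def summarize(log_text):
    """Group handshake failures by source IP and measure their cadence."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            hits[m["ip"].strip("[]")].append((ts, int(m["port"]), m["reason"]))
    report = {}
    for ip, events in hits.items():
        events.sort()
        # Seconds between consecutive failures from the same address.
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        report[ip] = {
            "count": len(events),
            "distinct_ports": len({port for _, port, _ in events}),
            "median_gap_s": median(gaps) if gaps else None,
            "reasons": sorted({reason for _, _, reason in events}),
        }
    return report

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

A connection that fails with "first record does not look like a TLS handshake" sent something other than TLS to the HTTPS port and was dropped before any HTTP request was read, so no htpasswd credentials were checked on it. A different source port on every line is normal, because each new TCP connection uses a fresh ephemeral client port.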
