jcgreer
asked on
proftpd limit failed / illegal login attempts
Hello, I had a lamer script kiddie playing with my machine the other day.
How can I limit the number of failed login attempts in proftpd? I think allowing over 4000 for the same user name is a bit much.
I use sshdfilter for ssh2 : http://www.csc.liv.ac.uk/~greg/sshdfilter/index_15.html and love it.
"sshdfilter blocks the frequent brute force attacks on ssh daemons, it does this by directly reading the sshd logging output (or syslog output) and generating iptables rules, the process can be quick enough to block an attack before they get a chance to enter any password at all."
I guess I could just modify sshdfilter to ftpdfilter....
I am looking at Castaglia's information at : http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-Logging.html#FIFOs
Thanks in advance for any ideas...
-----redhat 9 / proftp 1.2.9---
Service ftp: 216.75.61.143: FAILED 4025 Time(s) (all for user=administrator (which does not exist of course))
[14/Jun/2006:02:44:32 -0500] "USER Administrator" 331
ftp-auth.log:FTP SERVER [21] 216.75.61.143 [14/Jun/2006:02:44:32 -0500] "PASS (hidden)" 503
ftpsystem.log:Jun 14 02:46:28 ftp.xxxxxxx.com proftpd[14962] ftp.xxxxxxx.com (216.75.61.143[216.75.61.1
How can I limit the number of failed login attempts in proftpd? I think allowing over 4000 for the same user name is a bit much.
I use sshdfilter for ssh2 : http://www.csc.liv.ac.uk/~greg/sshdfilter/index_15.html and love it.
"sshdfilter blocks the frequent brute force attacks on ssh daemons, it does this by directly reading the sshd logging output (or syslog output) and generating iptables rules, the process can be quick enough to block an attack before they get a chance to enter any password at all."
I guess I could just modify sshdfilter to ftpdfilter....
I am looking at Castaglia's information at : http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-Logging.html#FIFOs
Thanks in advance for any ideas...
-----redhat 9 / proftp 1.2.9---
Service ftp: 216.75.61.143: FAILED 4025 Time(s) (all for user=administrator (which does not exist of course))
[14/Jun/2006:02:44:32 -0500] "USER Administrator" 331
ftp-auth.log:FTP SERVER [21] 216.75.61.143 [14/Jun/2006:02:44:32 -0500] "PASS (hidden)" 503
ftpsystem.log:Jun 14 02:46:28 ftp.xxxxxxx.com proftpd[14962] ftp.xxxxxxx.com (216.75.61.143[216.75.61.1
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.