Solved

proftpd limit failed / illegal login attempts

Posted on 2006-07-06
3
1,265 Views
Last Modified: 2012-08-14
Hello, I had a lamer script kiddie playing with my machine the other day.

How can I limit the number of failed login attempts in proftpd? I think allowing over 4000 for the same user name is a bit much.

I use sshdfilter for ssh2 : http://www.csc.liv.ac.uk/~greg/sshdfilter/index_15.html and love it.
"sshdfilter blocks the frequent brute force attacks on ssh daemons, it does this by directly reading the sshd logging output (or syslog output) and generating iptables rules, the process can be quick enough to block an attack before they get a chance to enter any password at all."

I guess I could just modify sshdfilter to ftpdfilter....

I am looking at Castaglia's information at : http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-Logging.html#FIFOs 

Thanks in advance for any ideas...


-----redhat 9 / proftp 1.2.9---

Service ftp: 216.75.61.143: FAILED 4025 Time(s)  (all for user=administrator (which does not exist of course))

[14/Jun/2006:02:44:32 -0500] "USER Administrator" 331
ftp-auth.log:FTP SERVER [21] 216.75.61.143 [14/Jun/2006:02:44:32 -0500] "PASS (hidden)" 503

ftpsystem.log:Jun 14 02:46:28 ftp.xxxxxxx.com proftpd[14962] ftp.xxxxxxx.com (216.75.61.143[216.75.61.143]): USER Administrator: no such user found from 216.75.61.143 [216.75.61.143] to 33.33.33.33:21
0
Comment
Question by:jcgreer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 24

Accepted Solution

by:
slyong earned 250 total points
ID: 17054333
Hi jcgreer,

A simpler approach will be to use iptables.  However, RH9 is a bit too old, I think you have to install the new iptables with "recent module" (http://snowman.net/projects/ipt_recent/) written by Snow-Man.  I feel like I am telling fairy tales...

Anyway, iptables recent module is able to trace out how fast connections attempt are made.  For brute force attack, most of the time you will see they attempt to login continuously.  For example 4025 times of ftp attempt, if that is over 24 hours, it means 2.79 times a minute?  So iptables recent monitor the connection attempt.. if it is over the limit (e.g. > 3 times in 300 seconds) then it stop the IP.

Here's the example:

iptables -N FTPSCAN
iptables -A INPUT -p tcp --dport 21 -m state –state NEW -j FTPSCAN
iptables -A FTPSCAN -m recent –set –name FTP
iptables -A FTPSCAN -m recent –update –seconds 300 –hitcount 3 –name FTP -j DROP

in order not to block yourself out or some other users which do fast reconnection.. you can use a white list... add the line just below iptables -N FTPSCAN and replace $WHITE_LIST_IP with your static IP (e.g. 168.168.168.168).

iptables -A INPUT -p tcp –dport 21 -s $WHITE_LIST_IP -j ACCEPT

If you want to have a log file of the banned IPs.. you can add the following two lines:

iptables -A FTPSCAN -m recent --update --seconds 300 --hitcount 3 --name FTP -j LOG --log-level info --log-prefix "FTP scan attempt blocked: "
iptables -A FTPSCAN -m recent --update --seconds 300 --hitcount 3 --name FTP -j DROP

<solution adapted from http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/>
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question