proftpd limit failed / illegal login attempts

Posted on 2006-07-06
Last Modified: 2012-08-14
Hello, I had a lamer script kiddie playing with my machine the other day.

How can I limit the number of failed login attempts in proftpd? I think allowing over 4000 for the same user name is a bit much.

I use sshdfilter for ssh2: http://www.csc.liv.ac.uk/~greg/sshdfilter/index_15.html and love it.
"sshdfilter blocks the frequent brute force attacks on ssh daemons, it does this by directly reading the sshd logging output (or syslog output) and generating iptables rules, the process can be quick enough to block an attack before they get a chance to enter any password at all."

I guess I could just modify sshdfilter to ftpdfilter....

I am looking at Castaglia's information at: http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-Logging.html#FIFOs

Thanks in advance for any ideas...


-----redhat 9 / proftp 1.2.9---

Service ftp: 216.75.61.143: FAILED 4025 Time(s)  (all for user=administrator (which does not exist of course))

[14/Jun/2006:02:44:32 -0500] "USER Administrator" 331
ftp-auth.log:FTP SERVER [21] 216.75.61.143 [14/Jun/2006:02:44:32 -0500] "PASS (hidden)" 503

ftpsystem.log:Jun 14 02:46:28 ftp.xxxxxxx.com proftpd[14962] ftp.xxxxxxx.com (216.75.61.143[216.75.61.143]): USER Administrator: no such user found from 216.75.61.143 [216.75.61.143] to 33.33.33.33:21
Question by: jcgreer

Accepted Solution by: slyong (earned 250 total points)
Hi jcgreer,

A simpler approach would be to use iptables. However, RH9 is a bit too old; I think you have to install the new iptables with the "recent module" (http://snowman.net/projects/ipt_recent/) written by Snow-Man. I feel like I am telling fairy tales...

Anyway, the iptables recent module is able to trace how fast connection attempts are made. For a brute force attack, most of the time you will see they attempt to login continuously. For example, 4025 ftp attempts, if that is over 24 hours, means 2.79 times a minute? So iptables recent monitors the connection attempts; if it is over the limit (e.g. > 3 times in 300 seconds) then it stops the IP.

Here's the example:

iptables -N FTPSCAN
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j FTPSCAN
iptables -A FTPSCAN -m recent --set --name FTP
iptables -A FTPSCAN -m recent --update --seconds 300 --hitcount 3 --name FTP -j DROP

In order not to block yourself out or some other users who do fast reconnection, you can use a white list: add the line just below iptables -N FTPSCAN and replace $WHITE_LIST_IP with your static IP (e.g. 168.168.168.168).

iptables -A INPUT -p tcp --dport 21 -s $WHITE_LIST_IP -j ACCEPT

If you want to have a log file of the banned IPs.. you can add the following two lines:

iptables -A FTPSCAN -m recent --update --seconds 300 --hitcount 3 --name FTP -j LOG --log-level info --log-prefix "FTP scan attempt blocked: "
iptables -A FTPSCAN -m recent --update --seconds 300 --hitcount 3 --name FTP -j DROP

<solution adapted from http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/>
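The "ftpdfilter" idea from the question, as an added example that is not from the original thread: a log-side Python equivalent of the recent-module rule in the accepted answer. It parses the ftpsystem.log line format quoted in the question, counts failures per source address in a sliding 300-second window with a hit count of 3, and honours a whitelist, so the resulting addresses can be fed to a port-21 DROP rule; host names, addresses, the whitelist entry and the sample lines are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS, HITCOUNT = 300, 3   # the answer's "--seconds 300 --hitcount 3"
WHITELIST = {"192.0.2.10"}          # constructed stand-in for $WHITE_LIST_IP
# Matches the ftpsystem.log line quoted in the question: syslog timestamp, host,
# proftpd[pid], then "USER <name>: no such user found from <ip>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ proftpd\[\d+\] "
    r".*?: USER (?P<user>\S+): no such user found from (?P<ip>\d+\.\d+\.\d+\.\d+)")
def parse_line(line, year=2006):
    # Returns (timestamp, user, ip) or None; syslog has no year, so one is assumed.
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]
def offenders(lines, window=WINDOW_SECONDS, hitcount=HITCOUNT, whitelist=WHITELIST):
    # The '-m recent' logic applied to the log: IPs with >= hitcount failures inside
    # any window-second span, in log order, skipping whitelisted addresses.
    recent, blocked = defaultdict(deque), set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        if ip in whitelist or ip in blocked:
            continue
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window:   # expire old failures
            q.popleft()
        q.append(ts)
        if len(q) >= hitcount:
            blocked.add(ip)
    return blocked
def _failed(ts, ip, user="Administrator"):
    # Constructed line in the format the question shows, using RFC 5737 addresses.
    return (f"{ts} ftp.example.com proftpd[14962] ftp.example.com ({ip}[{ip}]): "
            f"USER {user}: no such user found from {ip} [{ip}] to 192.0.2.21:21")
SAMPLE_LOG = [
    _failed("Jun 14 02:44:32", "203.0.113.5"),
    _failed("Jun 14 02:44:35", "203.0.113.5"),
    _failed("Jun 14 02:44:40", "203.0.113.5"),    # third failure within 300 s: block
    _failed("Jun 14 02:50:00", "198.51.100.7"),
    _failed("Jun 14 03:10:00", "198.51.100.7"),   # 1200 s later, window restarted
    _failed("Jun 14 03:12:00", "198.51.100.7"),   # only two in the window: no block
    *[_failed(f"Jun 14 03:20:0{i}", "192.0.2.10") for i in range(3)],  # whitelisted
]

if __name__ == "__main__":
    print("block:", *sorted(offenders(SAMPLE_LOG)))   # candidates for a port-21 DROP rule
```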