proftpd limit failed / illegal login attempts

Hello, I had a lamer script kiddie playing with my machine the other day.

How can I limit the number of failed login attempts in proftpd? I think allowing over 4000 for the same user name is a bit much.

I use sshdfilter for ssh2, and love it.
"sshdfilter blocks the frequent brute force attacks on ssh daemons, it does this by directly reading the sshd logging output (or syslog output) and generating iptables rules, the process can be quick enough to block an attack before they get a chance to enter any password at all."

I guess I could just modify sshdfilter to ftpdfilter....

I am looking at Castaglia's information at : 

Thanks in advance for any ideas...

-----redhat 9 / proftp 1.2.9---

Service ftp: FAILED 4025 Time(s)  (all for user=administrator (which does not exist of course))

[14/Jun/2006:02:44:32 -0500] "USER Administrator" 331
ftp-auth.log:FTP SERVER [21] [14/Jun/2006:02:44:32 -0500] "PASS (hidden)" 503

ftpsystem.log:Jun 14 02:46:28 proftpd[14962] ([]): USER Administrator: no such user found from [] to
slyong commented:
Hi jcgreer,

A simpler approach would be to use iptables.  However, RH9 is a bit too old; I think you have to install a newer iptables with the "recent" module (written by Snow-Man). I feel like I am telling fairy tales...

Anyway, the iptables recent module is able to track how fast connection attempts are made.  For a brute force attack, most of the time you will see they attempt to log in continuously.  For example, 4025 ftp attempts, if that is over 24 hours, means 2.79 times a minute?  So iptables recent monitors the connection attempts; if it is over the limit (e.g. > 3 times in 300 seconds) then it stops the IP.

Here's the example:

iptables -N FTPSCAN
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j FTPSCAN
iptables -A FTPSCAN -m recent --set --name FTP
iptables -A FTPSCAN -m recent --update --seconds 300 --hitcount 3 --name FTP -j DROP

In order not to block yourself out, or other users who do fast reconnection, you can use a white list. Add the line just below iptables -N FTPSCAN and replace $WHITE_LIST_IP with your static IP (e.g.

iptables -A INPUT -p tcp --dport 21 -s $WHITE_LIST_IP -j ACCEPT

If you want to have a log file of the banned IPs, you can add the following two lines:

iptables -A FTPSCAN -m recent --update --seconds 300 --hitcount 3 --name FTP -j LOG --log-level info --log-prefix "FTP scan attempt blocked: "
iptables -A FTPSCAN -m recent --update --seconds 300 --hitcount 3 --name FTP -j DROP

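An added example (not from this thread or from sshdfilter) of the "ftpdfilter" idea raised in the question, in Python: it parses proftpd system-log lines in the shape quoted above, applies the same 3-failures-in-300-seconds threshold as the iptables recent rules in the answer, and renders the block commands a log-driven filter would hand to iptables. The source addresses are constructed, and the two failure messages, the log-line layout and the year (syslog lines carry none) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Layout assumed from the question's log line "(host[ip]): USER x: no such user found ...";
# "no such user found" and "Incorrect password" are the failure messages assumed here.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) proftpd\[\d+\] \((?P<host>[^\[]*)\[(?P<ip>[^\]]+)\]\): "
    r"USER (?P<user>\S+)(?: \(Login failed\))?: (?P<msg>no such user found|Incorrect password)"
)

WINDOW_SECONDS = 300   # mirrors "--seconds 300" in the answer's iptables rule
HITCOUNT = 3           # mirrors "--hitcount 3"

# Constructed sample log: one host hammering the server, one typo, one whitelisted office host.
SAMPLE_LOG = [
    "Jun 14 02:44:32 proftpd[14962] (bad.example[203.0.113.5]): USER Administrator: no such user found from bad.example [203.0.113.5] to 192.0.2.10:21",
    "Jun 14 02:44:33 proftpd[14963] (bad.example[203.0.113.5]): USER administrator: no such user found from bad.example [203.0.113.5] to 192.0.2.10:21",
    "Jun 14 02:44:35 proftpd[14964] (bad.example[203.0.113.5]): USER root (Login failed): Incorrect password.",
    "Jun 14 02:50:01 proftpd[14970] (typo.example[198.51.100.7]): USER bob (Login failed): Incorrect password.",
    "Jun 14 02:55:00 proftpd[14980] (office.example[192.0.2.50]): USER alice (Login failed): Incorrect password.",
    "Jun 14 02:55:10 proftpd[14981] (office.example[192.0.2.50]): USER alice (Login failed): Incorrect password.",
    "Jun 14 02:55:20 proftpd[14982] (office.example[192.0.2.50]): USER alice (Login failed): Incorrect password.",
    "Jun 14 02:58:00 proftpd[14990] (bad.example[203.0.113.5]): USER guest: no such user found from bad.example [203.0.113.5] to 192.0.2.10:21",
]

def failures_to_block(lines, window=WINDOW_SECONDS, hitcount=HITCOUNT, whitelist=(), year=2006):
    """Return the set of source IPs with `hitcount` failed logins inside any `window`-second span.

    Sliding window per IP, like the recent module's --update --seconds/--hitcount: timestamps
    older than the window are dropped before counting. Whitelisted addresses are never flagged.
    """
    recent = defaultdict(deque)
    flagged = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["ip"] in whitelist:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > window:
            hits.popleft()
        if len(hits) >= hitcount:
            flagged.add(m["ip"])
    return flagged

def block_commands(ips, chain="FTPSCAN"):
    """Render the iptables commands a log-driven filter would run for the flagged addresses."""
    return [f"iptables -A {chain} -s {ip} -p tcp --dport 21 -j DROP" for ip in sorted(ips)]
```

Running `failures_to_block(SAMPLE_LOG, whitelist={"192.0.2.50"})` flags only 203.0.113.5; its fourth failure at 02:58:00 is outside the 300-second window, so a threshold of 4 flags nothing.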