
proftpd limit failed / illegal login attempts

Hello, I had a lamer script kiddie playing with my machine the other day.

How can I limit the number of failed login attempts in proftpd? I think allowing over 4000 for the same user name is a bit much.

I use sshdfilter for ssh2: http://www.csc.liv.ac.uk/~greg/sshdfilter/index_15.html and love it.
"sshdfilter blocks the frequent brute force attacks on ssh daemons, it does this by directly reading the sshd logging output (or syslog output) and generating iptables rules, the process can be quick enough to block an attack before they get a chance to enter any password at all."

I guess I could just modify sshdfilter to ftpdfilter....

I am looking at Castaglia's information at: http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-Logging.html#FIFOs

Thanks in advance for any ideas...


-----redhat 9 / proftp 1.2.9---

Service ftp: 216.75.61.143: FAILED 4025 Time(s)  (all for user=administrator (which does not exist of course))

[14/Jun/2006:02:44:32 -0500] "USER Administrator" 331
ftp-auth.log:FTP SERVER [21] 216.75.61.143 [14/Jun/2006:02:44:32 -0500] "PASS (hidden)" 503

ftpsystem.log:Jun 14 02:46:28 ftp.xxxxxxx.com proftpd[14962] ftp.xxxxxxx.com (216.75.61.143[216.75.61.143]): USER Administrator: no such user found from 216.75.61.143 [216.75.61.143] to 33.33.33.33:21
Asked by jcgreer
 
slyong commented:
Hi jcgreer,

A simpler approach would be to use iptables.  However, RH9 is a bit too old; I think you have to install the newer iptables with the "recent" module (http://snowman.net/projects/ipt_recent/) written by Snow-Man.  I feel like I am telling fairy tales...

Anyway, the iptables recent module is able to trace how fast connection attempts are made.  For a brute force attack, most of the time you will see they attempt to log in continuously.  For example, 4025 ftp attempts, if that is over 24 hours, means 2.79 times a minute?  So iptables recent monitors the connection attempts; if it is over the limit (e.g. > 3 times in 300 seconds) then it stops the IP.

Here's the example:

# new chain for port 21; every new connection is stamped, and a 3rd one within 300s is dropped
iptables -N FTPSCAN
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j FTPSCAN
iptables -A FTPSCAN -m recent --set --name FTP
iptables -A FTPSCAN -m recent --update --seconds 300 --hitcount 3 --name FTP -j DROP

In order not to lock yourself out, or some other users who reconnect quickly, you can use a white list: add the line just below iptables -N FTPSCAN and replace $WHITE_LIST_IP with your static IP (e.g. 168.168.168.168).

iptables -A INPUT -p tcp --dport 21 -s $WHITE_LIST_IP -j ACCEPT

If you want to have a log file of the banned IPs, you can add the following two lines:

iptables -A FTPSCAN -m recent --update --seconds 300 --hitcount 3 --name FTP -j LOG --log-level info --log-prefix "FTP scan attempt blocked: "
iptables -A FTPSCAN -m recent --update --seconds 300 --hitcount 3 --name FTP -j DROP

<solution adapted from http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/>
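The iptables recent rule above counts every new connection, so a legitimate client that reconnects three times in five minutes is dropped too. The asker's other idea, an "ftpdfilter" in the spirit of sshdfilter, counts only failed logins by reading proftpd's own log. The following is an added example written for this page, not code from either poster or from sshdfilter: it parses the "no such user found" line format shown in the question, keeps a per-IP sliding window with the same 3-in-300s policy, honours a whitelist, and returns the IPs that would be blocked together with the iptables rule an ftpdfilter would insert. The hostname, the 10.0.0.5 client, and the sample log lines are constructed; matching the wrong-password "Login failed" message is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Failed-login line proftpd writes to its system log, from the question's
# "no such user found" excerpt. Assumption: the wrong-password variant
# ("Login failed") shares the same "from <ip> [" tail, so it matches too.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ proftpd\[\d+\] .*"
    r"(?:no such user found|Login failed).* from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \["
)

def block_rule(ip):
    # The rule an ftpdfilter would insert; returned here rather than executed.
    return "iptables -I INPUT -s %s -p tcp --dport 21 -j DROP" % ip

def scan(lines, window=300, hitcount=3, whitelist=()):
    """IPs with >= hitcount failed logins inside a sliding `window` seconds, in the
    order they cross it (the answer's 3-in-300s policy, counting failures only)."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent failures
    blocked = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or m.group("ip") in whitelist:
            continue
        ip = m.group("ip")
        # syslog stamps carry no year; only differences between them matter
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # expire old failures
            q.popleft()
        if len(q) >= hitcount and ip not in blocked:
            blocked.append(ip)
    return blocked

# Constructed sample log modelled on the question's excerpt (not real traffic).
SAMPLE_LOG = """\
Jun 14 02:46:28 ftp.example.com proftpd[14962] ftp.example.com (216.75.61.143[216.75.61.143]): USER Administrator: no such user found from 216.75.61.143 [216.75.61.143] to 33.33.33.33:21
Jun 14 02:46:29 ftp.example.com proftpd[14963] ftp.example.com (216.75.61.143[216.75.61.143]): USER Administrator: no such user found from 216.75.61.143 [216.75.61.143] to 33.33.33.33:21
Jun 14 02:46:30 ftp.example.com proftpd[14964] ftp.example.com (168.168.168.168[168.168.168.168]): FTP session opened.
Jun 14 02:46:31 ftp.example.com proftpd[14965] ftp.example.com (216.75.61.143[216.75.61.143]): USER Administrator: no such user found from 216.75.61.143 [216.75.61.143] to 33.33.33.33:21
Jun 14 02:50:00 ftp.example.com proftpd[14970] ftp.example.com (10.0.0.5[10.0.0.5]): USER bob: no such user found from 10.0.0.5 [10.0.0.5] to 33.33.33.33:21
Jun 14 03:10:00 ftp.example.com proftpd[14980] ftp.example.com (10.0.0.5[10.0.0.5]): USER bob: no such user found from 10.0.0.5 [10.0.0.5] to 33.33.33.33:21
Jun 14 03:10:01 ftp.example.com proftpd[14981] ftp.example.com (10.0.0.5[10.0.0.5]): USER bob: no such user found from 10.0.0.5 [10.0.0.5] to 33.33.33.33:21
""".splitlines()

if __name__ == "__main__":
    for ip in scan(SAMPLE_LOG, whitelist=("168.168.168.168",)):
        print(block_rule(ip))
```

Only 216.75.61.143 is reported with the default policy: the 10.0.0.5 client also fails three times, but its first failure has aged out of the 300 s window by the third, which is the behaviour that keeps a forgetful human from being banned.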