proftpd limit failed / illegal login attempts

Posted on 2006-07-06
Last Modified: 2012-08-14
Hello, I had a lamer script kiddie playing with my machine the other day.

How can I limit the number of failed login attempts in proftpd? I think allowing over 4000 for the same user name is a bit much.

I use sshdfilter for ssh2 : http://www.csc.liv.ac.uk/~greg/sshdfilter/index_15.html and love it.
"sshdfilter blocks the frequent brute force attacks on ssh daemons, it does this by directly reading the sshd logging output (or syslog output) and generating iptables rules, the process can be quick enough to block an attack before they get a chance to enter any password at all."

I guess I could just modify sshdfilter to ftpdfilter....

I am looking at Castaglia's information at : http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-Logging.html#FIFOs 

Thanks in advance for any ideas...


-----redhat 9 / proftp 1.2.9---

Service ftp: 216.75.61.143: FAILED 4025 Time(s)  (all for user=administrator (which does not exist of course))

[14/Jun/2006:02:44:32 -0500] "USER Administrator" 331
ftp-auth.log:FTP SERVER [21] 216.75.61.143 [14/Jun/2006:02:44:32 -0500] "PASS (hidden)" 503

ftpsystem.log:Jun 14 02:46:28 ftp.xxxxxxx.com proftpd[14962] ftp.xxxxxxx.com (216.75.61.143[216.75.61.143]): USER Administrator: no such user found from 216.75.61.143 [216.75.61.143] to 33.33.33.33:21
Question by: jcgreer


Accepted Solution by: slyong (earned 250 total points)
ID: 17054333
Hi jcgreer,

A simpler approach would be to use iptables.  However, RH9 is a bit too old; I think you have to install the new iptables with the "recent" module (http://snowman.net/projects/ipt_recent/) written by Snow-Man.  I feel like I am telling fairy tales...

Anyway, the iptables recent module is able to trace how fast connection attempts are made.  For a brute force attack, most of the time you will see them attempt to log in continuously.  For example, 4025 ftp attempts, if that is over 24 hours, means 2.79 attempts a minute.  So iptables recent monitors the connection attempts; if it is over the limit (e.g. > 3 times in 300 seconds) then it stops the IP.

Here's the example:

iptables -N FTPSCAN
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j FTPSCAN
iptables -A FTPSCAN -m recent --set --name FTP
iptables -A FTPSCAN -m recent --update --seconds 300 --hitcount 3 --name FTP -j DROP

In order not to lock yourself out, or other users who reconnect quickly, you can use a white list: add the following line just below "iptables -N FTPSCAN" and replace $WHITE_LIST_IP with your static IP (e.g. 168.168.168.168).

iptables -A INPUT -p tcp --dport 21 -s $WHITE_LIST_IP -j ACCEPT

If you want to have a log of the banned IPs, you can add the following two lines:

iptables -A FTPSCAN -m recent --update --seconds 300 --hitcount 3 --name FTP -j LOG --log-level info --log-prefix "FTP scan attempt blocked: "
iptables -A FTPSCAN -m recent --update --seconds 300 --hitcount 3 --name FTP -j DROP

<solution adapted from http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/>
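As an added example, not part of the original thread nor of sshdfilter or proftpd, here is the log-driven variant the question asks about (a "ftpdfilter"), combined with the sliding-window idea behind the recent-module rules in the accepted answer. It parses proftpd's syslog-style "no such user found" lines in the exact shape quoted in the question, keeps a per-source window of recent failures, honours a CIDR white list, and returns the iptables command to run when a source crosses the threshold, plus the matching delete command once a ban has aged out. The log lines, hostnames, addresses, threshold and ban duration below are constructed for illustration; the script never invokes iptables itself, so the caller decides how to apply the returned commands.

```python
"""Added example: a log-driven brute-force blocker for proftpd in the spirit
of sshdfilter.  It reads proftpd's "no such user found" lines (ftpsystem.log
format as quoted in the question), keeps a sliding window of failures per
source address, and returns the iptables command to run once an address
exceeds the threshold.  Nothing is executed here."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Shape of the ftpsystem.log line quoted in the question.  The syslog
# timestamp carries no year, so the caller supplies one.
FAILED_USER_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ proftpd\[\d+\] \S+ \([^)]*\[(?P<ip>[\d.]+)\]\): "
    r"USER (?P<user>\S+): no such user found"
)


def parse_failure(line, year):
    """Return (timestamp, source_ip, username) for a failed-login line, else None."""
    m = FAILED_USER_RE.match(line)
    if not m:
        return None
    stamp = "%s %s %s %d" % (m.group("month"), m.group("day"), m.group("time"), year)
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y"), m.group("ip"), m.group("user")


class FtpFailureTracker:
    """Per-source sliding-window counter, like the recent match but fed from the log."""

    def __init__(self, threshold=5, window_seconds=300, ban_seconds=3600, whitelist=()):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.ban = timedelta(seconds=ban_seconds)
        # White-list entries are CIDR strings; a single host is "a.b.c.d/32".
        self.whitelist = [ipaddress.ip_network(w) for w in whitelist]
        self.hits = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                 # ip -> time the ban was issued

    def _whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def feed(self, line, year):
        """Process one log line; return an iptables command if a ban is triggered."""
        parsed = parse_failure(line, year)
        if parsed is None:
            return None
        ts, ip, _user = parsed
        if ip in self.banned or self._whitelisted(ip):
            return None
        window = self.hits[ip]
        window.append(ts)
        # Forget failures older than the window so a slow trickle never accumulates.
        while window and ts - window[0] > self.window:
            window.popleft()
        if len(window) >= self.threshold:
            self.banned[ip] = ts
            del self.hits[ip]
            return "iptables -I INPUT -s %s -p tcp --dport 21 -j DROP" % ip
        return None

    def expire(self, now):
        """Return the iptables commands that lift bans older than ban_seconds."""
        cmds = []
        for ip, since in list(self.banned.items()):
            if now - since >= self.ban:
                cmds.append("iptables -D INPUT -s %s -p tcp --dport 21 -j DROP" % ip)
                del self.banned[ip]
        return cmds


def make_line(day, hhmmss, ip, user="Administrator"):
    """Constructed ftpsystem.log line in the format quoted in the question."""
    return ("Jun %d %s ftp.example.com proftpd[14962] ftp.example.com (%s[%s]): "
            "USER %s: no such user found from %s [%s] to 33.33.33.33:21"
            % (day, hhmmss, ip, ip, user, ip, ip))


# Constructed sample: one attacker hammering a nonexistent account, one host
# with a couple of typos, one white-listed admin host, and an unrelated line.
SAMPLE_LOG = (
    [make_line(14, "02:44:%02d" % s, "216.75.61.143") for s in range(32, 38)]
    + [make_line(14, "02:45:00", "192.0.2.10"), make_line(14, "02:45:01", "192.0.2.10")]
    + [make_line(14, "02:45:10", "198.51.100.7")] * 6
    + ["Jun 14 02:46:00 ftp.example.com proftpd[14962]: unrelated line"]
)


def run_sample(lines=SAMPLE_LOG, year=2006):
    """Feed the sample log through the tracker; return (tracker, ban commands issued)."""
    tracker = FtpFailureTracker(threshold=5, window_seconds=300,
                                whitelist=["198.51.100.0/24"])
    commands = [c for c in (tracker.feed(line, year) for line in lines) if c]
    return tracker, commands


if __name__ == "__main__":
    tracker, commands = run_sample()
    for c in commands:
        print(c)
    for c in tracker.expire(datetime(2006, 6, 14, 3, 45)):
        print(c)
```

Run it as-is to see one DROP for 216.75.61.143 after its fifth failure and the matching delete once the hour is up; in real use you would tail ftpsystem.log (or a FIFO as in the Castaglia logging HOWTO), pass each line to feed(), run the returned commands, and call expire() periodically so bans do not pile up forever. The ban is keyed on source address, not username, because the attacker in the question stayed on one address while cycling a nonexistent account.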