
Blocking PROFTPD banned users permanently

PROFTPD is a great FTP server. However, I found that once I had it running, every man and his dog tried to brute force their way in.

The mod_ban module helps stop brute force attacks. Check whether the module is already compiled in:

# proftpd --list | fgrep mod_ban
  mod_ban.c
#

If not, you need to download the source and recompile it. Here is the configure command I used to build it on my CentOS 5 system:

./configure --build=i686-redhat-linux-gnu --host=i686-redhat-linux-gnu \
  --target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr \
  --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share \
  --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec \
  --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man \
  --infodir=/usr/share/info --libexecdir=/usr/libexec/proftpd --localstatedir=/var/run \
  --enable-ctrls --enable-dso \
  --with-modules=mod_readme:mod_auth_pam:mod_tls:mod_ban:mod_shaper:mod_ifsession:mod_wrap

Edit /etc/proftpd.conf and add some simple ban rules to keep the script kiddies at bay:

<IfModule mod_ban.c>
        BanEngine               on
        BanLog                  /var/log/proftpd/ban.log
        BanTable                /var/log/proftpd/ban.tab
        BanControlsACLs         all allow user root deny user Administrator

        BanMessage              "Host %a has been banned"

        # If a client hits MaxLoginAttempts twice within 12 seconds, ban them.
        # With the default MaxLoginAttempts of 3, that is 6 failures in 12 seconds,
        # i.e. a login attempt every 2 seconds!
        BanOnEvent              MaxLoginAttempts 2/00:00:12 99:99:99

        # Automatically ban scripts looking for anonymous servers they can
        # upload to. We don't do anonymous.
        BanOnEvent              AnonRejectPasswords 1/00:05:00 99:99:99

        # Ban clients which connect too frequently. This rule bans clients
        # that connect more than 5 times within one minute, with a special
        # message just for them.
        #BanOnEvent             ClientConnectRate 5/00:01:00 04:00:00 "Stop connecting frequently"
</IfModule>

However, sometimes after the ban has expired the same script kiddie comes back for another attempt. So this time we make sure they are permanently blocked from the network.

Place this script in /usr/local/bin/mod_ban_deny.py and make it executable (chmod 755):
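To make the rule syntax above concrete, here is an added example (not part of the original post, and not mod_ban's own code) that models a BanOnEvent rule as a sliding window: N events from one client within the window trigger a ban for the stated duration, with the page's 99:99:99 treated as "never expires". It also shows why a timed ban such as the commented-out 04:00:00 rule lets the same client straight back in once it lapses.

```python
import collections

PERMANENT = "99:99:99"  # the page uses this duration for "never expires"

def parse_hms(spec):
    """'00:05:00' -> 300 seconds; the page's 99:99:99 -> None (permanent)."""
    if spec == PERMANENT:
        return None
    h, m, s = (int(p) for p in spec.split(":"))
    return h * 3600 + m * 60 + s

class BanRule(object):
    """Simplified model of 'BanOnEvent <event> N/hh:mm:ss <duration>'.

    This is an educational approximation of the rule semantics, not a
    reimplementation of mod_ban. Times are plain seconds for simplicity."""

    def __init__(self, freq, duration):
        count, window = freq.split("/")
        self.count = int(count)
        self.window = parse_hms(window)
        self.duration = parse_hms(duration)
        self.events = collections.defaultdict(list)  # ip -> recent event times
        self.bans = {}                                # ip -> expiry (None = permanent)

    def is_banned(self, ip, now):
        """True while a ban is active; an expired ban is dropped, so the
        client is allowed back in (the problem the hosts.deny step solves)."""
        if ip not in self.bans:
            return False
        expiry = self.bans[ip]
        if expiry is None or now < expiry:
            return True
        del self.bans[ip]
        return False

    def record(self, ip, now):
        """Record one event for ip at time now; return True if ip is banned."""
        if self.is_banned(ip, now):
            return True
        # Keep only the events that fall inside the sliding window.
        times = [t for t in self.events[ip] if now - t <= self.window] + [now]
        self.events[ip] = times
        if len(times) >= self.count:
            self.bans[ip] = None if self.duration is None else now + self.duration
            del self.events[ip]
            return True
        return False
```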

#!/usr/bin/python
#
# Parse the mod_ban log and permanently block the banned clients by
# appending them to /etc/hosts.deny (skipping any that are already there).

import os
import re
import sys

IP_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")

BAN_LOG = "/var/log/proftpd/ban.log"
HOSTS_DENY = "/etc/hosts.deny"

def parseIP(path):
    """Return the unique IPv4 addresses found in path, in order of first appearance."""
    iplist = []
    if not os.path.exists(path):
        return iplist
    f = open(path)
    try:
        for line in f:
            x = IP_RE.search(line)
            if x:
                ip = x.group(0)
                if ip not in iplist:
                    iplist.append(ip)
    finally:
        f.close()
    return iplist

banlist = parseIP(BAN_LOG)
if not banlist:
    sys.exit(0)     # nothing has been banned yet, nothing to do

denylist = parseIP(HOSTS_DENY)

f = open(HOSTS_DENY, "a")
try:
    for ip in banlist:
        if ip not in denylist:
            f.write("ALL: %s\n" % ip)
finally:
    f.close()

Set up a cron job to scan the ban log and convert its entries into hosts.deny blocks:

@daily /usr/local/bin/mod_ban_deny.py

That should help you sleep at night. It's interesting to note how quickly /etc/hosts.deny fills up with people attempting to break into your FTP server. Now that you are armed with a secret weapon, their attempts are futile.

Over time your /etc/hosts.deny file will accumulate the blocked IP addresses extracted from ban.log:

ALL: 218.15.143.174
ALL: 124.114.130.149
ALL: 158.49.50.139
ALL: 218.62.29.118
ALL: 202.4.119.35

If you run PROFTPD in standalone mode (rather than from inetd/xinetd), connections do not pass through tcp_wrappers, so the hosts.deny entries only take effect if mod_wrap is told to read the access files. Add the following to /etc/proftpd.conf:

<IfModule mod_wrap.c>
    TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
</IfModule>

See also: http://www.aczoom.com/cms/blockhosts

Last modified: 2009/11/27 17:53