Differences
This shows you the differences between two versions of the page.
— | blog:blocking_proftpd_banned_users_permenantly [2009/11/27 17:53] (current) – created - external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Blocking PROFTPD banned users permanently ====== | ||
+ | |||
+ | PROFTPD is a great FTP server. | ||
+ | |||
+ | The mod_ban modules helped stop brute force attacks. | ||
+ | < | ||
+ | # proftpd --list | fgrep mod_ban | ||
+ | mod_ban.c | ||
+ | # | ||
+ | </ | ||
+ | |||
+ | If not you need to download the source and recompile it. Here is the configuration that I used to compile on my Centos 5 distribution. | ||
+ | < | ||
+ | ./configure --build=i686-redhat-linux-gnu --host=i686-redhat-linux-gnu --target=i386-redh | ||
+ | at-linux-gnu --program-prefix= --prefix=/ | ||
+ | ir=/ | ||
+ | sr/lib --libexecdir=/ | ||
+ | / | ||
+ | r=/var/run --enable-ctrls --enable-dso --with-modules=mod_readme: | ||
+ | _ban: | ||
+ | </ | ||
+ | |||
+ | Edit the / | ||
+ | < | ||
+ | < | ||
+ | BanEngine | ||
+ | BanLog | ||
+ | BanTable | ||
+ | BanControlsACLs | ||
+ | |||
+ | BanMessage | ||
+ | # If a client reached the max login attempt twice in 12 seconds ban them | ||
+ | # Thats 6 failures in 12sec - thats a login attempt every 2sec ! | ||
+ | BanOnEvent | ||
+ | # Configure a rule to automatically ban scripts looking for anonymous | ||
+ | # servers to which they can upload. | ||
+ | BanOnEvent | ||
+ | # Ban clients which connect too frequently. | ||
+ | # which connect more than 5 times within one minute. | ||
+ | # message just for them. | ||
+ | #BanOnEvent ClientConnectRate 5/00:01:00 04:00:00 "Stop connecting frequently" | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | However some times after the ban has expired the same script kiddie comes back for another attempt. | ||
+ | |||
+ | Place this code into / | ||
+ | <code python> | ||
+ | # | ||
+ | # | ||
+ | # Parse mod_ban LOGS and block permenatly those banned | ||
+ | |||
+ | import re | ||
+ | |||
+ | def parseIP(file): | ||
+ | iplist = [] | ||
+ | for line in open(file).readlines(): | ||
+ | if len(line) == 0: continue | ||
+ | x = re.search(" | ||
+ | if x: | ||
+ | ip=x.group(0) | ||
+ | if not ip in iplist: | ||
+ | iplist.append(ip) | ||
+ | return iplist | ||
+ | |||
+ | banlist = parseIP("/ | ||
+ | denylist = parseIP("/ | ||
+ | |||
+ | f = open("/ | ||
+ | for ip in banlist: | ||
+ | if not ip in denylist: | ||
+ | f.write(" | ||
+ | f.close() | ||
+ | </ | ||
+ | |||
+ | Setup a crontab to scan the ban log file and convert these entries into hosts.deny blocks. | ||
+ | < | ||
+ | @daily / | ||
+ | </ | ||
+ | |||
+ | That should help you sleep at night. | ||
+ | |||
+ | Over time your / | ||
+ | < | ||
+ | ALL: 218.15.143.174 | ||
+ | ALL: 124.114.130.149 | ||
+ | ALL: 158.49.50.139 | ||
+ | ALL: 218.62.29.118 | ||
+ | ALL: 202.4.119.35 | ||
+ | </ | ||
+ | |||
+ | If you run the PROFTPD server in standalone mode then you will need some additional configuration options in the / | ||
+ | < | ||
+ | < | ||
+ | TCPAccessFiles / | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | See also: http:// | ||
+ | |||
+ | {{tag> | ||
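Review bot: the sample hosts.deny output (`ALL: 218.15.143.174` and the lines after it) shows the Python script writing each banned address with the `ALL:` service wildcard, so an address that tripped an FTP ban is then denied on every TCP-wrapped service on the host, with no expiry and no allowlist. Consider scoping the entries to the FTP service only and skipping a list of trusted addresses before appending, since a shared NAT address or a user who mistyped a password would otherwise be locked out of everything until someone edits the file by hand. In `parseIP`, the guard `if len(line) == 0: continue` never fires because `readlines()` keeps the trailing newline, so blank lines still reach `re.search`; testing `line.strip()` would do what the guard intends. The same function takes only the first match on each line via `x.group(0)` and never closes the file it opens; a `with` block would fix the latter. The script's header comment also misspells "permanently" ("permenatly"), as does the page slug.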