blog:blocking_proftpd_banned_users_permenantly

blog:blocking_proftpd_banned_users_permenantly [2009/11/27 17:53] (current) – created - external edit 127.0.0.1
====== Blocking PROFTPD banned users permanently ======

PROFTPD is a great FTP server.  However, I found that once I had it running every man and his dog tried to brute-force their way in.

The mod_ban module helps stop brute-force attacks.  Check whether the module is already compiled in:
<code>
# proftpd --list | fgrep mod_ban
  mod_ban.c
#
</code>

If not, you need to download the source and recompile it.  Here is the configure invocation I used on my CentOS 5 distribution (the original wrapped mid-option; it is one command).
<code>
./configure --build=i686-redhat-linux-gnu --host=i686-redhat-linux-gnu \
    --target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr \
    --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share \
    --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec \
    --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man \
    --infodir=/usr/share/info --libexecdir=/usr/libexec/proftpd --localstatedir=/var/run \
    --enable-ctrls --enable-dso \
    --with-modules=mod_readme:mod_auth_pam:mod_tls:mod_ban:mod_shaper:mod_ifsession:mod_wrap
</code>

Edit /etc/proftpd.conf and add some simple ban rules to keep the script kiddies at bay.
<code>
<IfModule mod_ban.c>
        BanEngine               on
        BanLog                  /var/log/proftpd/ban.log
        BanTable                /var/log/proftpd/ban.tab
        BanControlsACLs         all allow user root deny user Administrator

        BanMessage              "Host %a has been banned"
        # If a client hits MaxLoginAttempts twice within 12 seconds, ban them.
        # That's 6 failures in 12 seconds, i.e. a login attempt every 2 seconds!
        BanOnEvent              MaxLoginAttempts 2/00:00:12 99:99:99
        # Automatically ban scripts looking for anonymous servers to which
        # they can upload.  We don't do anonymous.
        BanOnEvent              AnonRejectPasswords 1/00:05:00 99:99:99
        # Ban clients which connect too frequently.  This rule bans clients
        # which connect more than 5 times within one minute, with a special
        # message just for them.
        #BanOnEvent ClientConnectRate 5/00:01:00 04:00:00 "Stop connecting frequently"
</IfModule>
</code>

However, sometimes after the ban has expired the same script kiddie comes back for another attempt.  So this time we make sure they are permanently blocked from the network.

Place this code in /usr/local/bin/mod_ban_deny.py and chmod it 755.
<code python>
#!/usr/bin/python
#
# Parse the mod_ban log and permanently block, via /etc/hosts.deny,
# every address that has been banned.

import re

# Any dotted quad on the line is taken to be the banned address
IP_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")

def parseIP(path):
    """Return the unique dotted-quad addresses found in the file, in order seen."""
    iplist = []
    with open(path) as f:
        for line in f:
            if len(line.strip()) == 0:
                continue
            x = IP_RE.search(line)
            if x:
                ip = x.group(0)
                if ip not in iplist:
                    iplist.append(ip)
    return iplist

banlist = parseIP("/var/log/proftpd/ban.log")
denylist = parseIP("/etc/hosts.deny")

# Append only the addresses that are not already present in hosts.deny
with open("/etc/hosts.deny", "a") as f:
    for ip in banlist:
        if ip not in denylist:
            f.write("ALL: %s\n" % ip)
</code>
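
As an added example (not the original script; written for Python 3), here is the same ban-log-to-hosts.deny step with the checks a production version wants: every match is validated as a real IPv4 address (the bare `\d+` pattern above would happily accept `300.1.2.3`), addresses already present in hosts.deny are skipped, and addresses inside an operator allowlist are never denied, so a stray appearance of your own address in the log cannot lock you out. The sample log lines, the hosts.deny contents and the `192.0.2.0/24` allowlist are constructed for this example; the real mod_ban log format may differ, but the extraction only relies on finding a dotted quad somewhere on the line, as the original does.

```python
import ipaddress
import re

# A dotted quad that is not glued to further digits or dots on either side;
# the octet range (0-255) is checked separately with the ipaddress module.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def extract_ips(lines):
    """Return the unique, valid IPv4 addresses found in `lines`, in first-seen order."""
    seen = []
    for line in lines:
        for candidate in IPV4_RE.findall(line):
            try:
                ip = str(ipaddress.IPv4Address(candidate))
            except ipaddress.AddressValueError:
                continue  # an octet out of range, e.g. 300.1.2.3
            if ip not in seen:
                seen.append(ip)
    return seen


def new_deny_entries(ban_log_lines, hosts_deny_lines, allowlist=()):
    """Return the 'ALL: <ip>' lines that should be appended to hosts.deny.

    allowlist entries may be single hosts ("192.0.2.1") or CIDR networks
    ("192.0.2.0/24"); matching addresses are never denied.
    """
    allowed = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]
    already_denied = set(extract_ips(hosts_deny_lines))
    entries = []
    for ip in extract_ips(ban_log_lines):
        if ip in already_denied:
            continue
        addr = ipaddress.IPv4Address(ip)
        if any(addr in net for net in allowed):
            continue
        entries.append("ALL: %s" % ip)
    return entries


def update_hosts_deny(ban_log_path, hosts_deny_path, allowlist=()):
    """Append the new entries to hosts.deny on disk and return them."""
    with open(ban_log_path) as f:
        ban_lines = f.read().splitlines()
    try:
        with open(hosts_deny_path) as f:
            deny_lines = f.read().splitlines()
    except FileNotFoundError:
        deny_lines = []
    entries = new_deny_entries(ban_lines, deny_lines, allowlist)
    if entries:
        with open(hosts_deny_path, "a") as f:
            f.write("\n".join(entries) + "\n")
    return entries


# Constructed sample input (not real mod_ban output): documentation addresses only.
SAMPLE_BAN_LOG = [
    "2009-11-27 17:53:01 mod_ban: banned client 198.51.100.23 for MaxLoginAttempts",
    "2009-11-27 17:53:09 mod_ban: banned client 203.0.113.77 for AnonRejectPasswords",
    "2009-11-27 17:54:00 mod_ban: banned client 198.51.100.23 for MaxLoginAttempts",
    "2009-11-27 17:55:00 mod_ban: banned client 192.0.2.250 for MaxLoginAttempts",
    "2009-11-27 17:56:00 mod_ban: garbage address 300.1.2.3 ignored",
]
SAMPLE_HOSTS_DENY = [
    "# existing entries",
    "ALL: 203.0.113.77",
]
SAMPLE_ALLOWLIST = ["192.0.2.0/24"]  # constructed: your own management network

if __name__ == "__main__":
    # Only 198.51.100.23 is new: 203.0.113.77 is already denied, 192.0.2.250 is
    # allowlisted, and 300.1.2.3 is not a valid address.
    for line in new_deny_entries(SAMPLE_BAN_LOG, SAMPLE_HOSTS_DENY, SAMPLE_ALLOWLIST):
        print(line)
```

For the cron job, call `update_hosts_deny("/var/log/proftpd/ban.log", "/etc/hosts.deny", ["<your management network>"])` instead of the in-memory sample; the hosts.deny re-read on every run is what keeps the script idempotent.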

Set up a crontab entry to scan the ban log and convert its entries into hosts.deny blocks.
<code>
@daily /usr/local/bin/mod_ban_deny.py
</code>

That should help you sleep at night.  It's interesting to note how quickly the /etc/hosts.deny file fills up with people attempting to break into your FTP server.  Now that you are armed with this secret weapon, their attempts are futile.

Over time your /etc/hosts.deny file will accumulate the blocked IP addresses extracted from the ban.log file, for example:
<code>
ALL: 218.15.143.174
ALL: 124.114.130.149
ALL: 158.49.50.139
ALL: 218.62.29.118
ALL: 202.4.119.35
</code>

If you run PROFTPD in standalone mode (rather than from inetd/xinetd through tcpd), the daemon does not consult /etc/hosts.deny on its own, so you need mod_wrap and the following additional options in /etc/proftpd.conf.
<code>
<IfModule mod_wrap.c>
    TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
</IfModule>
</code>

See also: http://www.aczoom.com/cms/blockhosts

{{tag>network}}