blog:blocking_proftpd_banned_users_permenantly [2009/11/27 17:53] (current)
====== Blocking PROFTPD banned users permanently ======

PROFTPD is a great FTP server. However, I found that once I had it running, every man and his dog tried to brute-force their way in.

The mod_ban module helps stop brute-force attacks. Check whether the module is already compiled in:
<code>
# proftpd --list | fgrep mod_ban
  mod_ban.c
#
</code>

If it is not, you need to download the source and recompile it. Here is the configure command that I used on my CentOS 5 system:
<code>
./configure --build=i686-redhat-linux-gnu --host=i686-redhat-linux-gnu \
  --target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr \
  --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share \
  --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec \
  --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man \
  --infodir=/usr/share/info --libexecdir=/usr/libexec/proftpd --localstatedir=/var/run \
  --enable-ctrls --enable-dso \
  --with-modules=mod_readme:mod_auth_pam:mod_tls:mod_ban:mod_shaper:mod_ifsession:mod_wrap
</code>

Edit /etc/proftpd.conf and add some simple ban rules to keep the script kiddies at bay.
<code>
<IfModule mod_ban.c>
        BanEngine               on
        BanLog                  /var/log/proftpd/ban.log
        BanTable                /var/log/proftpd/ban.tab
        BanControlsACLs         all allow user root deny user Administrator

        BanMessage              "Host %a has been banned"
# If a client hits the MaxLoginAttempts limit twice within 12 seconds, ban them.
# That's 6 failures in 12 sec - a login attempt every 2 sec!
        BanOnEvent              MaxLoginAttempts 2/00:00:12 99:99:99
# Configure a rule to automatically ban scripts looking for anonymous
# servers to which they can upload.  We don't do anonymous.
        BanOnEvent              AnonRejectPasswords 1/00:05:00 99:99:99
# Ban clients which connect too frequently.  This rule bans clients
# which connect more than 5 times within one minute.  Include a special
# message just for them.
        #BanOnEvent ClientConnectRate 5/00:01:00 04:00:00 "Stop connecting frequently"
</IfModule>
</code>
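To see what a BanOnEvent rule actually does before you commit it to proftpd.conf, here is an added example (my code, not part of the original post and not mod_ban's own logic) that parses the rule's "N/hh:mm:ss duration" arguments and simulates them as a sliding window per client. Reading "99:99:99" as "never expires" follows the post's use of it; the event timestamps it is fed are constructed test data.

```python
# Added example (not from the original post): a small simulator of the
# "count/window" semantics of mod_ban's BanOnEvent rules.  Reading
# "N/hh:mm:ss" as "N events inside a sliding window of hh:mm:ss" and
# "99:99:99" as "never expires" is my interpretation of the directive as
# the post uses it, not mod_ban's code.  All timestamps are constructed.
import re
from collections import deque

RULE_RE = re.compile(
    r"^(?P<event>\S+)\s+(?P<count>\d+)/(?P<win>\d{2}:\d{2}:\d{2})"
    r"\s+(?P<dur>\d{2}:\d{2}:\d{2})(?:\s+\"(?P<msg>[^\"]*)\")?\s*$")


def hms_to_seconds(hms):
    """Convert hh:mm:ss to seconds; the conventional 99:99:99 means 'forever' (None)."""
    if hms == "99:99:99":
        return None
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_rule(rule):
    """Parse the argument string of a BanOnEvent directive into its parts."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unrecognised BanOnEvent rule: %r" % rule)
    return {
        "event": m.group("event"),
        "count": int(m.group("count")),
        "window": hms_to_seconds(m.group("win")),
        "duration": hms_to_seconds(m.group("dur")),
        "message": m.group("msg"),
    }


class BanSimulator:
    """Tracks one BanOnEvent rule across clients identified by IP address."""

    def __init__(self, rule):
        self.rule = parse_rule(rule)
        self.history = {}  # ip -> deque of event times (seconds) inside the window
        self.banned = {}   # ip -> expiry time in seconds, or None for a permanent ban

    def is_banned(self, ip, now):
        if ip not in self.banned:
            return False
        expiry = self.banned[ip]
        if expiry is None or now < expiry:
            return True
        del self.banned[ip]  # the ban has lapsed; forget it
        return False

    def event(self, ip, now):
        """Record one occurrence of the rule's event for ip at time now (seconds).

        Returns True if the client is, or as a result becomes, banned."""
        if self.is_banned(ip, now):
            return True
        q = self.history.setdefault(ip, deque())
        q.append(now)
        window = self.rule["window"]
        if window is not None:
            while q and now - q[0] > window:
                q.popleft()  # drop events that fell out of the sliding window
        if len(q) >= self.rule["count"]:
            dur = self.rule["duration"]
            self.banned[ip] = None if dur is None else now + dur
            q.clear()
            return True
        return False


if __name__ == "__main__":
    sim = BanSimulator("MaxLoginAttempts 2/00:00:12 99:99:99")
    for t in (0, 20, 25):
        print("t=%d banned=%s" % (t, sim.event("10.0.0.1", t)))
```

Feeding the post's first rule two MaxLoginAttempts events 20 seconds apart does not ban, because the first one has already slid out of the 12-second window; a third event 5 seconds later does, and with 99:99:99 the ban never lapses.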

However, sometimes after the ban has expired the same script kiddie comes back for another attempt. So this time we make sure they are permanently blocked from my network.

Place this code into /usr/local/bin/mod_ban_deny.py and chmod 755 it.
<code python>
#!/usr/bin/python
#
# Parse the mod_ban log and permanently block every address it has banned
# by appending an "ALL: <ip>" entry to /etc/hosts.deny (TCP wrappers).

import re

IP_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")

def parseIP(path):
    """Return the unique IPv4 addresses found in the file, in first-seen order."""
    iplist = []
    for line in open(path):
        x = IP_RE.search(line)
        if x:
            ip = x.group(0)
            if ip not in iplist:
                iplist.append(ip)
    return iplist

banlist = parseIP("/var/log/proftpd/ban.log")
denylist = parseIP("/etc/hosts.deny")

# Append only addresses that are not already denied, so repeated runs are harmless.
f = open("/etc/hosts.deny", "a")
for ip in banlist:
    if ip not in denylist:
        f.write("ALL: %s\n" % ip)
f.close()
</code>
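For anyone who wants a stricter version of the merge, here is an added example of my own (not the post's script). Compared with the script above it accepts only syntactically valid IPv4 addresses, understands existing hosts.deny lines of the form "ALL: a.b.c.d, e.f.g.h" and skips comments, never re-adds an address that is already denied, refuses to deny addresses on a protect list (an assumed parameter, so you cannot lock out your own management hosts), and writes the file atomically through a temporary file so a crash mid-write cannot leave a truncated hosts.deny. Paths are parameters so it can be run against copies; the log lines in demo() are constructed and only loosely modelled on mod_ban's output.

```python
# Added example, not the post's own script: a stricter ban.log -> hosts.deny
# merge.  The "protect" parameter is my addition; the sample data in demo()
# is constructed and not real mod_ban log output.
import os
import re
import tempfile

# Four dotted groups of 1-3 digits, not glued to further digits or dots.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def valid_ipv4(s):
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def banned_ips(text):
    """Unique, valid IPv4 addresses found in mod_ban log text, in first-seen order."""
    seen, out = set(), []
    for m in IPV4_RE.finditer(text):
        ip = m.group(1)
        if valid_ipv4(ip) and ip not in seen:
            seen.add(ip)
            out.append(ip)
    return out


def denied_ips(text):
    """Addresses already present in hosts.deny (comma/space lists; comments ignored)."""
    out = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" not in line:
            continue
        _daemons, clients = line.split(":", 1)
        for tok in re.split(r"[\s,]+", clients.strip()):
            if valid_ipv4(tok):
                out.add(tok)
    return out


def merge_bans(ban_log_path, hosts_deny_path, protect=()):
    """Append 'ALL: ip' lines for newly banned hosts; returns the addresses added."""
    with open(ban_log_path) as f:
        new = banned_ips(f.read())
    existing = ""
    if os.path.exists(hosts_deny_path):
        with open(hosts_deny_path) as f:
            existing = f.read()
    already = denied_ips(existing)
    to_add = [ip for ip in new if ip not in already and ip not in set(protect)]
    if not to_add:
        return []
    body = existing if (not existing or existing.endswith("\n")) else existing + "\n"
    body += "".join("ALL: %s\n" % ip for ip in to_add)
    # Write to a temp file in the same directory, then rename over the original.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(hosts_deny_path)),
                               prefix=".hosts.deny.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(body)
        os.chmod(tmp, 0o644)  # mkstemp gives 0600; hosts.deny is normally world-readable
        os.replace(tmp, hosts_deny_path)
    except BaseException:
        os.unlink(tmp)
        raise
    return to_add


def demo():
    """Run the merge twice on constructed data in a temp dir.

    Returns (added_on_first_run, added_on_second_run, final_hosts_deny_text)."""
    ban_log = (  # constructed sample; the real mod_ban log format differs
        "2009-11-27 17:53:00 mod_ban: ban 'host 218.15.143.174' (MaxLoginAttempts)\n"
        "2009-11-27 18:10:12 mod_ban: ban 'host 218.15.143.174' (MaxLoginAttempts)\n"
        "2009-11-27 19:01:45 mod_ban: ban 'host 999.1.1.1' (garbage, not an address)\n"
        "2009-11-27 19:05:00 mod_ban: ban 'host 192.168.1.20' (MaxLoginAttempts)\n"
        "2009-11-27 20:30:02 mod_ban: ban 'host 124.114.130.149' (AnonRejectPasswords)\n"
    )
    hosts_deny = "# existing rules\nALL: 158.49.50.139, 218.15.143.174\n"
    with tempfile.TemporaryDirectory() as d:
        log_path = os.path.join(d, "ban.log")
        deny_path = os.path.join(d, "hosts.deny")
        with open(log_path, "w") as f:
            f.write(ban_log)
        with open(deny_path, "w") as f:
            f.write(hosts_deny)
        first = merge_bans(log_path, deny_path, protect=("192.168.1.20",))
        second = merge_bans(log_path, deny_path, protect=("192.168.1.20",))
        with open(deny_path) as f:
            final = f.read()
    return first, second, final


if __name__ == "__main__":
    print(demo())
```

On the constructed data only 124.114.130.149 is appended: 218.15.143.174 is already in hosts.deny, 999.1.1.1 fails validation, and 192.168.1.20 is protected; the second run adds nothing, which is what you want from a job that cron runs every day.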

Set up a crontab entry to scan the ban log and convert its entries into hosts.deny blocks:
<code>
@daily /usr/local/bin/mod_ban_deny.py
</code>

That should help you sleep at night. It's interesting to note how quickly the /etc/hosts.deny file fills up with people attempting to break into your FTP server. Now that you are armed with a secret weapon, their attempts are futile.

Over time your /etc/hosts.deny file will accumulate the blocked IP addresses extracted from ban.log:
<code>
ALL: 218.15.143.174
ALL: 124.114.130.149
ALL: 158.49.50.139
ALL: 218.62.29.118
ALL: 202.4.119.35
</code>

If you run the PROFTPD server in standalone mode, you will need some additional configuration in /etc/proftpd.conf so that mod_wrap consults the hosts files:
<code>
<IfModule mod_wrap.c>
    TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
</IfModule>
</code>

See also: http://www.aczoom.com/cms/blockhosts

{{tag>network}}