Prevent FTP Brute Force Attacks


How to prevent FTP brute force attacks from bots against a Linux FTP server listening on port 21.

Yes, it is possible with the BFD tool (Brute Force Detection), which comes with the APF firewall.

It can be configured to block many kinds of attacks, including FTP, and it works with iptables, the CSF firewall or the APF firewall.

Installing BFD on Linux

To install BFD, just follow these steps.
Download BFD with the wget command and link below.

wget http://www.rfxn.com/downloads/bfd-current.tar.gz

--2015-12-21 14:26:51--  http://www.rfxn.com/downloads/bfd-current.tar.gz
Resolving www.rfxn.com (www.rfxn.com)... 129.121.132.46
Connecting to www.rfxn.com (www.rfxn.com)|129.121.132.46|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21541 (21K) [application/x-gzip]
Saving to: ‘bfd-current.tar.gz’

bfd-current.tar.gz   100%[=========================================================================================================>]  21.04K  54.0KB/s   in 0.4s   

2015-12-21 14:26:54 (54.0 KB/s) - ‘bfd-current.tar.gz’ saved [21541/21541]

Then extract "bfd-current.tar.gz":

tar -zxf bfd-current.tar.gz

After extracting, go to the bfd folder:

cd bfd-1.5-2/

and run the install.sh script:

./install.sh

BFD is installed to the following paths by default:

Main executable -> /usr/local/bfd/bfd
BFD config file -> /usr/local/bfd/conf.bfd
BFD rules for FTP -> /usr/local/bfd/rules/proftpd

BFD Configuration

Just open /usr/local/bfd/conf.bfd and make a few small changes, such as the number of failed attempts that triggers a ban and which firewall executable performs the ban.

vi /usr/local/bfd/conf.bfd
#!/bin/bash
#
# BFD 1.5-2 <bfd@rfxn.com>
# Copyright (C) 1999-2014, R-fx Networks <proj@r-fx.org>
# Copyright (C) 2014, Ryan MacDonald <ryan@r-fx.org>
# This program may be freely redistributed under the terms of the GNU GPL
#
# NOTE: This file should be edited with word/line wrapping off,
#       if your using pico please start it with the -w switch.
#       (e.g: pico -w filename)
#

# how many failure events must an address have before being blocked?
# you can override this on a per rule basis in /usr/local/bfd/rules/
TRIG="5"

# send email alerts for all events [0 = off; 1 = on]
EMAIL_ALERTS="1"

# local user or email address alerts are sent to (separate multiple with comma)
EMAIL_ADDRESS="webmaster@sudoadmin.com"

# subject of email alerts
EMAIL_SUBJECT="Brute Force Warning for $HOSTNAME"

# executable command to block attacking hosts
#BAN_COMMAND="/etc/apf/apf -d $ATTACK_HOST {bfd.$MOD}"
# no space is allowed after the "=", otherwise bash treats the rest as a command
BAN_COMMAND="iptables -A INPUT -s $ATTACK_HOST -j DROP"
######
# You should not need to edit any options below this line
######

# installation path
INSTALL_PATH="/usr/local/bfd"

# rule files path
RULES_PATH="$INSTALL_PATH/rules"

# track log script path
TLOG_PATH="$INSTALL_PATH/tlog"

# syslog kernel log path
KERNEL_LOG_PATH="/var/log/messages"

# syslog auth log path
AUTH_LOG_PATH="/var/log/secure"

# bfd application log path
BFD_LOG_PATH="/var/log/bfd_log"

# log all events to syslog [0 = off; 1 = on]
OUTPUT_SYSLOG="1"

# log file path for syslog logging
OUTPUT_SYSLOG_FILE="$KERNEL_LOG_PATH"

# template of the email message body
EMAIL_TEMPLATE="$INSTALL_PATH/alert.bfd"

# contains list of files to search for addresses that are excluded from bans
IGNORE_HOST_FILES="$INSTALL_PATH/exclude.files"

# grab the local time zone
TIME_ZONE=`date +"%z"`

# grab the local unix time
TIME_UNIX=`date +"%s"`

# lock file path
LOCK_FILE="$INSTALL_PATH/lock.utime"

# lock file timeout
LOCK_FILE_TIMEOUT="300"

(i) Number of failed attempts

# how many failure events must an address have before being blocked?
# you can override this on a per rule basis in /usr/local/bfd/rules/
TRIG="5"

(ii) Set the BAN_COMMAND executable

If you want to use the CSF firewall to block the IP address temporarily, block it for 600 seconds:
Note: If you remove the 600 (TTL time), the IP address will be banned permanently.

BAN_COMMAND="/usr/sbin/csf -d $ATTACK_HOST 600"

If you are using the APF firewall, use this command:

BAN_COMMAND="/usr/sbin/apf -d $ATTACK_HOST 600"

To use the system route command to drop the packets, use:

BAN_COMMAND="route add -host $ATTACK_HOST reject"

If you are using iptables, use this line (no space after the "="):

BAN_COMMAND="iptables -A INPUT -s $ATTACK_HOST -j DROP"

Note: Be careful that you don't block your own IP address. If you are unsure, don't use the iptables command above and set the IP block to temporary instead.
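As an added example (not BFD's own code and not from the article), the following POSIX shell script shows what the two settings above amount to: it counts proftpd login failures per source address, applies the TRIG threshold, and refuses to emit the iptables BAN_COMMAND for any address on an exclude list, which is the role IGNORE_HOST_FILES plays in BFD and how you avoid banning yourself. The log lines, addresses and temp files are constructed, and the proftpd message format is an assumption.

```shell
#!/bin/sh
# Added example, not part of BFD or the original article: a minimal BFD-style
# check over a constructed proftpd log. Nothing here touches the firewall; it
# only prints the ban command that would run. All data below is constructed.

SAMPLE_LOG=$(mktemp)
EXCLUDE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$EXCLUDE_FILE"' EXIT

# constructed proftpd-style auth log: 5 failures from 203.0.113.5,
# 2 failures from the admin's own address 198.51.100.7, one success
cat > "$SAMPLE_LOG" <<'EOF'
Dec 21 14:26:51 ftp1 proftpd[2101] ftp1 (203.0.113.5[203.0.113.5]): USER admin (Login failed): Incorrect password.
Dec 21 14:26:52 ftp1 proftpd[2102] ftp1 (203.0.113.5[203.0.113.5]): USER root (Login failed): Incorrect password.
Dec 21 14:26:53 ftp1 proftpd[2103] ftp1 (198.51.100.7[198.51.100.7]): USER hitesh (Login failed): Incorrect password.
Dec 21 14:26:54 ftp1 proftpd[2104] ftp1 (203.0.113.5[203.0.113.5]): USER test (Login failed): Incorrect password.
Dec 21 14:26:55 ftp1 proftpd[2105] ftp1 (203.0.113.5[203.0.113.5]): USER ftp (Login failed): Incorrect password.
Dec 21 14:26:56 ftp1 proftpd[2106] ftp1 (198.51.100.7[198.51.100.7]): USER hitesh (Login failed): Incorrect password.
Dec 21 14:26:57 ftp1 proftpd[2107] ftp1 (203.0.113.5[203.0.113.5]): USER guest (Login failed): Incorrect password.
Dec 21 14:26:58 ftp1 proftpd[2108] ftp1 (198.51.100.7[198.51.100.7]): USER hitesh: Login successful.
EOF

# the administrator's own address, which must never be banned
echo 198.51.100.7 > "$EXCLUDE_FILE"

# failed_logins LOGFILE TRIG: print "<count> <ip>" for every address with
# at least TRIG failures; the sed expression pulls the ip out of "[ip])"
failed_logins() {
    grep 'Login failed' "$1" \
        | sed -n 's/.*\[\([0-9.]*\)\]).*/\1/p' \
        | sort | uniq -c \
        | awk -v trig="$2" '$1 >= trig { print $1, $2 }'
}

# ban_command IP EXCLUDE_FILE: print the iptables rule BFD would run, or
# refuse (non-zero status) when the address is on the exclude list
ban_command() {
    if grep -qxF "$1" "$2"; then
        echo "skip $1 (excluded)"
        return 1
    fi
    echo "iptables -A INPUT -s $1 -j DROP"
}

# dry run with TRIG=5: only 203.0.113.5 crosses the threshold
failed_logins "$SAMPLE_LOG" 5 | while read -r count ip; do
    ban_command "$ip" "$EXCLUDE_FILE" || true
done
```

Lowering TRIG to 2 would also flag 198.51.100.7, and the exclude check is what keeps that address from being banned.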

Starting up BFD

To launch BFD, use the following commands.

Quiet mode:

/usr/local/bfd/bfd -q

Standard mode with output:

/usr/local/bfd/bfd -s

List attacking hosts:

/usr/local/bfd/bfd -a

Finally, check your firewall deny file to confirm that the attacking IP addresses are listed properly:

cat /etc/csf/csf.deny
cat /etc/apf/apf.deny


Author: Hitesh Satarkar

Hitesh Satarkar is currently working as a Linux/Unix administrator, but also works with Windows in both server and desktop areas. Interested in information technology, information security and writing.
