Prevent FTP Brute Force Attacks
How to prevent FTP brute force attacks from bots on a Linux FTP server listening on port 21.
Yes, it is possible with BFD (Brute Force Detection), a tool that comes with the APF firewall.
It can be configured to block many kinds of attacks, including FTP brute force, and it works with iptables, the CSF firewall or the APF firewall.
Installing BFD on Linux
To install BFD, follow these steps.
Download BFD with the following wget command:
wget http://www.rfxn.com/downloads/bfd-current.tar.gz
--2015-12-21 14:26:51--  http://www.rfxn.com/downloads/bfd-current.tar.gz
Resolving www.rfxn.com (www.rfxn.com)... 129.121.132.46
Connecting to www.rfxn.com (www.rfxn.com)|129.121.132.46|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21541 (21K) [application/x-gzip]
Saving to: ‘bfd-current.tar.gz’
bfd-current.tar.gz 100%[=========================================================================================================>] 21.04K 54.0KB/s in 0.4s
2015-12-21 14:26:54 (54.0 KB/s) - ‘bfd-current.tar.gz’ saved [21541/21541]
Then extract bfd-current.tar.gz:
tar -zxf bfd-current.tar.gz
After extracting, go to the bfd folder:
cd bfd-1.5-2/
and run the install.sh script:
./install.sh
BFD is installed to the following paths by default:
Main executable -> /usr/local/bfd/bfd
BFD config file -> /usr/local/bfd/conf.bfd
BFD rules for FTP -> /usr/local/bfd/rules/proftpd
BFD Configuration
Open /usr/local/bfd/conf.bfd and make a few small changes, such as the number of failed attempts before a block and which firewall executable to call.
vi /usr/local/bfd/conf.bfd
#!/bin/bash
#
# BFD 1.5-2 <bfd@rfxn.com>
# Copyright (C) 1999-2014, R-fx Networks <proj@r-fx.org>
# Copyright (C) 2014, Ryan MacDonald <ryan@r-fx.org>
# This program may be freely redistributed under the terms of the GNU GPL
#
# NOTE: This file should be edited with word/line wrapping off,
# if you're using pico please start it with the -w switch.
# (e.g: pico -w filename)
#
# how many failure events must an address have before being blocked?
# you can override this on a per rule basis in /usr/local/bfd/rules/
TRIG="5"
# send email alerts for all events [0 = off; 1 = on]
EMAIL_ALERTS="1"
# local user or email address alerts are sent to (separate multiple with comma)
EMAIL_ADDRESS="webmaster@sudoadmin.com"
# subject of email alerts
EMAIL_SUBJECT="Brute Force Warning for $HOSTNAME"
# executable command to block attacking hosts
#BAN_COMMAND="/etc/apf/apf -d $ATTACK_HOST {bfd.$MOD}"
# (no space is allowed after the '=': with one, bash would run iptables at load time and leave BAN_COMMAND empty)
BAN_COMMAND="iptables -A INPUT -s $ATTACK_HOST -j DROP"
######
# You should not need to edit any options below this line
######
# installation path
INSTALL_PATH="/usr/local/bfd"
# rule files path
RULES_PATH="$INSTALL_PATH/rules"
# track log script path
TLOG_PATH="$INSTALL_PATH/tlog"
# syslog kernel log path
KERNEL_LOG_PATH="/var/log/messages"
# syslog auth log path
AUTH_LOG_PATH="/var/log/secure"
# bfd application log path
BFD_LOG_PATH="/var/log/bfd_log"
# log all events to syslog [0 = off; 1 = on]
OUTPUT_SYSLOG="1"
# log file path for syslog logging
OUTPUT_SYSLOG_FILE="$KERNEL_LOG_PATH"
# template of the email message body
EMAIL_TEMPLATE="$INSTALL_PATH/alert.bfd"
# contains list of files to search for addresses that are excluded from bans
IGNORE_HOST_FILES="$INSTALL_PATH/exclude.files"
# grab the local time zone
TIME_ZONE=`date +"%z"`
# grab the local unix time
TIME_UNIX=`date +"%s"`
# lock file path
LOCK_FILE="$INSTALL_PATH/lock.utime"
# lock file timeout
LOCK_FILE_TIMEOUT="300"
(i) Number of failed attempts
# how many failure events must an address have before being blocked?
# you can override this on a per rule basis in /usr/local/bfd/rules/
TRIG="5"
(ii) Set the BAN_COMMAND executable
If you want the CSF firewall to block the address temporarily, deny the IP for 600 seconds:
BAN_COMMAND="/usr/sbin/csf -d $ATTACK_HOST 600"
Note: if you remove the 600 (the TTL), the IP address is banned permanently.
If you are using the APF firewall, use this command:
BAN_COMMAND="/usr/sbin/apf -d $ATTACK_HOST 600"
To use the system route command to drop the packets instead, use:
BAN_COMMAND="route add -host $ATTACK_HOST reject"
If you are using iptables, use this line (no space after the '='):
BAN_COMMAND="iptables -A INPUT -s $ATTACK_HOST -j DROP"
Note: be careful that you don't block your own IP address. If you are unsure, don't use the iptables command above, and set the block to temporary.
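As an added example (not BFD's own code and not part of this article), the following script emulates what the proftpd rule does with TRIG and BAN_COMMAND on a constructed log excerpt, so you can see which addresses would be banned, and that your own address on the exclusion list is skipped, before the real command ever runs. The log lines, the addresses and EXCLUDE_HOSTS are assumptions made up for the demo; the csf command is the temporary ban shown above.

```shell
#!/bin/bash
# Added example, not part of BFD: count proftpd login failures per source
# address, apply TRIG and an exclusion list, and print the ban command
# that would run (dry run). All log lines and addresses are constructed.

TRIG=5                          # failures per address before a ban, as in conf.bfd
BAN_TTL=600                     # temporary ban in seconds (csf -d HOST 600)
EXCLUDE_HOSTS="203.0.113.10"    # addresses that must never be banned (your own IP)

# Build constructed sample lines in proftpd's login-failure syslog format.
fail_line() {  # $1=seq $2=ip $3=user
  printf 'Dec 21 14:26:%02d ftp1 proftpd[%d]: ftp1 (%s[%s]) - USER %s (Login failed): Incorrect password.\n' \
    "$1" $((2100 + $1)) "$2" "$2" "$3"
}
SAMPLE_LOG=$(
  for i in 1 2 3 4 5; do fail_line "$i" 198.51.100.7 admin; done    # bot: 5 failures
  fail_line 6 192.0.2.25 bob                                           # one typo, then success
  echo 'Dec 21 14:26:07 ftp1 proftpd[2107]: ftp1 (192.0.2.25[192.0.2.25]) - USER bob: Login successful.'
  for i in 8 9 10 11 12; do fail_line "$i" 203.0.113.10 admin; done  # your own host, excluded
)

# Read log lines on stdin; print "<count> <ip>" for every address with failures.
count_failures() {
  grep 'Login failed' | sed -n 's/.*\[\([0-9.]*\)\]) - USER.*/\1/p' \
    | sort | uniq -c | awk '{print $1, $2}'
}

# Read log lines on stdin; print only addresses that reached TRIG and are not excluded.
offenders() {
  count_failures | while read -r n ip; do
    [ "$n" -ge "$TRIG" ] || continue
    case " $EXCLUDE_HOSTS " in *" $ip "*) continue ;; esac
    echo "$ip"
  done
}

# The BAN_COMMAND that would be run for one address (temporary csf deny).
ban_command() { echo "/usr/sbin/csf -d $1 $BAN_TTL"; }

# Dry run over the sample: print the commands instead of executing them.
plan_bans() {
  printf '%s\n' "$SAMPLE_LOG" | offenders | while read -r ip; do ban_command "$ip"; done
}

plan_bans
```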
Starting up BFD
To launch BFD, use the following commands:
/usr/local/bfd/bfd -q    (quiet mode)
/usr/local/bfd/bfd -s    (standard, with output)
/usr/local/bfd/bfd -a    (list attacking hosts)
Finally, check your firewall deny file to verify that the attacking IP addresses are listed properly:
cat /etc/csf/csf.deny
cat /etc/apf/apf.deny
Was this article helpful? If you have any suggestions or questions, feel free to ask in the comments.