Blocking IP's from vsftp? Solved

Hydraulix · Guru Joined: 12 Dec 2003 Posts: 447

In my vsftp.log I'm seeing this...

wjholden · l33t Joined: 01 Mar 2004 Posts: 826 Location: Augusta, GA

After checking man 5 vsftpd.conf, I'm afraid VSFTPD doesn't contain a native method for blocking hosts. I would recommend reporting the offending IP address to your ISP and blocking it through a firewall such as IP tables.

Hydraulix · Guru Joined: 12 Dec 2003 Posts: 447

expat_iain · Guru Joined: 09 Jan 2004 Posts: 361 Location: Malta GC

wjholden · l33t Joined: 01 Mar 2004 Posts: 826 Location: Augusta, GA

How do you like this? I felt like coding something, so I wrote a program to run through the logfile and block people with too many failed logins. If you like it, save it to block.pl (or whatever), "chmod u+x block.pl", and then "./block.pl" to execute. You could then put it in your cron daemon if you really like it.
Have fun. If you find any bugs or want an extra feature tell me and I'll see what I can do.

Hydraulix · Guru Joined: 12 Dec 2003 Posts: 447

wjholden · l33t Joined: 01 Mar 2004 Posts: 826 Location: Augusta, GA

I just hope it works...I have had "xferlog_std_format=YES" in my VSFTPD configuration for a year and a half. Too late to change now

Plus I don't have IP Tables installed on this box. What I'm trying to say is, that code hasn't been tested much (it compiles, it runs, it should work), so if you run into any problems at all I'll be glad to work on it.

Hydraulix · Guru Joined: 12 Dec 2003 Posts: 447

JROCK2004 · Guru Joined: 02 Mar 2004 Posts: 450 Location: PA

is there a different way then iptables

Growlizing · Tux's lil' helper Joined: 25 Jul 2005 Posts: 94

Could you post your failregex for fail2ban please? Would be very much appreciated

_________________
Is this where I write something clever?

zendmaster · Posted: Mon Apr 09, 2007 6:45 pm Post subject:

I know this is an older thread, but I was just working on this. I had trouble getting fail2ban to work for vsftpd. Thought I would post how I got it to work since I couldn't find it in these forums.

First I had to go into my kernel configuration and turn on iptables. That was the easy part. The hard part was finding a failregex for vsftpd. I finally found one that worked. It is:

TauRush · n00b Joined: 07 May 2007 Posts: 1

I was looking for a script to stop those ftp attacks some time ago and finally found this forum.
Although I am not using Gentoo (but Fedora) I gave the script of destuxor a try.
After fixing some small issues and adding a permanent banlist, I have it working at home and at the office for some time now.
I am running the script every 2 minutes through a cronjob, to keep the amount of attacks small and also my logfiles don't overflow.

Thanks to destuxor for the initial setup of the script.

Here is my adjusted script for all to use.

wjholden · l33t Joined: 01 Mar 2004 Posts: 826 Location: Augusta, GA

So I was googling my own name and ran across this. If anyone is using this script it may be useful to see what others have done with it:
http://ubuntuforums.org/archive/index.php/t-428806.html.
http://www.nslu2-linux.org/wiki/HowTo/SetupIPBlockingOnVSFTPD

jeffrehley · n00b Joined: 23 May 2010 Posts: 1

I added a bit to ban failed login attempts as well...

#!/usr/bin/perl -w
# destuxor (wjholden@gmail.com) - 4/26/2006
# TauRush (snakesandarrows@gmail.com) - 3/17/2007
# jeffrehley (jeffrehley@hotmail.com) - 5/21/2010 - look for failed attempts in auth.log as well
# A simple script to go through a VSFTPD log and block people who have
# unsuccessfully attempted to log in.

#configuration options:
$logfilename1 = '/var/log/vsftpd.log'; # location of ftp logfile.
$logfilename2 = '/var/log/auth.log '; # location of auth logfile.

$allow_exceptions = 1; # if you wish to specify a file to put exceptions into,
# say 1 here, otherwise put 0.

$exception_file = '/var/log/banned.log'; # if you said 1 above, put your filename here.

$max_failures = 5; # maximum number of failures someone can have before
# getting blocked.
#end of configuration options

$command1 = 'grep \'FAIL LOGIN\' '.$logfilename1.' | sed -r \'s/^.{0,}Client .//\' | sed -r \'s/\"//\' | uniq -c';
$command2 = 'grep \'Failed password for invalid user\' '.$logfilename2.' | cut -f 4 -d: | awk \'{print $8}\' | uniq -c';
$command3 = 'grep \'Failed password for root\' '.$logfilename2.' | cut -f 4 -d: | awk \'{print $6}\' | uniq -c';

@connected_ips1 = `$command1`;
@connected_ips2 = `$command2`;
@connected_ips3 = `$command3`;

push (@connected_ips,@connected_ips1);
push (@connected_ips,@connected_ips2);
push (@connected_ips,@connected_ips3);

#print @connected_ips;

undef %noblock;
if ($allow_exceptions == 1) {
open (FH, $exception_file) or die "$!\n";
@exceptions = <FH>;
close (FH);
}

foreach $ip (@exceptions) {
# Added by TauRush to chop LF character
chop ($ip);
$noblock{"$ip"} = 1;
}

foreach $host (@connected_ips)
{
@info = split(/\s+/, $host);

if (($info[1] > $max_failures) and !$noblock{$info[2]}) {
system("iptables -I INPUT 1 -s $info[2] -j DROP");
# 3 lines added by TauRush to create banned.log file
open FILE,">>$exception_file" or die "Unable to open file!\n";
print FILE "$info[2]\n";
close FILE;
}
}