Bio Apprentice
Joined: 17 Mar 2003 Posts: 197 Location: Geneva which should be in Switzerland...
Posted: Mon Oct 15, 2007 1:54 pm Post subject: [pure-ftpd] being brute forced
Hello all,
So I have a pure-ftpd server that's been running for a few weeks and I noticed an increase in brute force attacks over the last few days. I experienced such attacks on my SSH server, which I was able to secure with the denyhosts package and some sshd_config tweaking.
I'm wondering how I can protect my FTP server the same way I did SSH. Is there any built-in feature in pure-ftpd, or can I use the denyhosts package?
I tried with denyhosts while I was being brute forced but nothing happened. In fact syslog-ng logged the FTP stuff in an ftp.log file. As my denyhosts.conf reads, denyhosts will look at the auth.log file, so I changed my syslog destination for FTP to write its logs into auth.log. I then restarted both syslog and denyhosts but the brute force attack kept happening. Am I missing something?
Relevant parts of my denyhosts.conf:
Code:
SECURE_LOG = /var/log/syslog-ng/auth.log
HOSTS_DENY = /etc/hosts.deny
BLOCK_SERVICE = ALL
and my syslog-ng.conf:
Code:
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
# destination path must be absolute; the posted config was missing the leading slash
destination ftp { file("/var/log/syslog-ng/auth.log"); };
filter f_ftp { level(info..warn) and facility(ftp); };
log { source(src); filter(f_ftp); destination(ftp); };
n3bul4 Apprentice
Joined: 04 Nov 2003 Posts: 187
Posted: Mon Oct 15, 2007 2:45 pm Post subject:
I am not sure if you can do this with the denyhosts package.
Maybe you should think about portsentry or another IDS.
Regards.
vaguy02 Guru
Joined: 25 Feb 2005 Posts: 424 Location: Hopefully in one place
Posted: Mon Oct 15, 2007 2:52 pm Post subject:
I think fail2ban (in portage) can do brute force protection against ftp.
Robert
Bio Apprentice
Joined: 17 Mar 2003 Posts: 197 Location: Geneva which should be in Switzerland...
Posted: Mon Oct 15, 2007 6:31 pm Post subject:
OK so I emerged fail2ban and tried to configure it.
Here's my jail.conf action regarding pure-ftpd:
Code:
[pure-ftpd-iptables]
enabled = true
filter = pure-ftpd
action = hostsdeny[file=/etc/hosts.deny]
         mail-whois[name=Pure-FTPD, dest=myemail@myprovider.com]
logpath = /var/log/syslog-ng/ftp.log
maxretry = 5
My action.d/hostsdeny.conf and filter.d/pure-ftpd.conf are untouched.
I launch fail2ban via the init.d script and shortly after I receive an email:
Code:
Hi,
The IP 221.215.127.171 has just been banned by Fail2Ban after
50 attempts against Pure-FTPD.
grep 221.215.127.171 /etc/hosts.deny returns the following:
Code:
ALL: 221.215.127.171
But doing a tail -f /var/log/syslog-ng/ftp.log shows that the brute force is still going on:
Code:
Oct 15 20:13:42 localhost pure-ftpd: (?@221.215.127.171) [INFO] New connection from 221.215.127.171
Oct 15 20:13:44 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:13:49 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:13:58 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:14:09 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:14:24 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:14:43 localhost pure-ftpd: (?@221.215.127.171) [INFO] New connection from 221.215.127.171
Oct 15 20:14:44 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:14:49 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:14:56 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:15:06 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:15:21 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Am I missing something? I'm totally new to fail2ban btw :p
vaguy02 Guru
Joined: 25 Feb 2005 Posts: 424 Location: Hopefully in one place
Posted: Mon Oct 15, 2007 6:33 pm Post subject:
I use fail2ban to add iptables rules; I've never used it to add to hosts.deny. Some applications don't check against hosts.deny from what I've heard, that may be wrong, that may be right, not sure, just what I've heard.
If you already have iptables on that box, I would suggest just using fail2ban to write iptables rules.
Robert
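As an added example (not code from the thread, from fail2ban or from pure-ftpd), the ban logic behind the advice above, run over a constructed log in the same format Bio posted: count "Authentication failed" lines per source inside a findtime window against the jail's maxretry = 5, and emit the iptables rule that would stand in for the hosts.deny entry. The year (2007), the 600-second findtime, the documentation addresses in the sample and the exact rule form are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Failure line shape from the thread's ftp.log (fail2ban's pure-ftpd filter keys on the same event).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pure-ftpd: "
    r"\([^@)]*@(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) \[WARNING\] "
    r"Authentication failed for user \[(?P<user>[^\]]*)\]"
)

# Constructed sample in the thread's log format; 192.0.2.x / 198.51.100.x are documentation addresses.
SAMPLE_LOG = """\
Oct 15 20:13:42 localhost pure-ftpd: (?@192.0.2.10) [INFO] New connection from 192.0.2.10
Oct 15 20:13:44 localhost pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:13:49 localhost pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:13:58 localhost pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:14:09 localhost pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:14:24 localhost pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:16:01 localhost pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [anonymous]
Oct 15 20:16:05 localhost pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [anonymous]
"""

def parse_ts(text, year=2007):
    # syslog timestamps carry no year; 2007 is assumed from the thread's date
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")

def find_bans(lines, maxretry=5, findtime=600):
    """Map each host that reached maxretry failures within a sliding findtime-second
    window to the timestamp of the failure that triggered its ban."""
    recent = defaultdict(list)
    bans = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # INFO lines and other services are ignored
        ip, ts = m["ip"], parse_ts(m["ts"])
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.pop(0)  # forget failures older than findtime
        if len(window) >= maxretry:
            bans.setdefault(ip, ts)  # first trigger wins; later failures don't move it
    return bans

def iptables_ban_rule(ip, port=21):
    # Packet-filter equivalent of the hosts.deny entry (assumed rule form, as fail2ban's
    # iptables action would insert it); it applies even to daemons without tcp wrappers support
    return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
```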
Cyker Veteran
Joined: 15 Jun 2006 Posts: 1746
Posted: Mon Oct 15, 2007 10:18 pm Post subject:
Blocking stuff with hosts.deny only works if they have tcpwrappers support.
I think if you run them through inetd or xinetd, that would also work 'tho...?
I personally use SEC with custom rules...