I have seen in recent times that there are a lot of brute-force login-failure attempts being bombarded on my FTP server running the FTP service on port 21. Every minute or so my log file shows fresh failures, hundreds of login-failure attempts per hour, with every combination of username. Ever since then I have been searching for some kind of IP address blocking application that would automatically block the IPs making these brute-force attempts.

I have most often used ProFTPD or Pure-FTPd to run the FTP service on port 21, along with the CSF firewall. I have often noticed that the CSF firewall does not effectively block login attempts if you are running ProFTPD.

I have experimented with many Linux IP blocking tools such as DenyHosts and fail2ban, and both seem to work exclusively for SSH protection and not for FTP attacks.

One solution that worked for me is the BFD tool (Brute Force Detection) from R-fx Networks, the same developers as the APF firewall. It can be configured to block many kinds of attacks, including FTP, and it works with iptables, the CSF firewall or the APF firewall.

Installing BFD

To install BFD, just follow these steps. The tarball is fetched over plain HTTP and install.sh runs as root, so look through the extracted files before running it.

wget http://www.rfxn.com/downloads/bfd-current.tar.gz
tar zxf bfd-current.tar.gz

Then go into the extracted bfd folder and run the install.sh file

cd bfd-*/
./install.sh

By default BFD is installed in these paths:

Main executable —> /usr/local/bfd/bfd
BFD config file —> /usr/local/bfd/conf.bfd
BFD rules for ProFTPD —> /usr/local/bfd/rules/proftpd

BFD Configuration

Just open /usr/local/bfd/conf.bfd and make two small changes: how many failed attempts it takes to trigger a block, and which firewall executable performs the block.

(i) Number of failure attempts

# how many failure events must an address have before being blocked?
# you can override this on a per rule basis in /usr/local/bfd/rules/
TRIG="5"

(ii) Set the BAN_COMMAND executable

BFD does not block anything on its own; when an address reaches TRIG failures it runs BAN_COMMAND with the attacking address substituted for $ATTACK_HOST. Pick the command for the firewall you actually run.

If you use the CSF firewall, csf -d is a permanent deny. To block the IP address temporarily, use the temporary-deny option csf -td with a TTL in seconds; the following blocks the address for 600 seconds:

BAN_COMMAND="/usr/sbin/csf -td $ATTACK_HOST 600"

Note: if you use csf -d instead (no TTL), the IP address is banned permanently until you remove it with csf -dr.

If you are using the APF firewall, use this command. APF's deny option has no TTL, so the ban is permanent until the address is removed from apf.deny:

BAN_COMMAND="/usr/sbin/apf -d $ATTACK_HOST"

To use the system route command instead of a firewall, add a reject route for the host. This does not stop the attacker's packets arriving, but the server can no longer send replies, so the connection fails. The route is lost on reboot.

BAN_COMMAND="route add -host $ATTACK_HOST reject"

If you are using iptables directly, use this line. There must be no space after the equals sign, or the shell treats BAN_COMMAND as a command rather than an assignment. Use -I rather than -A so the DROP rule is inserted at the top of the INPUT chain, ahead of any earlier ACCEPT rule that would otherwise let the attacker's packets through:

BAN_COMMAND="iptables -I INPUT -s $ATTACK_HOST -j DROP"

Note: rules added this way never expire on their own (but are lost on reboot unless you save them). Be careful that you don't block your own IP address: put your management addresses in /usr/local/bfd/ignore.hosts so they are never passed to BAN_COMMAND. If you are unsure, don't use the iptables command above, and set the IP block to temporary.
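The configuration above sets three things: a trigger count, an ignore list, and a ban command. The following script, added here as an illustration and not part of BFD itself, re-implements that count-then-ban cycle in shell over a constructed sample of ProFTPD failed-login lines, so you can see exactly which addresses TRIG and the ignore list would hand to BAN_COMMAND before pointing the real tool at a production firewall. The log format, the addresses (RFC 5737 documentation ranges) and the function names are assumptions for the example; the ban step only prints the csf command unless DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example, not BFD's own code: count failed logins per source address,
# apply a TRIG threshold and an ignore list, then hand survivors to a ban
# command, mirroring what BFD does with /usr/local/bfd/rules/proftpd.
set -u

# Constructed sample log in the style of proftpd's failed-login messages
# (the exact format depends on your proftpd logging settings).
SAMPLE_LOG='Jun 01 10:00:01 ftp proftpd[2110] ftp.example.org (203.0.113.7[203.0.113.7]): USER admin (Login failed): Incorrect password
Jun 01 10:00:03 ftp proftpd[2111] ftp.example.org (203.0.113.7[203.0.113.7]): USER root (Login failed): Incorrect password
Jun 01 10:00:04 ftp proftpd[2112] ftp.example.org (203.0.113.7[203.0.113.7]): USER test (Login failed): Incorrect password
Jun 01 10:00:06 ftp proftpd[2113] ftp.example.org (203.0.113.7[203.0.113.7]): USER ftp (Login failed): Incorrect password
Jun 01 10:00:07 ftp proftpd[2114] ftp.example.org (203.0.113.7[203.0.113.7]): USER www (Login failed): Incorrect password
Jun 01 10:00:09 ftp proftpd[2115] ftp.example.org (198.51.100.20[198.51.100.20]): USER bob (Login failed): Incorrect password
Jun 01 10:00:11 ftp proftpd[2116] ftp.example.org (198.51.100.20[198.51.100.20]): USER bob (Login failed): Incorrect password
Jun 01 10:00:13 ftp proftpd[2117] ftp.example.org (198.51.100.20[198.51.100.20]): USER bob (Login successful)
Jun 01 10:00:15 ftp proftpd[2118] ftp.example.org (192.0.2.44[192.0.2.44]): USER admin (Login failed): Incorrect password
Jun 01 10:00:16 ftp proftpd[2119] ftp.example.org (192.0.2.44[192.0.2.44]): USER admin (Login failed): Incorrect password
Jun 01 10:00:17 ftp proftpd[2120] ftp.example.org (192.0.2.44[192.0.2.44]): USER admin (Login failed): Incorrect password
Jun 01 10:00:18 ftp proftpd[2121] ftp.example.org (192.0.2.44[192.0.2.44]): USER admin (Login failed): Incorrect password
Jun 01 10:00:19 ftp proftpd[2122] ftp.example.org (192.0.2.44[192.0.2.44]): USER admin (Login failed): Incorrect password
Jun 01 10:00:20 ftp proftpd[2123] ftp.example.org (192.0.2.44[192.0.2.44]): USER admin (Login failed): Incorrect password'

# Read a proftpd log on stdin and print "<failures> <ip>" per source address,
# highest count first. Only "Login failed" lines count; successful logins
# and other noise from the same address are ignored.
count_failures() {
  awk '/Login failed/ {
         # the client address appears as "(A.B.C.D[A.B.C.D])"
         if (match($0, /\([0-9.]+\[/)) {
           ip = substr($0, RSTART + 1, RLENGTH - 2)
           n[ip]++
         }
       }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Apply the trigger: print (sorted) every address with at least $1 failures
# that is not listed in the ignore file $2 (one address per line), which
# is the job /usr/local/bfd/ignore.hosts does for the real tool.
ban_candidates() {
  local trig="$1" ignore="$2"
  count_failures | awk -v trig="$trig" -v ignore="$ignore" '
    BEGIN { while ((getline line < ignore) > 0) skip[line] = 1 }
    $1 >= trig && !($2 in skip) { print $2 }' | sort
}

# Ban each address read from stdin for $1 seconds. csf -td is a temporary
# deny with a TTL; csf -d would make it permanent. The command is only
# printed unless DRY_RUN=0, so this is safe to run on any machine.
ban_hosts() {
  local ttl="${1:-600}"
  while read -r host; do
    cmd="/usr/sbin/csf -td $host $ttl"
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else $cmd; fi
  done
}

# Stand-alone demo: TRIG=5 with 192.0.2.44 (six failures) on the ignore list.
# Only 203.0.113.7 reaches the trigger; 198.51.100.20 has just two failures.
demo_ignore=$(mktemp)
printf '192.0.2.44\n' > "$demo_ignore"
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 5 "$demo_ignore" | ban_hosts 600
rm -f "$demo_ignore"
```

The demo prints a single csf -td line for 203.0.113.7. Lowering the trigger to 2 would also catch 198.51.100.20, which is the trade-off TRIG controls: a low value bans a user who fat-fingers a password a couple of times, a high value lets a slow attacker through. The ignore list is what keeps your own address out of that decision.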

Starting up BFD

BFD is not a daemon: the installer adds a cron entry that runs it periodically. To run it by hand, use the following commands:

/usr/local/bfd/bfd -q   (quiet mode)
/usr/local/bfd/bfd -s   (standard mode, with output)
/usr/local/bfd/bfd -a   (list attacking hosts)

Finally, check your firewall's deny file to confirm the attacking IP addresses are listed properly:

/etc/csf/csf.deny
/etc/apf/apf.deny

Temporary CSF blocks (csf -td) do not appear in csf.deny; list them with csf -t, or search for a single address in all CSF rules with csf -g <ip>.