Detecting multiple failed login attempts and banning ip?

antis · 09-22-2007, 07:40 AM

Hi,

On my personal server I sometimes see people trying to sort of bruteforce their way into my ftp server (vsftp by the way). I see ~15 lines in auth.log where the same ip tries to log in with user name "Administrator" before they leave.

This isn't all that bad but what if they keep on trying without me stopping them...?

Is there a way to catch this behaviour and limit the number of failed log in attempts within a certain time span?

I have been thinking about writing a script of my own to poll auth.log for these events and put suspious ip's in hosts.deny but I don't know if it would be a good idea as the script would need to check the file quite often, say every 5 seconds or so.

But most important, before I try this I want to be sure that I'm not re-inventing the wheel

So, is there a way to monitor failed log in attempts and banning ip's?

acid_kewpie · 09-22-2007, 09:22 AM

check out fail2ban, should be exactly what you're after. http://www.fail2ban.org/wiki/index.php/Vsftpd

antis · 09-23-2007, 09:18 AM

Thanks, that is indeed exactly what I am looking for. In fact it's almost too exact really, beacuse it looks like the idea behind it is the same that I had in mind.

I'm going to remember fail2ban in case I fail to do this on my own. I think it can be a fun little project to work on and hopfully I'll learn a few new things.

AlucardZero · 09-23-2007, 09:59 AM

also check out DenyHosts

mlnutt · 09-25-2007, 11:25 AM

Also, check out "daemonshield."