Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I was wondering if it's possible to add iptables rules based on unsuccessful logins to the FTP server.
For example, I'm running proftpd, and the account to access my FTP site is NOT 'ftp'. So I have a lot of sessions opened and closed, but no successful logins. There are only a few people that I want to have access to my site, but their IPs don't stay the same. So I want to be able to look at the logs, and when it sees a connection opened, then closed with no success, it adds the IP as an iptables rule.
Most likely, once they have been denied, users will go away. Do you see a pattern of the same IP(s) banging on your door? (5+ unsuccessful logins from same IP)
There have been a few multiple attempts from the same IP, and there have been attempts from different IPs that were just seconds or minutes apart (which is not common, since I see about 1 attempt every 3 or 4 days).
But besides that, I've actually been wondering about how to do this for a while. Is there another forum I should try, maybe one more geared towards scripting?
I don't know the log format of the proftpd logs, but I imagine writing such a script would be trivial. If you post some of the log output (so I can see the format), I'd be glad to work something up for you.
Apr 27 13:16:13 server proftpd[3178] localhost (220.66.108.21[220.66.108.21]): FTP session opened.
Apr 27 13:16:13 server proftpd[3178] localhost (220.66.108.21[220.66.108.21]): FTP session closed.
Apr 27 13:18:34 server proftpd[3266] localhost (220.66.108.21[220.66.108.21]): FTP session opened.
Apr 27 13:18:34 server proftpd[3266] localhost (220.66.108.21[220.66.108.21]): FTP session closed.
Apr 27 14:16:23 server proftpd[3923] localhost (211.107.232.1[211.107.232.1]): FTP session opened.
Apr 27 14:16:23 server proftpd[3923] localhost (211.107.232.1[211.107.232.1]): FTP session closed.
Apr 28 18:34:19 server proftpd[25010] localhost (192.168.0.101[192.168.0.101]): USER ftp (Login failed): Incorrect password.
Apr 28 18:34:22 server proftpd[25010] localhost (192.168.0.101[192.168.0.101]): USER ftp (Login failed): Incorrect password.
Apr 28 18:34:25 server proftpd[25010] localhost (192.168.0.101[192.168.0.101]): USER ftp (Login failed): Incorrect password.
Apr 28 18:34:25 server proftpd[25010] localhost (192.168.0.101[192.168.0.101]): Maximum login attempts (3) exceeded
Apr 28 18:34:25 server proftpd[25010] localhost (192.168.0.101[192.168.0.101]): FTP session closed.
Apr 28 18:35:07 server proftpd[25021] localhost (192.168.0.101[192.168.0.101]): FTP session opened.
Apr 28 18:35:07 server proftpd[25021] localhost (192.168.0.101[192.168.0.101]): USER ftp (Login failed): Incorrect password.
Apr 28 18:35:09 server proftpd[25021] localhost (192.168.0.101[192.168.0.101]): FTP session closed.
There are a few things I'd like to do. I'd like to drop packets coming from the IP when it sees a session opened and closed, even without a login attempt, as well as sessions where they try entering a username that's incorrect.
Any time there's a session opened and closed right away, I'd like that IP added to iptables just so they don't see that there's a server running and decide to come back later for a crack at it.
Thanks again.
For the ones that don't try a name, I was thinking it could search for the "session opened", then look ahead, and if the next line says "session closed" then that's an IP that would be added to iptables.
In the case that they try a username that's invalid, it could have the script look at the word after USER, and if it isn't a valid username, then ban that one too, or even if it's "ftp", since that's the default FTP username.
Apr 23 17:14:52 server proftpd[32078] localhost (192.168.0.101[192.168.0.101]): FTP session opened.
Apr 23 17:14:52 server proftpd[32078] localhost (192.168.0.101[192.168.0.101]): USER ftpuser: Login successful.
Apr 23 17:15:12 server proftpd[32078] localhost (192.168.0.101[192.168.0.101]): FTP session closed.
That's what it looks like if the user logs in successfully and logs out. If a user logs in and transfers a file and then logs out, it still looks the same.
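The banning logic sketched in this thread, written out as an added Python example (not a script from the thread or from the proftpd project). It groups lines by the proftpd child PID in square brackets rather than by "the next line", because lines from concurrent connections interleave in the log, and it bans a source that either opens and closes a session without ever sending USER, or tries a username that is not a real account (which catches "ftp"). Assumptions not taken from the thread: the only legitimate account is "ftpuser" (the name in the successful-login sample), 192.168.0.0/24 is the admin's own LAN and is never banned, and the rules go into a user-defined chain named "ftpban" that the admin has already created and jumped to from INPUT. The sample log is constructed from the posted line format; 203.0.113.5 and 198.51.100.7 are documentation addresses.

```python
"""Turn proftpd session logs into iptables DROP rules (added example)."""
import ipaddress
import re
import subprocess
import sys

VALID_USERS = {"ftpuser"}                                  # assumption
NEVER_BAN = [ipaddress.ip_network("192.168.0.0/24")]       # assumption: own LAN
CHAIN = "ftpban"                                           # assumption: pre-created chain

# "Apr 27 13:16:13 server proftpd[3178] localhost (1.2.3.4[1.2.3.4]): <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[(?P<pid>\d+)\] \S+ "
    r"\((?P<host>[^\[]*)\[(?P<ip>[^\]]+)\]\): (?P<msg>.*)$"
)
# "USER ftp (Login failed): ..." and "USER ftpuser: Login successful."
USER_RE = re.compile(r"^USER (?P<user>\S+?)(?::| \(Login failed\)).*$")

# Constructed sample in the thread's log format (not real traffic).
SAMPLE_LOG = """\
Apr 27 13:16:13 server proftpd[3178] localhost (220.66.108.21[220.66.108.21]): FTP session opened.
Apr 27 13:16:13 server proftpd[3178] localhost (220.66.108.21[220.66.108.21]): FTP session closed.
Apr 28 18:34:19 server proftpd[25010] localhost (192.168.0.101[192.168.0.101]): USER ftp (Login failed): Incorrect password.
Apr 28 18:34:25 server proftpd[25010] localhost (192.168.0.101[192.168.0.101]): Maximum login attempts (3) exceeded
Apr 28 18:34:25 server proftpd[25010] localhost (192.168.0.101[192.168.0.101]): FTP session closed.
Apr 29 09:02:41 server proftpd[26112] localhost (203.0.113.5[203.0.113.5]): FTP session opened.
Apr 29 09:02:42 server proftpd[26112] localhost (203.0.113.5[203.0.113.5]): USER ftp (Login failed): Incorrect password.
Apr 29 09:02:44 server proftpd[26112] localhost (203.0.113.5[203.0.113.5]): FTP session closed.
Apr 29 10:11:00 server proftpd[26300] localhost (198.51.100.7[198.51.100.7]): FTP session opened.
Apr 29 10:11:03 server proftpd[26300] localhost (198.51.100.7[198.51.100.7]): USER ftpuser (Login failed): Incorrect password.
Apr 29 10:11:09 server proftpd[26300] localhost (198.51.100.7[198.51.100.7]): USER ftpuser: Login successful.
Apr 29 10:15:12 server proftpd[26300] localhost (198.51.100.7[198.51.100.7]): FTP session closed.
""".splitlines()


def parse_sessions(lines):
    """Group lines by proftpd child PID; return finished sessions in close order.

    Each session: ip, users (names tried, in order), success, probe (closed
    without any USER command).  A session whose "opened" line is missing,
    e.g. because the log was rotated mid-session, is created on first sight.
    """
    open_sessions, finished = {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                       # not a session line
        pid, ip, msg = m.group("pid"), m.group("ip"), m.group("msg")
        s = open_sessions.setdefault(pid, {"ip": ip, "users": [], "success": False})
        u = USER_RE.match(msg)
        if u:
            s["users"].append(u.group("user"))
            if msg.endswith("Login successful."):
                s["success"] = True
        elif msg == "FTP session closed.":
            s["probe"] = not s["users"]
            finished.append(open_sessions.pop(pid))
    return finished


def ban_reason(session):
    """Return why a finished session earns a ban, or None to leave it alone.

    Left alone: a successful login, a known user who mistyped a password
    (that is what a legitimate user looks like), and never-ban sources.
    """
    addr = ipaddress.ip_address(session["ip"])
    if session["success"] or any(addr in net for net in NEVER_BAN):
        return None
    if session["probe"]:
        return "connect-and-leave"                         # opened/closed, no USER
    bad = [u for u in session["users"] if u not in VALID_USERS]
    if bad:
        return "unknown-user:" + bad[0]                    # "ftp" lands here
    return None


def iptables_commands(lines):
    """One iptables argv per source IP to ban; an IP is listed once."""
    seen, cmds = set(), []
    for s in parse_sessions(lines):
        if ban_reason(s) and s["ip"] not in seen:
            seen.add(s["ip"])
            cmds.append(["iptables", "-A", CHAIN, "-s", s["ip"], "-j", "DROP"])
    return cmds


def apply_rules(cmds):
    """Append each rule unless it is already in the chain (iptables -C)."""
    for cmd in cmds:
        check = cmd[:]
        check[1] = "-C"
        if subprocess.run(check, capture_output=True).returncode != 0:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    # Usage: script.py /var/log/proftpd.log  (no argument: built-in sample).
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            rules = iptables_commands(fh)
    else:
        rules = iptables_commands(SAMPLE_LOG)
    for rule in rules:
        print(" ".join(rule))
```

Run it from cron against the current log and call apply_rules() on the result; the iptables -C check is what keeps an hourly run over the same file from stacking duplicate rules. The "connect-and-leave" rule is the aggressive one: it also catches a legitimate user whose client drops the control connection before sending USER, so on a server with more than a handful of users it is worth counting such sessions per IP before banning, and expiring the rules after a while so that a dynamic address does not stay blocked forever.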
Here is a Perl script I wrote that parses my Apache logs and bans IPs that are screwing around (edited for brevity). I run it as an hourly cron task. It requires you to create a user-defined chain which I call 'banned' with default policy set to drop. Perhaps you can edit it to suit your purposes: