Blocking FTP Hacking Attempts
1. Sensible first steps
Disable FTP
Firstly, do you really need to be running an FTP server? If not, turn it off and block the relevant ports. For example, using iptables:
/sbin/iptables -A INPUT -p tcp --match multiport --dports ftp,ftp-data -j DROP
In any case you almost certainly want to disable anonymous FTP connections. For one thing Googlebot has a nasty habit of exploring anonymous ftp which could result in the wrong files being exposed.
Limit access to FTP
If you do need to allow FTP then can you restrict access to specific ip addresses within your local network or a client's network? If so you should set up a white-list.
This can be enabled using /etc/proftpd/proftpd.conf as shown below – including one or more Allow clauses to identify from where you want to allow FTP access:
<Limit LOGIN>
  # single ip address example
  Allow from 192.168.0.1
  # multiple ip addresses example
  Allow from 192.168.0.1 10.30.124.6
  # subnet example
  Allow from 192.168.0.0/16
  # hostname example
  Allow from example.net
  DenyAll
</Limit>
The final DenyAll prevents the rest of the world from being able to connect. If you’re running ftp via inetd then the changes take effect immediately. Otherwise you will need to restart your FTP server.
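Before restarting the server it is worth checking that the Allow list really permits only the addresses you intend. The following is an added example (not from the original article and not part of ProFTPD) that evaluates client addresses against the address and subnet entries of the <Limit LOGIN> block above with Python's ipaddress module. It assumes the block's semantics are "any Allow match permits the login, DenyAll rejects everything else"; the hostname form (Allow from example.net) needs a reverse DNS lookup and is left out of this offline check.

```python
import ipaddress

# The address and subnet entries from the <Limit LOGIN> block above.
# (The "Allow from example.net" hostname entry is deliberately omitted:
# matching it requires a reverse lookup, which this offline check does not do.)
ALLOW = [
    "192.168.0.1",               # single ip address
    "192.168.0.1 10.30.124.6",   # multiple ip addresses on one Allow line
    "192.168.0.0/16",            # subnet
]


def parse_allow(entries):
    """Expand Allow lines into ip_network objects (a bare address becomes a /32)."""
    networks = []
    for entry in entries:
        for token in entry.split():
            networks.append(ipaddress.ip_network(token, strict=False))
    return networks


def login_permitted(client_ip, entries=ALLOW):
    """Mimic <Limit LOGIN>: any Allow entry matching the client permits the login,
    the trailing DenyAll rejects every other address."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_allow(entries))


def audit(entries, expect_allowed, expect_denied):
    """Return (address, problem) pairs where the list's outcome differs from the
    administrator's intent, e.g. a subnet that is wider than intended."""
    problems = []
    for ip in expect_allowed:
        if not login_permitted(ip, entries):
            problems.append((ip, "denied but expected allowed"))
    for ip in expect_denied:
        if login_permitted(ip, entries):
            problems.append((ip, "allowed but expected denied"))
    return problems


if __name__ == "__main__":
    # Constructed sample: the admin meant to allow one office subnet only;
    # the /16 entry quietly admits the whole 192.168.0.0/16 range.
    intended_allowed = ["192.168.0.1", "10.30.124.6"]
    intended_denied = ["192.168.200.5", "203.0.113.7"]
    for ip, problem in audit(ALLOW, intended_allowed, intended_denied):
        print(f"{ip}: {problem}")
```

Run it with the addresses you expect to be accepted and rejected; an empty report means the white-list matches your intent, while the constructed sample above reports 192.168.200.5 as allowed because of the /16 entry.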
Make logins harder to guess
Most FTP hacking attempts are automated so rely on guessing both the username and the password. For example, if your domain name is www.example.net the hacking script will try "example", "examplenet", "admin@example.net", "webmaster@example.net" and so on. Generic usernames including "admin", "www", "data" and "test" are also being tried.
If the script is unable to guess a valid username then it will not be able to try any passwords. You should ensure your FTP usernames are not predictable in any way from the domain name – by appending some random letters or digits for example.
Hackers are also equipped with dictionaries and large databases of exposed username/password combinations from previously exploited servers. So make sure your passwords, not just for FTP, are long and complicated and don’t match common patterns.
2. Dynamically blocking login attempts
The Fail2Ban program can be used to detect failed login attempts and automatically block the source ip address for a period of time. With Fail2Ban installed, we can enable this as follows.
Enable the jail in /etc/fail2ban/jail.conf:
[proftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 5
bantime = 3600
Define the regular expression to look for in /etc/fail2ban/filter.d/proftpd.conf:
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+ *$
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): .*$
            \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\. *$
            \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$
With the above configuration any ip address responsible for 5 or more failed FTP login attempts – any logfile entries matching the above regular expressions – will be ‘jailed’ for a period of 1 hour. You can change these values to require fewer failed login attempts or to make the jailing last longer.
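To see which log entries the four failregex patterns actually catch, and which hosts would reach maxretry, the script below runs them over a handful of constructed proftpd log lines. It is an added example, not part of the original article or of Fail2Ban itself: it approximates Fail2Ban's matching by substituting a capture group for the <HOST> tag (a simplified version of Fail2Ban's own substitution) and by counting failures per host inside a time window, using the page's maxretry of 5 and an assumed 600-second window (Fail2Ban's findtime setting). The log lines and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The four failregex lines from /etc/fail2ban/filter.d/proftpd.conf above.
FAILREGEX = [
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+ *$",
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): .*$",
    r"\(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\. *$",
    r"\(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$",
]

# Fail2Ban replaces the <HOST> tag with a named group capturing the client
# address; this is a simplified stand-in for that substitution (assumption).
HOST_GROUP = r"(?P<host>[\w\-.^_]*\w)"
COMPILED = [re.compile(rx.replace("<HOST>", HOST_GROUP)) for rx in FAILREGEX]

MAXRETRY = 5                       # from the jail above
FINDTIME = timedelta(seconds=600)  # assumed window for counting failures

# Constructed proftpd log lines: one host hammering the server with guessed
# usernames, one legitimate user who mistypes a password once.
SAMPLE_LOG = [
    "2024-05-01 10:00:01,123 ftp1 proftpd[2201] ftp1 (203.0.113.7[203.0.113.7]): USER admin: no such user found from 203.0.113.7 [203.0.113.7] to 192.168.0.10:21",
    "2024-05-01 10:00:02,456 ftp1 proftpd[2202] ftp1 (203.0.113.7[203.0.113.7]): USER webmaster@example.net: no such user found from 203.0.113.7 [203.0.113.7] to 192.168.0.10:21",
    "2024-05-01 10:00:03,789 ftp1 proftpd[2203] ftp1 (203.0.113.7[203.0.113.7]): USER example (Login failed): Incorrect password",
    "2024-05-01 10:00:04,000 ftp1 proftpd[2204] ftp1 (203.0.113.7[203.0.113.7]): SECURITY VIOLATION: root login attempted.",
    "2024-05-01 10:00:05,000 ftp1 proftpd[2205] ftp1 (203.0.113.7[203.0.113.7]): Maximum login attempts (3) exceeded",
    "2024-05-01 10:00:06,000 ftp1 proftpd[2206] ftp1 (198.51.100.9[198.51.100.9]): USER alice (Login failed): Incorrect password",
    "2024-05-01 10:00:07,000 ftp1 proftpd[2207] ftp1 (198.51.100.9[198.51.100.9]): USER alice: Login successful.",
]


def match_failure(line):
    """Return the offending host if the line matches any failregex, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def parse_timestamp(line):
    """proftpd's log prefix starts with 'YYYY-MM-DD HH:MM:SS,mmm' (first 23 chars)."""
    return datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S,%f")


def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return the set of hosts that accumulate >= maxretry matching failures
    within a findtime window, i.e. the hosts the jail would ban."""
    failures = defaultdict(list)
    banned = set()
    for line in lines:
        host = match_failure(line)
        if host is None:
            continue
        ts = parse_timestamp(line)
        window = [t for t in failures[host] if ts - t <= findtime]
        window.append(ts)
        failures[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print("FAIL " if match_failure(line) else "     ", line[24:90])
    print("would ban:", sorted(hosts_to_ban(SAMPLE_LOG)))
```

Each of the four patterns is exercised by one of the constructed lines, so a pattern that stops matching after a proftpd log format change shows up immediately; the successful login and the single mistyped password from 198.51.100.9 stay below maxretry and are not banned.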