Ban Pure-FTPd login attempts by IP after three failures
I run an FTP server on my machine, using Pure-FTPd. Lately, I was getting a lot of noise in my logs from unknown people trying to gain access to my FTP server. I wanted to automate the task of looking through the log and banning the bad IPs, so that my logs would stay clean of all those failed attempts.

What I came up with is a bash script executed as a launchd user daemon whenever the file /var/log/ftp.log is modified. Parts of the code come from , and irc2samus on the #bash channel (IRC on freenode.net) made the rest.

I thought this might help others, too, so here's the code.

I put the following in /etc/autoban/ftp_ban.sh:
#!/bin/bash
# this script scans the /var/log/ftp.log file for IPs that
# repeatedly try to connect to the server without proper credentials
# and bans them after their 3rd failure, so we can have clean logs
#
export secure_log=/var/log/ftp.log
export log=/var/log/ftp_ban.log

function ban_host {
    # find the lowest ipfw rule number not in use yet
    # (ipfw show prints rule numbers zero-padded to five digits)
    rule_numbers=$(ipfw show | awk '{print $1}')
    lowest_rule=1
    lowest_rulet=$(printf %5.5i "$lowest_rule")
    while [[ "$rule_numbers" =~ "${lowest_rulet}" ]]; do
        lowest_rule=$(( lowest_rule + 1 ))
        lowest_rulet=$(printf %5.5i "$lowest_rule")
    done
    # the actual banning happens here
    ipfw -q add "$lowest_rule" deny ip from "$1" to any
    echo "$(date +'%D %T') : Banned $1" >> "$log"
}
export -f ban_host

# Pure-FTPd logs a failed login as
#   "... pure-ftpd: (?@1.2.3.4) [WARNING] Authentication failed for user [name]"
# so cut the client address out of the "(?@...)" field (up to the FIRST closing
# parenthesis, so a ")" inside the user name cannot corrupt it), count failures
# per address and ban the repeat offenders
fgrep 'Authentication failed for user' "$secure_log" | while read -r line; do
    line=${line#*(\?@}; line=${line%%)*}
    # only pass well-formed IPv4 addresses on to ipfw, whatever a malformed line contains
    [[ $line =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] && echo "$line"
done | sort | uniq -c | while read -r count suspected_host; do
    if ((count>=3)); then
        # skip hosts that already have a deny rule; match the whole address so
        # 1.2.3.4 is not mistaken for an already-banned 1.2.3.45
        ipfw show | fgrep "from $suspected_host to" | fgrep -q deny || ban_host "$suspected_host"
    fi
done
To make this script run automatically as a launchd user daemon, I used Lingon, as explained on Sergei's page. In Lingon, create a new User Daemon and fill the form out like this:
  • In the first field, enter com.yourName.whatever.youWant
  • In the second field, point to the /etc/autoban/ftp_ban.sh script.
  • Finally, locate the field named Run if the file is Modified and choose /var/log/ftp.log
  • Skip everything else, and don't forget to click the Save button
Log out or restart, and you should be done.
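The log parsing and rule-number search above are the two places where the script can go wrong on unexpected input, so here is an added example (not the hint's own script) that exercises both against a constructed log without touching the firewall. The sample lines, the assumed line format "... pure-ftpd: (?@A.B.C.D) [WARNING] Authentication failed for user [NAME]", and the function names extract_ip, offenders and free_rule are all this example's own. It cuts the address at the first ")" so a ")" in the user name cannot corrupt it, rejects anything that is not a dotted quad before it could reach a firewall command, and compares rule numbers numerically rather than as zero-padded substrings.

```shell
#!/bin/sh
# Added example: parse Pure-FTPd failure lines, count them per client address
# and find a free ipfw rule number. Runs without ipfw or a real log file.

# Constructed sample log, not captured from a real server. The last two lines are
# edge cases: a user name containing ")" and a line with no "(?@...)" client field.
SAMPLE_LOG=$(cat <<'EOF'
Nov  9 14:01:02 mac pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Nov  9 14:01:05 mac pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [root]
Nov  9 14:01:09 mac pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [test]
Nov  9 14:02:11 mac pure-ftpd: (?@198.51.100.20) [WARNING] Authentication failed for user [bob]
Nov  9 14:03:00 mac pure-ftpd: (?@198.51.100.20) [INFO] bob is now logged in
Nov  9 14:04:44 mac pure-ftpd: (?@192.0.2.55) [WARNING] Authentication failed for user [x)y]
Nov  9 14:05:00 mac pure-ftpd: [WARNING] Authentication failed for user [eve]
EOF
)

# extract_ip LINE: print the client address from one log line, or nothing if the
# line has no well-formed "(?@a.b.c.d)" field. Cutting at the FIRST ")" keeps a
# ")" inside the user name from corrupting the result; the IPv4 check makes sure
# only a dotted quad is ever handed to a firewall command.
extract_ip() {
    ip=${1#*(\?@}
    ip=${ip%%)*}
    if printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        printf '%s\n' "$ip"
    fi
}

# offenders THRESHOLD: read log text on stdin and print "COUNT IP" for every
# address with at least THRESHOLD failed logins, sorted by address.
offenders() {
    threshold=$1
    grep -F 'Authentication failed for user' \
    | while IFS= read -r line; do extract_ip "$line"; done \
    | sort | uniq -c \
    | while read -r count ip; do
        if [ "$count" -ge "$threshold" ]; then
            printf '%s %s\n' "$count" "$ip"
        fi
      done
}

# free_rule: read "ipfw show" output on stdin and print the lowest rule number
# not in use, comparing numerically (00001 is 1) instead of matching substrings.
free_rule() {
    n=1
    for used in $(awk '{print $1 + 0}' | sort -n | uniq); do
        if [ "$used" -eq "$n" ]; then
            n=$((n + 1))
        elif [ "$used" -gt "$n" ]; then
            break
        fi
    done
    printf '%s\n' "$n"
}

# Usage: list addresses with three or more failures in the sample log
# printf '%s\n' "$SAMPLE_LOG" | offenders 3
```

The same pipeline shape as the hint's script is kept on purpose, so each stage can be swapped into it; the difference is that every address leaving extract_ip has already been validated, and the ban decision only ever sees a count and a dotted quad.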

[robg adds: I haven't tested this one.]

Ban Pure-FTPd login attempts by IP after three failures
Authored by: clusty on Nov 09, '09 03:03:21PM

A more elegant method would be to use TCP wrappers, namely hosts.deny.

Ban Pure-FTPd login attempts by IP after three failures
Authored by: photonyx on Nov 12, '09 09:27:48AM

That is true, hosts.deny would be more elegant. Does anyone know which way uses more resources - firewall or TCP wrapper?

Ban Pure-FTPd login attempts by IP after three failures
Authored by: pexner on Nov 13, '09 06:47:22AM

just a small question:

How to UN-ban an address using ipfw?
Syntax anyone?

Thanks in advance,

Patrick

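Since the hint only adds rules, here is an added example (not from the hint's author or from any of the commenters) of how to find and remove a ban again. ipfw deletes rules by number, so the example reads an "ipfw show" listing, matches the whole "from ADDRESS to" phrase so that 203.0.113.7 is not mistaken for 203.0.113.70, and prints the rule numbers; only the small unban_host wrapper actually runs ipfw. The listing below is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: locate the ipfw rule(s) that ban a given address and delete them.

# Constructed "ipfw show" style listing, not captured from a real host.
# Note the two addresses that share a prefix.
SAMPLE_RULES='00001    4    240 deny ip from 203.0.113.7 to any
00002    0      0 deny ip from 203.0.113.70 to any
65535 9999 123456 allow ip from any to any'

# rules_for_host IP: read an "ipfw show" listing on stdin and print the number of
# every rule whose body contains exactly "from IP to"; the number is printed
# without leading zeros, which is the form "ipfw delete" expects.
rules_for_host() {
    grep -F -- "from $1 to" | awk '{print $1 + 0}'
}

# unban_host IP: delete every rule found for the address (needs root; this is the
# only function that touches the firewall, so everything above it can be tested dry).
unban_host() {
    for rule in $(ipfw show | rules_for_host "$1"); do
        ipfw -q delete "$rule"
    done
}

# Usage: see which rule number would be removed for an address in the sample listing
# printf '%s\n' "$SAMPLE_RULES" | rules_for_host 203.0.113.7
```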