Results 1 to 6 of 6

Thread: FTP Bruteforce Attempts

  1. #1
    Join Date
    Mar 2010
    Location
    Connecticut
    Beans
    52
    Distro
    Ubuntu 10.04 Lucid Lynx

    FTP Bruteforce Attempts

    So I check out my log files occassionally and those damn Chinese keep trying to bruteforce VSFTPD on my server. Any idea how to stop this? Its almost every day, and it just bothers me. The cryptographic strength of my password is very good, but still. Or is it just a reality that I have to deal with?

  2. #2
    Join Date
    Mar 2010
    Location
    Metro-ATL; PM free zone.
    Beans
    Hidden!
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: FTP Bruteforce Attempts

    Plain FTP is a terrible way to protect any files. Plain FTP should only be used when you want the entire world to see everything on the system.
    http://blog.jdpfu.com/2011/07/10/why...stop-using-ftp explains more. There are other places saying the same thing around the internet.

    Switch to using sftp and key-based authentication for any clients outside your LAN. Heck, key-based authentication from inside your LAN is more convenient too. Fantastic clients exist for every platform.

    With ssh/scp/sftp, the fail2ban tool will block them after you tell your router to listen on a non-standard port (anything but 22). Failures should automatically block future access for some period of time - 5 minutes, a day, a year. You decide.

    Here is an article http://blog.jdpfu.com/2011/08/23/sec...cking-failures about steps to secure ssh - which applies to sftp as well.

  3. #3
    hakermania's Avatar
    hakermania is offline Τώρα ξέρεις τι γράφω εδώ!
    Join Date
    Aug 2009
    Location
    Greece
    Beans
    1,704
    Distro
    Ubuntu Development Release

    Re: FTP Bruteforce Attempts

    I'd just change the default port that FTP uses

    This worked pretty well for me as for SSH brute forcing attempts!
    Website

    Wallch (Wallpaper Changer): Sourceforge | Launchpad

  4. #4
    Join Date
    Sep 2011
    Beans
    1,531

    Re: FTP Bruteforce Attempts

    Quote Originally Posted by shibby4555
    So I check out my log files occassionally and those damn Chinese keep trying to bruteforce VSFTPD on my server.
    Reminds me of my CYA motto: when in doubt, spoof a Chinese IP
    Quote Originally Posted by hakermania View Post
    I'd just change the default port that FTP uses

    This worked pretty well for me as for SSH brute forcing attempts!
    As long as you understand that changing ports alone won't actually make you any more secure. It will probably stop the automated bots because they're looking for default ports for the most part. But it doesn't make it any harder to find the FTP server.

    Change the port, use SFTP and key-based auth like TheFu recommended if you'd like to increase the security on your server as well as decrease log noise.

  5. #5
    Join Date
    Mar 2013
    Beans
    14

    Re: FTP Bruteforce Attempts

    A couple things that can be done.

    1. Ensure that are indeed using ssl with vsftpd, i.e, FTPS . If not, then do so immediately or like others suggested, use SFTP.
    2. Switching from the default FTP port helps hide from the automated bots that only check for certain common ports.
    3. Consider installing fail2ban. This will block the offending IP addresses that are attempting to brute force your ftp service. It works by monitoring log files, like the one at /var/log/auth.log, for failed log in attempts. If it detects multiple failed logged in attempts from a remote host, it creates an iptables rule to block that host.

  6. #6
    Join Date
    Oct 2005
    Location
    Al Ain
    Beans
    8,136

    Re: FTP Bruteforce Attempts

    Simple really. Iptables has a rate limit rule that you can use to limit new connections from the same IP address:

    # General new connection rate limiting for DOS and Brute Force protection
    iptables -I INPUT -p TCP -m state --state NEW -m limit --limit 30/minute --limit-burst 5 -j ACCEPT

    This problem has been solved a decade ago, yet few people are aware of it, since no-one on these forums ever reads man pages.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •