
Keeping your FTP Service to Yourself

Novell Cool Solutions: Tip
By Peter Frohlich


Posted: 11 Jul 2007
 

Problem:

Some nasty people out on the open internet find it amusing to try to break into your ssh/www/ftp service. You have chosen a secure login and password, but your logfile is getting crammed with failed attempts and you don't like that.

Solution:

There is a small Python program named fail2ban. It keeps an eye on a specified logfile and watches for failed login attempts. After a specified number of failed attempts from the same address it uses iptables to ban that IP for a specified amount of time, or runs a user-defined command.

Example:

Christian Rauch offers RPM packages on his FTP server. I used version 0.8.0, which has been available since 2007-05-03. Since this is a third-party package fetched over plain FTP, check its signature or checksum before installing it.

wget ftp://ftp.rauchs-home.de/suse/10.2/noarch/fail2ban-0.8.0-0.rauch.3.SuSE1020.noarch.rpm
rpm -i fail2ban-0.8.0-0.rauch.3.SuSE1020.noarch.rpm

You'll find the additional download links on the official project page:
http://www.fail2ban.org/wiki/index.php/Main_Page

After installation, edit the two main config files with your favorite editor.

In fail2ban.conf you'll find the logging configuration (log level and log target).

vi /etc/fail2ban/fail2ban.conf

In jail.conf you'll find the definitions of the services you want to monitor. The file is well commented, so you should have no trouble finding the options you need.

Look especially at the options in the top of the file under [DEFAULT].

The "findtime" is the length of time fail2ban remembers a failed login attempt, i.e. the window (in seconds) within which "maxretry" failures must occur to trigger a ban. The default of 10 minutes is a bit long for my taste, so I change it to 1 minute:

findtime = 60

I want to monitor vsftpd, but I don't want to be notified each time somebody gets banned; that happens far too often. So I keep only the iptables action, and this is what my entry looks like:

[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800 

Now I start fail2ban:

/etc/init.d/fail2ban start

Fail2ban now monitors the vsftpd logfile. If someone fails to log in 5 times within a 1-minute window, his (or her) IP address gets banned for 1800 seconds (30 minutes). That should be enough to discourage a bot hammering away from a single address; attempts spread across many addresses, each staying under the limit, will still get through, so your strong password remains the real protection.
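To make the findtime/maxretry/bantime bookkeeping concrete, here is a small Python replay of it over a few constructed vsftpd.log lines. This is an added illustration, not part of the original tip and not fail2ban's own code: the regex is written for this example after vsftpd's native log format (the real filter lives in /etc/fail2ban/filter.d/vsftpd.conf), the log lines are made up, and the iptables command string is my recollection of the actionban line in fail2ban 0.8's action.d/iptables.conf, so check that file on your system.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail settings, mirroring the [vsftpd-iptables] entry above (all in seconds)
FINDTIME = 60     # window within which MAXRETRY failures must occur
MAXRETRY = 5      # failures from one address that trigger a ban
BANTIME = 1800    # how long the address stays banned

# Matches a FAIL LOGIN line in vsftpd's own log format (vsftpd.log).
# Written for this example; fail2ban's real filter is filter.d/vsftpd.conf.
FAIL_LOGIN = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) '
    r'\[pid \d+\] \[\S+\] FAIL LOGIN: Client "(?P<host>[0-9a-fA-F.:]+)"\s*$'
)

# Constructed sample of /var/log/vsftpd.log (not a real capture):
#  - 192.0.2.10 fails 5 times in 32 seconds and is banned on the 5th failure
#  - its next attempt falls inside the ban and is ignored
#  - 198.51.100.7 also fails 5 times, but 40 s apart, so never 5 inside 60 s
SAMPLE_LOG = """\
Wed Jul 11 12:00:00 2007 [pid 4123] CONNECT: Client "192.0.2.10"
Wed Jul 11 12:00:01 2007 [pid 4123] [anonymous] FAIL LOGIN: Client "192.0.2.10"
Wed Jul 11 12:00:05 2007 [pid 4123] [admin] FAIL LOGIN: Client "192.0.2.10"
Wed Jul 11 12:00:05 2007 [pid 4130] [peter] OK LOGIN: Client "203.0.113.5"
Wed Jul 11 12:00:12 2007 [pid 4123] [root] FAIL LOGIN: Client "192.0.2.10"
Wed Jul 11 12:00:20 2007 [pid 4123] [test] FAIL LOGIN: Client "192.0.2.10"
Wed Jul 11 12:00:33 2007 [pid 4123] [ftp] FAIL LOGIN: Client "192.0.2.10"
Wed Jul 11 12:01:00 2007 [pid 4140] [guest] FAIL LOGIN: Client "192.0.2.10"
Wed Jul 11 12:02:00 2007 [pid 4150] [alice] FAIL LOGIN: Client "198.51.100.7"
Wed Jul 11 12:02:40 2007 [pid 4151] [bob] FAIL LOGIN: Client "198.51.100.7"
Wed Jul 11 12:03:20 2007 [pid 4152] [carol] FAIL LOGIN: Client "198.51.100.7"
Wed Jul 11 12:04:00 2007 [pid 4153] [dave] FAIL LOGIN: Client "198.51.100.7"
Wed Jul 11 12:04:40 2007 [pid 4154] [erin] FAIL LOGIN: Client "198.51.100.7"
""".splitlines()


def parse_failure(line):
    """Return (timestamp, host) for a FAIL LOGIN line, or None for anything else."""
    m = FAIL_LOGIN.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group('ts'), '%a %b %d %H:%M:%S %Y')
    return ts, m.group('host')


def scan(lines, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Replay log lines and return the bans issued as (ban_time, host, unban_time)."""
    recent = defaultdict(deque)   # host -> timestamps of failures inside the window
    banned_until = {}             # host -> time the ban expires
    bans = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue              # connects, successful logins and noise do not count
        ts, host = parsed
        if host in banned_until:
            if ts < banned_until[host]:
                continue          # still banned: iptables would have dropped this packet
            del banned_until[host]   # bantime elapsed; start counting afresh
        window = recent[host]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            until = ts + timedelta(seconds=bantime)
            banned_until[host] = until
            bans.append((ts, host, until))
            window.clear()
    return bans


def banned_hosts(lines, **settings):
    """Convenience wrapper: just the set of addresses that would be banned."""
    return {host for _, host, _ in scan(lines, **settings)}


def ban_command(host, name='VSFTPD'):
    """Shape of the rule the iptables action inserts for a banned address.

    Assumption: mirrors the actionban line of fail2ban 0.8's action.d/iptables.conf
    (per-jail chain fail2ban-<name>); verify against the file on your system.
    """
    return 'iptables -I fail2ban-%s 1 -s %s -j DROP' % (name, host)


if __name__ == '__main__':
    for ban_time, host, until in scan(SAMPLE_LOG):
        print('%s ban %s until %s: %s' % (ban_time, host, until, ban_command(host)))
```

Running it bans only 192.0.2.10 (at 12:00:33, until 12:30:33); the slow host 198.51.100.7 never accumulates 5 failures inside 60 seconds. Calling scan(SAMPLE_LOG, findtime=600) with the 10-minute default shows the trade-off of the shorter window: then the slow host is banned as well.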

You can watch what fail2ban is doing, or debug your configuration, by increasing the log level in fail2ban.conf and following the fail2ban logfile:

less +F /var/log/fail2ban.log

Happy banning!

Environment:

You need Python 2.4 and iptables installed, and should use syslog-ng as system logger.



© 2014 Novell