How to enable mod_ban for ProFTPD in CentOS with DirectAdmin

How to enable mod_ban for proftpd in CentOS with DirectAdmin

Subject: Brute-Force Attack detected in service log from IP(s) 222.186.59.104 on User(s) admin, forums, perak, perakorg, [email protected] Today at 21:03
A brute force attack has been detected in one of your service logs.

IP 222.186.59.104 has 2975 failed login attempts: proftpd1=2859&proftpd2=114&proftpd3=2
User admin has 10034 failed login attempts: dovecot1=917&exim1=120&exim2=989&proftpd2=8008
User forums has 33136 failed login attempts: proftpd1=33136
User perak has 45184 failed login attempts: proftpd1=45184
User perakorg has 37478 failed login attempts: proftpd1=37478
User [email protected] has 5351 failed login attempts: exim2=122&proftpd1=5229

Check ‘Admin Level -> Brute Force Monitor’ for more information
http://help.directadmin.com/item.php?id=404

When you see this service log from your Linux Machine, you will hate it, and you will hate them. I hate this too, so I have to install mod_ban for proftpd to slow down their brute-force attack.

First I have to modify the custombuild in DirectAdmin and recompile it again

[[email protected]:~ ] $ vi /usr/local/directadmin/custombuild/configure/proftpd/configure.proftpd

Edit the file add the –enable-ctrls –with-modules=mod_ban

#!/bin/sh
install_user=ftp \
install_group=ftp \
./configure \
--prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var/run \
--mandir=/usr/share/man \
--without-pam \
--disable-auth-pam \
--enable-nls \
--with-modules=mod_ratio:mod_readme:mod_tls \
--enable-ctrls --with-modules=mod_ban
LDFLAGS=-static

Then compile it again

cd /usr/local/directadmin/custombuild
./build clean
./build proftpd

After recompile, you can see the mod_ban.c and mod_ctrls.c

[[email protected]:/usr/local/directadmin/custombuild ] $ proftpd -l
Compiled-in modules:
mod_core.c
mod_xfer.c
mod_auth_unix.c
mod_auth_file.c
mod_auth.c
mod_ls.c
mod_log.c
mod_site.c
mod_delay.c
mod_facts.c
mod_ident.c
mod_ban.c
mod_cap.c
mod_ctrls.c
mod_lang.c

So, we need to add the config to the /etc/proftpd.conf

[[email protected]:~ ] $ vi /etc/proftpd.conf

Paste like this into the /etc/proftpd.conf

<IfModule mod_ctrls.c>
    ControlsEngine        on
    ControlsACLs          all allow group root
    ControlsMaxClients    2
    ControlsLog           /var/log/proftpd/controls.log
    ControlsInterval      5
    ControlsSocket        /var/run/proftpd.sock
    ControlsSocketOwner   root root
    ControlsSocketACL     allow group root
  </IfModule>

  MaxLoginAttempts 1

  <IfModule mod_ban.c>
    BanEngine on
    BanLog /var/log/proftpd/ban.log
    BanTable /var/db/proftpd/ban.tab

    # If the same client reaches the MaxLoginAttempts limit 2 times
    # within 10 minutes, automatically add a ban for that client that
    # will expire after one hour.
    BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00

    # Allow the FTP admin to manually add/remove bans
    BanControlsACLs all allow user root
  </IfModule>

After that set some path and files.

[[email protected]:/var/db ] $ mkdir /var/db/proftpd/
[[email protected]:/var/db ] $ touch /var/db/proftpd/ban.tab
[[email protected]:/var ] $ service proftpd restart
Shutting down proftpd: [ OK ]
Starting proftpd: [ OK ]

Feels that they are start working

tail /var/log/proftpd/ban.log

Mar 23 20:27:01 mod_ban/0.5.5[30104]: obtained shmid 3899394 for BanTable '/var/db/proftpd/ban.tab'
Mar 23 20:27:08 mod_ban/0.5.5[30128]: obtained shmid 3932162 for BanTable '/var/db/proftpd/ban.tab'
Mar 23 20:29:29 mod_ban/0.5.5[30650]: added ban event for MaxLoginAttempts
Mar 23 20:29:29 mod_ban/0.5.5[30651]: added MaxLoginAttempts-triggered autoban for host '222.186.59.104'
Mar 23 20:29:29 mod_ban/0.5.5[30651]: MaxLoginAttempts autoban threshold reached, ending session
Mar 23 20:29:29 mod_ban/0.5.5[30654]: login from host '222.186.59.104' denied due to host ban
Mar 23 20:29:29 mod_ban/0.5.5[30655]: login from host '222.186.59.104' denied due to host ban
Mar 23 20:32:22 mod_ban/0.5.5[31163]: obtained shmid 3964930 for BanTable '/var/db/proftpd/ban.tab'
Mar 23 20:33:39 mod_ban/0.5.5[31437]: added ban event for MaxLoginAttempts
Mar 23 20:33:41 mod_ban/0.5.5[31438]: added MaxLoginAttempts-triggered autoban for host '113.232.65.112'
Mar 23 20:33:41 mod_ban/0.5.5[31438]: MaxLoginAttempts autoban threshold reached, ending session
Mar 23 20:33:42 mod_ban/0.5.5[31456]: login from host '113.232.65.112' denied due to host ban
Mar 23 20:33:59 mod_ban/0.5.5[31528]: obtained shmid 3997698 for BanTable '/var/db/proftpd/ban.tab'
Mar 23 20:34:09 mod_ban/0.5.5[31583]: obtained shmid 4030466 for BanTable '/var/db/proftpd/ban.tab'

Mar 23 20:27:08 server proftpd[30129]: 210.5.45.243 - ProFTPD 1.3.3e (maint) (built Fri Mar 23 2012 20:18:46 MYT) standalone mode STARTUP
Mar 23 20:29:28 server proftpd[30650]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - FTP session opened.
Mar 23 20:29:28 server proftpd[30651]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - FTP session opened.
Mar 23 20:29:29 server proftpd[30650]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - FTP session closed.
Mar 23 20:29:29 server proftpd[30651]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - FTP session closed.
Mar 23 20:29:29 server proftpd[30654]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - mod_ban/0.5.5: Login denied: host '222.186.59.104' banned
Mar 23 20:29:29 server proftpd[30654]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - mod_ban.c: error initializing session: Permission denied
Mar 23 20:29:29 server proftpd[30654]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - FTP session closed.
Mar 23 20:29:29 server proftpd[30655]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - mod_ban/0.5.5: Login denied: host '222.186.59.104' banned
Mar 23 20:29:29 server proftpd[30655]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - mod_ban.c: error initializing session: Permission denied
Mar 23 20:29:29 server proftpd[30655]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - FTP session closed.

Try to check is the ftpdctl is working or not.

[[email protected]:/var/run ] $ ftpdctl -s /var/run/proftpd.sock -v
ftpdctl: contacting server using '/var/run/proftpd.sock'
ftpdctl: sending control request
ftpdctl: receiving control response
ftpdctl: error receiving response: Operation not permitted

[[email protected]:/var/run ] $ ftpdctl ban info
ftpdctl: No bans
[[email protected]:/var/run ] $ ftpdctl ban host gw.evil.com
ftpdctl: host gw.evil.com banned
[[email protected]:/var/run ] $ ftpdctl ban info
ftpdctl: Banned Hosts:
ftpdctl: 210.5.45.243

Finally, all will be fine.

Some of them may search for:

Stopping Brute Force Attacks,
how to stop brute force attack to proftpd,
Block Brute Force Attacks Against proftpd,
how to install mod_ban for Proftpd,
how to install mod_ban,
proftpd brute-force attack,
Preventing Brute Force Attacks,
Stopping Brute Force Attacks,
use mod_ban to stop brute force,