How to enable mod_ban for ProFTPD in CentOS with DirectAdmin

March 23, 2012 / By Justin Soo / Linux, Security

Subject: Brute-Force Attack detected in service log from IP(s) 222.186.59.104 on User(s) admin, forums, perak, perakorg, [email protected] Today at 21:03
A brute force attack has been detected in one of your service logs.

IP 222.186.59.104 has 2975 failed login attempts: proftpd1=2859&proftpd2=114&proftpd3=2
User admin has 10034 failed login attempts: dovecot1=917&exim1=120&exim2=989&proftpd2=8008
User forums has 33136 failed login attempts: proftpd1=33136
User perak has 45184 failed login attempts: proftpd1=45184
User perakorg has 37478 failed login attempts: proftpd1=37478
User [email protected] has 5351 failed login attempts: exim2=122&proftpd1=5229

Check ‘Admin Level -> Brute Force Monitor’ for more information
http://help.directadmin.com/item.php?id=404


When you see this notice from your Linux machine, you will hate it, and you will hate them. I hate it too, so I had to install mod_ban for ProFTPD to slow down their brute-force attacks.

First I have to modify the ProFTPD configure script in DirectAdmin's custombuild and recompile ProFTPD:

[[email protected]:~ ] $ vi /usr/local/directadmin/custombuild/configure/proftpd/configure.proftpd

Edit the file to add --enable-ctrls, and append mod_ban to the existing --with-modules list:

#!/bin/sh
# configure keeps only the last --with-modules value, so mod_ban is appended
# to the existing list instead of being passed in a second --with-modules.
install_user=ftp \
install_group=ftp \
./configure \
--prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var/run \
--mandir=/usr/share/man \
--without-pam \
--disable-auth-pam \
--enable-nls \
--with-modules=mod_ratio:mod_readme:mod_tls:mod_ban \
--enable-ctrls \
LDFLAGS=-static

Then recompile:

cd /usr/local/directadmin/custombuild
./build clean
./build proftpd

After recompiling, `proftpd -l` should list mod_ban.c and mod_ctrls.c among the compiled-in modules:

[[email protected]:/usr/local/directadmin/custombuild ] $ proftpd -l
Compiled-in modules:
mod_core.c
mod_xfer.c
mod_auth_unix.c
mod_auth_file.c
mod_auth.c
mod_ls.c
mod_log.c
mod_site.c
mod_delay.c
mod_facts.c
mod_ident.c
mod_ban.c
mod_cap.c
mod_ctrls.c
mod_lang.c

Next, add the mod_ctrls and mod_ban configuration to /etc/proftpd.conf:

[[email protected]:~ ] $ vi /etc/proftpd.conf

Paste the following into /etc/proftpd.conf:

<IfModule mod_ctrls.c>
  ControlsEngine        on
  ControlsACLs          all allow group root
  ControlsMaxClients    2
  ControlsLog           /var/log/proftpd/controls.log
  ControlsInterval      5
  ControlsSocket        /var/run/proftpd.sock
  ControlsSocketOwner   root root
  ControlsSocketACL     allow group root
</IfModule>

# End the session after a single failed login; each time this limit is
# reached, a MaxLoginAttempts event is raised for BanOnEvent below.
MaxLoginAttempts 1

<IfModule mod_ban.c>
  BanEngine on
  BanLog /var/log/proftpd/ban.log
  BanTable /var/db/proftpd/ban.tab

  # If the same client reaches the MaxLoginAttempts limit 2 times
  # within 10 minutes, automatically add a ban for that client that
  # will expire after one hour.
  BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00

  # Allow the FTP admin to manually add/remove bans
  BanControlsACLs all allow user root
</IfModule>

After that, create the directory and file that BanTable points to, then restart ProFTPD.

[[email protected]:/var/db ] $ mkdir /var/db/proftpd/
[[email protected]:/var/db ] $ touch /var/db/proftpd/ban.tab
[[email protected]:/var ] $ service proftpd restart
Shutting down proftpd: [ OK ]
Starting proftpd: [ OK ]


It looks like the bans have started working:

tail /var/log/proftpd/ban.log

Mar 23 20:27:01 mod_ban/0.5.5[30104]: obtained shmid 3899394 for BanTable '/var/db/proftpd/ban.tab'
Mar 23 20:27:08 mod_ban/0.5.5[30128]: obtained shmid 3932162 for BanTable '/var/db/proftpd/ban.tab'
Mar 23 20:29:29 mod_ban/0.5.5[30650]: added ban event for MaxLoginAttempts
Mar 23 20:29:29 mod_ban/0.5.5[30651]: added MaxLoginAttempts-triggered autoban for host '222.186.59.104'
Mar 23 20:29:29 mod_ban/0.5.5[30651]: MaxLoginAttempts autoban threshold reached, ending session
Mar 23 20:29:29 mod_ban/0.5.5[30654]: login from host '222.186.59.104' denied due to host ban
Mar 23 20:29:29 mod_ban/0.5.5[30655]: login from host '222.186.59.104' denied due to host ban
Mar 23 20:32:22 mod_ban/0.5.5[31163]: obtained shmid 3964930 for BanTable '/var/db/proftpd/ban.tab'
Mar 23 20:33:39 mod_ban/0.5.5[31437]: added ban event for MaxLoginAttempts
Mar 23 20:33:41 mod_ban/0.5.5[31438]: added MaxLoginAttempts-triggered autoban for host '113.232.65.112'
Mar 23 20:33:41 mod_ban/0.5.5[31438]: MaxLoginAttempts autoban threshold reached, ending session
Mar 23 20:33:42 mod_ban/0.5.5[31456]: login from host '113.232.65.112' denied due to host ban
Mar 23 20:33:59 mod_ban/0.5.5[31528]: obtained shmid 3997698 for BanTable '/var/db/proftpd/ban.tab'
Mar 23 20:34:09 mod_ban/0.5.5[31583]: obtained shmid 4030466 for BanTable '/var/db/proftpd/ban.tab'

Mar 23 20:27:08 server proftpd[30129]: 210.5.45.243 - ProFTPD 1.3.3e (maint) (built Fri Mar 23 2012 20:18:46 MYT) standalone mode STARTUP
Mar 23 20:29:28 server proftpd[30650]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - FTP session opened.
Mar 23 20:29:28 server proftpd[30651]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - FTP session opened.
Mar 23 20:29:29 server proftpd[30650]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - FTP session closed.
Mar 23 20:29:29 server proftpd[30651]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - FTP session closed.
Mar 23 20:29:29 server proftpd[30654]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - mod_ban/0.5.5: Login denied: host '222.186.59.104' banned
Mar 23 20:29:29 server proftpd[30654]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - mod_ban.c: error initializing session: Permission denied
Mar 23 20:29:29 server proftpd[30654]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - FTP session closed.
Mar 23 20:29:29 server proftpd[30655]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - mod_ban/0.5.5: Login denied: host '222.186.59.104' banned
Mar 23 20:29:29 server proftpd[30655]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - mod_ban.c: error initializing session: Permission denied
Mar 23 20:29:29 server proftpd[30655]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - FTP session closed.
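
To see at a glance which hosts mod_ban has banned and how many logins it refused afterwards, ban.log lines in the format shown above can be summarised per host. This is an added example, not part of the original post; the function names are hypothetical and the sample lines are constructed, using documentation-range IP addresses.

```shell
#!/bin/sh
# Added example (not from the original post): summarise mod_ban activity.
# Reads ban.log lines on stdin; prints one line per banned or denied host.

summarize_ban_log() {
    # -F"'" splits on single quotes, so $2 is the quoted host in mod_ban lines.
    awk -F"'" '
    /-triggered autoban for host / {
        host = $2
        if (!(host in seen)) { seen[host] = 1; order[++n] = host }
        if (!(host in first)) first[host] = substr($1, 1, 15)  # syslog timestamp
        # Event name sits between "added " and "-triggered".
        if (match($1, /added [^ ]+-triggered/))
            event[host] = substr($1, RSTART + 6, RLENGTH - 16)
        bans[host]++
        next
    }
    /denied due to host ban/ {
        host = $2
        if (!(host in seen)) { seen[host] = 1; order[++n] = host }
        denied[host]++
    }
    END {
        for (i = 1; i <= n; i++) {
            h = order[i]
            ev = (h in event) ? event[h] : "-"
            fb = (h in first) ? first[h] : "-"
            printf "%s event=%s autobans=%d denied=%d first_ban=%s\n", h, ev, bans[h], denied[h], fb
        }
    }'
}

# Constructed sample lines in the ban.log format (not real log data).
sample_ban_log() {
    cat <<'EOF'
Mar 23 20:27:01 mod_ban/0.5.5[30104]: obtained shmid 3899394 for BanTable '/var/db/proftpd/ban.tab'
Mar 23 20:29:29 mod_ban/0.5.5[30650]: added ban event for MaxLoginAttempts
Mar 23 20:29:29 mod_ban/0.5.5[30651]: added MaxLoginAttempts-triggered autoban for host '192.0.2.10'
Mar 23 20:29:29 mod_ban/0.5.5[30651]: MaxLoginAttempts autoban threshold reached, ending session
Mar 23 20:29:29 mod_ban/0.5.5[30654]: login from host '192.0.2.10' denied due to host ban
Mar 23 20:29:30 mod_ban/0.5.5[30655]: login from host '192.0.2.10' denied due to host ban
Mar 23 20:33:41 mod_ban/0.5.5[31438]: added MaxLoginAttempts-triggered autoban for host '198.51.100.7'
Mar 23 20:33:42 mod_ban/0.5.5[31456]: login from host '198.51.100.7' denied due to host ban
EOF
}

sample_ban_log | summarize_ban_log
```

On the server, run it against the real log with `summarize_ban_log < /var/log/proftpd/ban.log`. A host whose denied count keeps climbing is still retrying during its one-hour ban.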

Check whether ftpdctl is working:

[[email protected]:/var/run ] $ ftpdctl -s /var/run/proftpd.sock -v
ftpdctl: contacting server using '/var/run/proftpd.sock'
ftpdctl: sending control request
ftpdctl: receiving control response
ftpdctl: error receiving response: Operation not permitted

[[email protected]:/var/run ] $ ftpdctl ban info
ftpdctl: No bans
[[email protected]:/var/run ] $ ftpdctl ban host gw.evil.com
ftpdctl: host gw.evil.com banned
[[email protected]:/var/run ] $ ftpdctl ban info
ftpdctl: Banned Hosts:
ftpdctl: 210.5.45.243

Finally, all will be fine.

 
