How to enable mod_ban for proftpd in CentOS with DirectAdmin
Subject: Brute-Force Attack detected in service log from IP(s) 222.186.59.104 on User(s) admin, forums, perak, perakorg, [email protected] Today at 21:03
A brute force attack has been detected in one of your service logs.
IP 222.186.59.104 has 2975 failed login attempts: proftpd1=2859&proftpd2=114&proftpd3=2
User admin has 10034 failed login attempts: dovecot1=917&exim1=120&exim2=989&proftpd2=8008
User forums has 33136 failed login attempts: proftpd1=33136
User perak has 45184 failed login attempts: proftpd1=45184
User perakorg has 37478 failed login attempts: proftpd1=37478
User [email protected] has 5351 failed login attempts: exim2=122&proftpd1=5229
Check 'Admin Level -> Brute Force Monitor' for more information
http://help.directadmin.com/item.php?id=404
When you see a notification like this from your Linux machine, you will hate it, and you will hate the attackers. I hate this too, so I installed mod_ban for proftpd to slow down their brute-force attacks.
First, modify the custombuild configure options for proftpd in DirectAdmin and recompile it:
[[email protected]:~ ] $ vi /usr/local/directadmin/custombuild/configure/proftpd/configure.proftpd
Edit the file: add --enable-ctrls and append mod_ban to the existing --with-modules list. Keep all modules in one --with-modules option; configure only keeps the last --with-modules value it is given, so a second one would silently drop mod_tls and the others.
#!/bin/sh
install_user=ftp \
install_group=ftp \
./configure \
--prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var/run \
--mandir=/usr/share/man \
--without-pam \
--disable-auth-pam \
--enable-nls \
--enable-ctrls \
--with-modules=mod_ratio:mod_readme:mod_tls:mod_ban \
LDFLAGS=-static
Then compile it again:
cd /usr/local/directadmin/custombuild
./build clean
./build proftpd
After the rebuild, proftpd -l lists mod_ban.c and mod_ctrls.c among the compiled-in modules:
[[email protected]:/usr/local/directadmin/custombuild ] $ proftpd -l
Compiled-in modules:
  mod_core.c
  mod_xfer.c
  mod_auth_unix.c
  mod_auth_file.c
  mod_auth.c
  mod_ls.c
  mod_log.c
  mod_site.c
  mod_delay.c
  mod_facts.c
  mod_ident.c
  mod_ban.c
  mod_cap.c
  mod_ctrls.c
  mod_lang.c
Next, add the mod_ctrls and mod_ban configuration to /etc/proftpd.conf:
[[email protected]:~ ] $ vi /etc/proftpd.conf
Paste this into /etc/proftpd.conf:
<IfModule mod_ctrls.c>
  ControlsEngine on
  ControlsACLs all allow group root
  ControlsMaxClients 2
  ControlsLog /var/log/proftpd/controls.log
  ControlsInterval 5
  ControlsSocket /var/run/proftpd.sock
  ControlsSocketOwner root root
  ControlsSocketACL allow group root
</IfModule>

# A session is dropped after a single failed login; each drop is one
# MaxLoginAttempts event for mod_ban.
MaxLoginAttempts 1

<IfModule mod_ban.c>
  BanEngine on
  BanLog /var/log/proftpd/ban.log
  BanTable /var/db/proftpd/ban.tab

  # If the same client reaches the MaxLoginAttempts limit 2 times
  # within 10 minutes, automatically add a ban for that client that
  # will expire after one hour.
  BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00

  # Allow the FTP admin to manually add/remove bans
  BanControlsACLs all allow user root
</IfModule>
After that, create the ban table directory and file, then restart proftpd:
[[email protected]:/var/db ] $ mkdir /var/db/proftpd/
[[email protected]:/var/db ] $ touch /var/db/proftpd/ban.tab
[[email protected]:/var ] $ service proftpd restart
Shutting down proftpd: [ OK ]
Starting proftpd: [ OK ]
The ban log shows that it has started working:
tail /var/log/proftpd/ban.log
Mar 23 20:27:01 mod_ban/0.5.5[30104]: obtained shmid 3899394 for BanTable '/var/db/proftpd/ban.tab'
Mar 23 20:27:08 mod_ban/0.5.5[30128]: obtained shmid 3932162 for BanTable '/var/db/proftpd/ban.tab'
Mar 23 20:29:29 mod_ban/0.5.5[30650]: added ban event for MaxLoginAttempts
Mar 23 20:29:29 mod_ban/0.5.5[30651]: added MaxLoginAttempts-triggered autoban for host '222.186.59.104'
Mar 23 20:29:29 mod_ban/0.5.5[30651]: MaxLoginAttempts autoban threshold reached, ending session
Mar 23 20:29:29 mod_ban/0.5.5[30654]: login from host '222.186.59.104' denied due to host ban
Mar 23 20:29:29 mod_ban/0.5.5[30655]: login from host '222.186.59.104' denied due to host ban
Mar 23 20:32:22 mod_ban/0.5.5[31163]: obtained shmid 3964930 for BanTable '/var/db/proftpd/ban.tab'
Mar 23 20:33:39 mod_ban/0.5.5[31437]: added ban event for MaxLoginAttempts
Mar 23 20:33:41 mod_ban/0.5.5[31438]: added MaxLoginAttempts-triggered autoban for host '113.232.65.112'
Mar 23 20:33:41 mod_ban/0.5.5[31438]: MaxLoginAttempts autoban threshold reached, ending session
Mar 23 20:33:42 mod_ban/0.5.5[31456]: login from host '113.232.65.112' denied due to host ban
Mar 23 20:33:59 mod_ban/0.5.5[31528]: obtained shmid 3997698 for BanTable '/var/db/proftpd/ban.tab'
Mar 23 20:34:09 mod_ban/0.5.5[31583]: obtained shmid 4030466 for BanTable '/var/db/proftpd/ban.tab'

The corresponding proftpd session log entries:
Mar 23 20:27:08 server proftpd[30129]: 210.5.45.243 - ProFTPD 1.3.3e (maint) (built Fri Mar 23 2012 20:18:46 MYT) standalone mode STARTUP
Mar 23 20:29:28 server proftpd[30650]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - FTP session opened.
Mar 23 20:29:28 server proftpd[30651]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - FTP session opened.
Mar 23 20:29:29 server proftpd[30650]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - FTP session closed.
Mar 23 20:29:29 server proftpd[30651]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - FTP session closed.
Mar 23 20:29:29 server proftpd[30654]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - mod_ban/0.5.5: Login denied: host '222.186.59.104' banned
Mar 23 20:29:29 server proftpd[30654]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - mod_ban.c: error initializing session: Permission denied
Mar 23 20:29:29 server proftpd[30654]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - FTP session closed.
Mar 23 20:29:29 server proftpd[30655]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - mod_ban/0.5.5: Login denied: host '222.186.59.104' banned
Mar 23 20:29:29 server proftpd[30655]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - mod_ban.c: error initializing session: Permission denied
Mar 23 20:29:29 server proftpd[30655]: 210.5.45.243 (222.186.59.104[222.186.59.104]) - FTP session closed.
Check whether ftpdctl can talk to the control socket and manage bans:
[[email protected]:/var/run ] $ ftpdctl -s /var/run/proftpd.sock -v
ftpdctl: contacting server using '/var/run/proftpd.sock'
ftpdctl: sending control request
ftpdctl: receiving control response
ftpdctl: error receiving response: Operation not permitted
[[email protected]:/var/run ] $ ftpdctl ban info
ftpdctl: No bans
[[email protected]:/var/run ] $ ftpdctl ban host gw.evil.com
ftpdctl: host gw.evil.com banned
[[email protected]:/var/run ] $ ftpdctl ban info
ftpdctl: Banned Hosts:
ftpdctl:   210.5.45.243
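To make the BanOnEvent line in the configuration above concrete, here is an added example of my own (a model of the rule, not mod_ban's code): it parses the 2/00:10:00 01:00:00 spec and replays constructed MaxLoginAttempts events through the sliding window, including the case from the ban log above where two sessions from 222.186.59.104 fail in the same second, and a host whose failures are spread too far apart to count together. The event timestamps are constructed, not taken from a real log.

```python
import re
from collections import defaultdict, deque

# Constructed model of the BanOnEvent rule in the proftpd.conf above (not mod_ban's own code):
#   BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00
# = 2 MaxLoginAttempts events from one host within 10 minutes -> ban that host for 1 hour.

def parse_hms(text):
    """'01:00:00' -> 3600 seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s

def parse_ban_on_event(line):
    """Parse a BanOnEvent directive into (event, max_count, window_s, duration_s)."""
    m = re.match(r"\s*BanOnEvent\s+(\S+)\s+(\d+)/(\S+)\s+(\S+)", line)
    if not m:
        raise ValueError("not a BanOnEvent directive: %r" % line)
    return m.group(1), int(m.group(2)), parse_hms(m.group(3)), parse_hms(m.group(4))

def is_banned(bans, host, now):
    """True while the host's ban has not yet expired."""
    return host in bans and now < bans[host]

def replay(spec_line, events):
    """Apply the rule to (seconds, host) events in the order the listener sees them.
    Returns (bans, triggered): bans maps host -> expiry time, triggered lists autobans in order."""
    _, max_count, window_s, duration_s = parse_ban_on_event(spec_line)
    recent = defaultdict(deque)   # host -> timestamps of events still inside the window
    bans, triggered = {}, []
    for now, host in events:
        if is_banned(bans, host, now):   # banned hosts are denied at login, so no new events
            continue
        q = recent[host]
        q.append(now)
        while now - q[0] > window_s:     # slide the window: forget events that are too old
            q.popleft()
        if len(q) >= max_count:
            bans[host] = now + duration_s
            triggered.append((host, bans[host]))
            q.clear()
    return bans, triggered

# Constructed sample, modelled on the ban.log above: two sessions from 222.186.59.104 fail in the
# same second (two events -> ban); 113.232.65.112 spreads three failures over 1000 seconds.
SAMPLE_EVENTS = [(0, "222.186.59.104"), (0, "222.186.59.104"),
                 (250, "113.232.65.112"), (900, "113.232.65.112"), (1000, "113.232.65.112")]

if __name__ == "__main__":
    print(replay("BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00", SAMPLE_EVENTS)[1])
```

The second host is banned only at its third failure: the first one (t=250) has already fallen out of the 10-minute window when the second arrives at t=900, so only the last two count.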
After that, everything should be fine.
Works great! The only downside is the server actually has to accept the connection to block it. The server was overloading with FTP requests. I went back to blocking the IP after 5 attempts, as iptables doesn't reply to the SYN request, which is a bit better IMHO.
Hi bro, when I use ./build proftpd it shows this error: "You cannot install ProFTPD, because you do not have it set in options.conf file." How can I fix this??? Thanks