Stopping Brute Force FTP login attacks?

[Vatoloco]

Without installing APF and BFD, what's a good way to stop these? I recently stopped the brute force attacks on SSH by changing the port. Is it possible to do something similar with FTP?

[eth00]

Yes if are using proftpd /etc/proftpd.conf has what you need. I am not sure where the pure-ftp config files are.

[Sinewy]

/etc/pure-ftpd.conf

haven't seen any bruteforce related options in there though.

[eth00]

/etc/pure-ftpd.conf

haven't seen any bruteforce related options in there though.

but you can change the port

[chirpy]

You can, of course, use BFD without APF and configure BFD to either put detected IP addresses in /etc/hosts.deny or directly into iptables.

You could also use PAM limits (depending on your OS) but that only applies to services using PAM which some (like proftpd) don't.

Without installing APF and BFD, what's a good way to stop these? I recently stopped the brute force attacks on SSH by changing the port. Is it possible to do something similar with FTP?

[Vatoloco]

Yes if are using proftpd /etc/proftpd.conf has what you need. I am not sure where the pure-ftp config files are.

proftpd is what I'm using. Does anyone know if changing the port is going to mess anything up? I've noticed in my logs there is a consistent login and timeout from 127.0.0.1. I'm guessing that's cpanel just checking to make sure the service is active. Will changing the port prevent that from working and thus cpanel will be constantly rebooting ftp?

[chirpy]

You could change the port chkservd uses in:

/etc/chkserv.d/proftpd

However, your next cPanel update could well overwrite the file. I've never been that much a fan of moving ports, though it does tend to avoid the skiddies, a hacker would obviously have no problems finding it.

[Vatoloco]

You could change the port chkservd uses in:

/etc/chkserv.d/proftpd

However, your next cPanel update could well overwrite the file. I've never been that much a fan of moving ports, though it does tend to avoid the skiddies, a hacker would obviously have no problems finding it.

Thanks!

One more question, is there a way to just disable it from checking ftp? I could care less if FTP is down for along time. I only use it a couple times a month and if it happens to me down at those times I could just restart it myself.

[LiNUxG0d]

Orrrr, if the abusers are coming off the same net all the time, and you're running "IP Tables", you can:

Example which bans a fictional /16:
iptables -A INPUT -p ALL -s 218.145.0.0/16 -j REJECT

Basically, all traffic on all protocols will be rejected to the machine in question.

This is how I got some hackers to stop bothering me.



Just some food for your thought,

- J

[chirpy]

Thanks!

One more question, is there a way to just disable it from checking ftp? I could care less if FTP is down for along time. I only use it a couple times a month and if it happens to me down at those times I could just restart it myself.

To disable it, you'd delete the file from /etc/chkservd/ and then restart chkservd. However, cPanel upgrades will most likely recreate it.

You might get away with disabling it in WHM > Service Manager > ftp daemon and just start and stop it manually. However, that may well have unforseen circumstances.