
Stopping Brute Force FTP login attacks?

Discussion in 'General Discussion' started by Vatoloco, Jan 13, 2005.

  1. Vatoloco

    Without installing APF and BFD, what's a good way to stop these? I recently stopped the brute force attacks on SSH by changing the port. Is it possible to do something similar with FTP?
     
  2. eth00

    Yes, if you are using proftpd, /etc/proftpd.conf has what you need. I am not sure where the pure-ftp config files are.
     
  3. Sinewy

    /etc/pure-ftpd.conf ;)

    Haven't seen any bruteforce-related options in there, though.
     
  4. eth00

    But you can change the port :)
     
  5. chirpy

    You can, of course, use BFD without APF and configure BFD to either put detected IP addresses in /etc/hosts.deny or directly into iptables.

    You could also use PAM limits (depending on your OS) but that only applies to services using PAM which some (like proftpd) don't.
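
A sketch of the scan-the-log-then-block approach described above for BFD, added here as an illustration; it is not BFD's code and not part of the original thread. The ProFTPD log line shape, the threshold of 5 and the sample addresses are assumptions, and loopback is allowlisted because of the local 127.0.0.1 service checks mentioned later in the thread.

```python
import ipaddress
import re
from collections import Counter

# Assumed ProFTPD syslog shape:
#   ... proftpd[pid]: server (client[ip]) - USER name (Login failed): ...
FAILED_LOGIN = re.compile(
    r"proftpd\[\d+\]: \S+ \([^\[\]]*\[(?P<ip>[^\]]+)\]\)"
    r".*(?:\(Login failed\)|no such user)"
)
THRESHOLD = 5  # assumed number of failures before an address is listed
ALLOWLIST = [ipaddress.ip_network("127.0.0.0/8")]  # local service checks

def offenders(lines, threshold=THRESHOLD):
    """Return {ip: failures} for client addresses at or above threshold."""
    counts = Counter()
    for line in lines:
        match = FAILED_LOGIN.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group("ip"))
        except ValueError:
            continue  # never pass an unparsable field on to a block list
        if any(ip in net for net in ALLOWLIST):
            continue
        counts[str(ip)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def hosts_deny_lines(found):
    return [f"ALL: {ip}" for ip in sorted(found)]

def iptables_rules(found):
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 21 -j DROP"
            for ip in sorted(found)]

def sample_log():
    """Constructed sample lines, not taken from a real server."""
    pre = "Jan 13 03:10:%02d web1 proftpd[%d]: web1.example.com "
    bad = pre + "(203.0.113.7[203.0.113.7]) - USER admin (Login failed): Incorrect password."
    probe = pre + "(localhost[127.0.0.1]) - USER probe: no such user found from localhost [127.0.0.1] to 127.0.0.1:21"
    once = pre + "(198.51.100.9[198.51.100.9]) - USER bob (Login failed): Incorrect password."
    return ([bad % (i, 4100 + i) for i in range(6)] + [once % (10, 4200)]
            + [probe % (i + 20, 4300 + i) for i in range(8)])

if __name__ == "__main__":
    hits = offenders(sample_log())
    print("\n".join(hosts_deny_lines(hits) + iptables_rules(hits)))
```

The script only prints candidate entries; review them before appending to /etc/hosts.deny or loading them into iptables.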

     
  6. Vatoloco

    proftpd is what I'm using. Does anyone know if changing the port is going to mess anything up? I've noticed in my logs there is a consistent login and timeout from 127.0.0.1. I'm guessing that's cPanel just checking to make sure the service is active. Will changing the port prevent that from working and thus cPanel will be constantly rebooting ftp?
     
  7. chirpy

    You could change the port chkservd uses in:

    /etc/chkserv.d/proftpd

    However, your next cPanel update could well overwrite the file. I've never been that much of a fan of moving ports; though it does tend to avoid the skiddies, a hacker would obviously have no problems finding it.
     
  8. Vatoloco

    Thanks!

    One more question: is there a way to just disable it from checking ftp? I could care less if FTP is down for a long time. I only use it a couple of times a month, and if it happens to be down at those times I could just restart it myself.
     
  9. LiNUxG0d

    Orrrr, if the abusers are coming off the same net all the time, and you're running "IP Tables", you can:

    Example which bans a fictional /16:
    iptables -A INPUT -p ALL -s 218.145.0.0/16 -j REJECT

    Basically, all traffic on all protocols will be rejected to the machine in question.

    This is how I got some hackers to stop bothering me.

    ;)

    Just some food for your thought,

    - J
     
  10. chirpy

    To disable it, you'd delete the file from /etc/chkservd/ and then restart chkservd. However, cPanel upgrades will most likely recreate it.

    You might get away with disabling it in WHM > Service Manager > ftp daemon and just start and stop it manually. However, that may well have unforeseen circumstances.
     