Stopping Brute Force FTP login attacks?

Vatoloco

Well-Known Member
Jun 21, 2004
99
0
166
Without installing APF and BFD, what's a good way to stop these? I recently stopped the brute force attacks on SSH by changing the port. Is it possible to do something similar with FTP?
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
13,448
31
473
Go on, have a guess
You can, of course, use BFD without APF and configure BFD to either put detected IP addresses in /etc/hosts.deny or directly into iptables.

You could also use PAM limits (depending on your OS) but that only applies to services using PAM which some (like proftpd) don't.

Vatoloco said:
Without installing APF and BFD, what's a good way to stop these? I recently stopped the brute force attacks on SSH by changing the port. Is it possible to do something similar with FTP?
 

Vatoloco

eth00 said:
Yes, if you are using proftpd, /etc/proftpd.conf has what you need. I am not sure where the pure-ftp config files are.
proftpd is what I'm using. Does anyone know if changing the port is going to mess anything up? I've noticed in my logs there is a consistent login and timeout from 127.0.0.1. I'm guessing that's cpanel just checking to make sure the service is active. Will changing the port prevent that from working and thus cpanel will be constantly rebooting ftp?
 

chirpy

You could change the port chkservd uses in:

/etc/chkserv.d/proftpd

However, your next cPanel update could well overwrite the file. I've never been that much of a fan of moving ports; though it does tend to avoid the skiddies, a hacker would obviously have no problems finding it.
 

Vatoloco

chirpy said:
You could change the port chkservd uses in:

/etc/chkserv.d/proftpd

However, your next cPanel update could well overwrite the file. I've never been that much of a fan of moving ports; though it does tend to avoid the skiddies, a hacker would obviously have no problems finding it.
Thanks!

One more question, is there a way to just disable it from checking ftp? I could care less if FTP is down for a long time. I only use it a couple times a month and if it happens to be down at those times I could just restart it myself.
 

LiNUxG0d

Well-Known Member
Jun 25, 2003
206
1
168
Gatineau, Quebec, Canada
Orrrr, if the abusers are coming off the same net all the time, and you're running "IP Tables", you can:

Example which bans a fictional /16:
iptables -A INPUT -p ALL -s 218.145.0.0/16 -j REJECT

Basically, all traffic on all protocols will be rejected to the machine in question.

This is how I got some hackers to stop bothering me.

;)

Just some food for your thought,

- J
 

chirpy

Vatoloco said:
Thanks!

One more question, is there a way to just disable it from checking ftp? I could care less if FTP is down for a long time. I only use it a couple times a month and if it happens to be down at those times I could just restart it myself.
To disable it, you'd delete the file from /etc/chkservd/ and then restart chkservd. However, cPanel upgrades will most likely recreate it.

You might get away with disabling it in WHM > Service Manager > ftp daemon and just start and stop it manually. However, that may well have unforeseen circumstances.
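
The log-driven blocking discussed in this thread (count failed FTP logins per address, then put the offenders into iptables) can be sketched as follows. This is an added example, not code from any poster or from BFD. It assumes proftpd writes syslog lines shaped like "proftpd[PID]: server (host[ip]) - message". The sample log, the user names in it and the threshold of 5 are constructed. Loopback is allowlisted because of the local service check from 127.0.0.1 mentioned above.

```python
import ipaddress
import re
from collections import Counter

# Assumed proftpd syslog shape: "proftpd[PID]: server (host[ip]) - message".
FAIL_RE = re.compile(
    r"proftpd\[\d+\]:?\s.*?\[(?P<ip>[\d.]+)\]\)\s.*(?:no such user found|Login failed)"
)
# Never block loopback: the thread notes a local service check connecting from 127.0.0.1.
ALLOW = [ipaddress.ip_network("127.0.0.0/8")]

def failed_logins(lines):
    """Count failed FTP logins per source IP."""
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        try:
            counts[ipaddress.ip_address(m.group("ip"))] += 1
        except ValueError:
            pass  # malformed address in the log line, ignore it
    return counts

def offenders(lines, threshold=5, allow=ALLOW):
    """Return sorted IPs with at least `threshold` failures, minus allowlisted networks."""
    return sorted(
        ip for ip, n in failed_logins(lines).items()
        if n >= threshold and not any(ip in net for net in allow)
    )

def block_rules(ips, port=21):
    """Render per-host iptables rules scoped to the FTP control port (printed, not run)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]

def _line(sec, ip, msg):
    return f"Jun 21 04:10:{sec:02d} web1 proftpd[2101]: web1 ({ip}[{ip}]) - {msg}"

# Constructed sample log (documentation address ranges), not taken from the thread.
SAMPLE_LOG = (
    [_line(s, "203.0.113.7", "USER admin (Login failed): Incorrect password.") for s in range(6)]
    + [_line(s, "198.51.100.20", "USER bob (Login failed): Incorrect password.") for s in range(2)]
    + [_line(s, "127.0.0.1", "USER cpcheck: no such user found from 127.0.0.1 [127.0.0.1] to 127.0.0.1:21") for s in range(8)]
    + [_line(30, "203.0.113.7", "FTP session closed.")]
)

if __name__ == "__main__":
    for rule in block_rules(offenders(SAMPLE_LOG)):
        print(rule)
```

Blocking a single address on port 21 is narrower than rejecting a whole /16 on all protocols, which limits the damage if an address is flagged by mistake.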