# Blocking IPs from vsftp? Solved

## Hydraulix

In my vsftp.log I'm seeing this...

```
Tue Apr 25 02:45:43 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:45:46 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:45:49 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:45:51 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:45:54 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:45:56 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:45:59 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:02 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:04 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:07 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:10 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:12 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:14 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:17 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:19 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:22 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:25 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:27 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:30 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:33 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:35 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:37 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:40 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:43 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:46 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:48 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:51 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:53 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:56 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:59 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:02 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:05 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:07 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:10 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:13 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:16 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:18 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:21 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:24 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:27 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:29 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:32 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:34 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:37 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:40 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:42 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:45 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:48 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:51 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:53 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:56 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:59 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:02 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:05 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:07 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:10 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:13 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:16 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:19 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:22 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:24 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:27 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:30 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:33 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:36 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:39 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:42 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:45 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:47 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:50 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:53 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:55 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:59 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:01 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:04 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:07 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:10 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:13 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:16 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:19 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:22 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:24 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:27 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:30 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:33 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:36 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:38 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:41 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:43 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:46 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:49 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
```

Now I have denyhosts running to block SSH attempts. But how would I configure it to block FTP attempts?

----------

## wjholden

After checking man 5 vsftpd.conf, I'm afraid VSFTPD doesn't contain a native method for blocking hosts. I would recommend reporting the offending IP address to your ISP and blocking it through a firewall such as iptables.

----------

## Hydraulix

 *destuxor wrote:*   

> After checking man 5 vsftpd.conf, I'm afraid VSFTPD doesn't contain a native method for blocking hosts. I would recommend reporting the offending IP address to your ISP and blocking it through a firewall such as iptables.

 

Hmm. I'll check out iptables. Is there a script where I can just add an IP to block it using iptables?

----------

## expat_iain

```
#!/bin/bash

# insert a DROP rule at position 1 of the INPUT chain, so it is evaluated
# before any existing ACCEPT rules for the FTP port
iptables -I INPUT 1 -s 61.9.150.64 -j DROP
```
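The one-liner above is exactly what is needed for a single address typed by hand. As soon as the same command is run repeatedly, from cron or from a script that reads addresses out of a log, it also wants input validation, an allowlist and a check that the rule is not already present. The following is an added example written for this page, not code from expat_iain's post or from the iptables project; the `run` callable (any function with `subprocess.run`'s signature), the `FakeIptables` stand-in, the `allowlist` argument and the `/sbin/iptables` path are this example's own assumptions.

```python
"""Added example, not code from the thread: insert an iptables DROP rule for one
source address, with input validation, an allowlist and an idempotency check so
it is safe to call repeatedly from a log-watching script or cron job.

Assumptions made here, not by expat_iain's post: `run` is any callable with
subprocess.run's signature (the default really calls iptables; FakeIptables is
a stand-in for dry runs and tests), and `allowlist` is an in-memory set of
hosts or CIDR networks that must never be blocked.
"""
import ipaddress
import subprocess

IPTABLES = "/sbin/iptables"


def validate_ipv4(value):
    """Canonical dotted quad for a single IPv4 host, or None.

    A string taken from a log must never reach iptables unparsed: hostnames,
    CIDR ranges, IPv6 and anything containing shell metacharacters are rejected.
    """
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    return str(addr) if addr.version == 4 else None


def is_allowlisted(ip, allowlist):
    """True if ip falls inside any host or network listed in allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in allowlist)


def block_ip(value, allowlist=(), run=subprocess.run):
    """Insert `-I INPUT 1 -s <ip> -j DROP` unless that rule already exists.

    Returns "blocked", "already-blocked", "allowlisted" or "invalid".
    """
    ip = validate_ipv4(value)
    if ip is None:
        return "invalid"
    if is_allowlisted(ip, allowlist):
        return "allowlisted"
    rule = ["-s", ip, "-j", "DROP"]
    # -C exits 0 when an identical rule is already present (iptables >= 1.4.11);
    # without this check every cron run would add another copy of the rule.
    if run([IPTABLES, "-C", "INPUT"] + rule, capture_output=True).returncode == 0:
        return "already-blocked"
    # argv list, never a shell string, so the address is not shell-interpreted
    run([IPTABLES, "-I", "INPUT", "1"] + rule, check=True)
    return "blocked"


class FakeIptables:
    """Stand-in for subprocess.run that records calls and simulates -C / -I
    against an in-memory rule set, for dry runs and tests."""

    def __init__(self, existing=()):
        self.existing = set(existing)
        self.calls = []

    def __call__(self, argv, **kwargs):
        self.calls.append(list(argv))
        ip = argv[argv.index("-s") + 1]
        if argv[1] == "-C":
            return subprocess.CompletedProcess(argv, 0 if ip in self.existing else 1)
        self.existing.add(ip)
        return subprocess.CompletedProcess(argv, 0)


if __name__ == "__main__":
    import sys
    runner = FakeIptables() if "--dry-run" in sys.argv else subprocess.run
    for arg in [a for a in sys.argv[1:] if a != "--dry-run"]:
        print(arg, block_ip(arg, allowlist={"127.0.0.0/8"}, run=runner))
```

Run as root with the addresses to block as arguments (`--dry-run` swaps in the fake and only reports what would happen). The return value distinguishes the four outcomes so a caller that loops over log-derived addresses can log "already-blocked" quietly instead of treating every repeat as an error.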

----------

## wjholden

How do you like this? I felt like coding something, so I wrote a program to run through the logfile and block people with too many failed logins. If you like it, save it to block.pl (or whatever), "chmod u+x block.pl", and then "./block.pl" to execute. You could then put it in your cron daemon if you really like it.

Have fun. If you find any bugs or want an extra feature tell me and I'll see what I can do.

```
#!/usr/bin/perl -w
# destuxor (wjholden@gmail.com) - 4/26/2006
# A simple script to go through a VSFTPD log and block people who have
# unsuccessfully attempted to log in.
use strict;

#configuration options:
my $logfilename = 'testlogfile.txt'; # location of your logfile.
my $allow_exceptions = 0; # if you wish to specify a file to put exceptions into,
                          # say 1 here, otherwise put 0.
my $exception_file = '';  # if you said 1 above, put your filename here.
my $max_failures = 50;    # maximum number of failures someone can have before
                          # getting blocked.
#end of configuration options

# Pull the client address out of every FAIL LOGIN line and count per address.
# 'sort' before 'uniq -c' is required: uniq only merges *adjacent* duplicates, so
# an attacker whose attempts interleave with other clients would otherwise be
# split into several small counts and never reach $max_failures.
my $command = 'grep \'FAIL LOGIN\' '.$logfilename.' | sed -r \'s/^.*Client "//\' | sed -r \'s/"//\' | sort | uniq -c';
my @connected_ips = `$command`;

my %noblock;
my @exceptions;
if ($allow_exceptions == 1) {
    open (FH, $exception_file) or die "$!\n";
    @exceptions = <FH>;
    close (FH);
}
foreach my $ip (@exceptions) {
    chomp $ip;              # strip the newline, or the hash key never matches
    $noblock{$ip} = 1;
}

foreach my $host (@connected_ips) {
    # uniq -c output looks like "     91 61.9.150.64": blanks, count, address
    my @info = split(/\s+/, $host);
    my ($count, $ip) = ($info[1], $info[2]);
    # only ever hand a well-formed dotted quad to iptables
    next unless defined $ip and $ip =~ /^\d{1,3}(\.\d{1,3}){3}$/;
    if ($count > $max_failures and !$noblock{$ip}) {
        # skip addresses that already have a DROP rule, so repeated cron runs do
        # not pile up duplicate rules (-C needs iptables >= 1.4.11)
        next if system('iptables', '-C', 'INPUT', '-s', $ip, '-j', 'DROP') == 0;
        # list form of system() bypasses the shell, so $ip is never shell-interpreted
        system('iptables', '-I', 'INPUT', '1', '-s', $ip, '-j', 'DROP');
    }
}
```

----------

## Hydraulix

 *destuxor wrote:*   

> How do you like this? I felt like coding something, so I wrote a program to run through the logfile and block people with too many failed logins. If you like it, save it to block.pl (or whatever), "chmod u+x block.pl", and then "./block.pl" to execute. You could then put it in your cron daemon if you really like it.
> 
> Have fun. If you find any bugs or want an extra feature tell me and I'll see what I can do.
> 
> ```
> ...
> ```

 

Very nice!! I'll have to give this a shot when I get home. 

Thanks!  :Smile: 

----------

## wjholden

I just hope it works...I have had "xferlog_std_format=YES" in my VSFTPD configuration for a year and a half. Too late to change now  :Sad: 

Plus I don't have IP Tables installed on this box. What I'm trying to say is, that code hasn't been tested much (it compiles, it runs, it should work), so if you run into any problems at all I'll be glad to work on it.

----------

## Hydraulix

 *destuxor wrote:*   

> I just hope it works...I have had "xferlog_std_format=YES" in my VSFTPD configuration for a year and a half. Too late to change now 
> 
> Plus I don't have IP Tables installed on this box. What I'm trying to say is, that code hasn't been tested much (it compiles, it runs, it should work), so if you run into any problems at all I'll be glad to work on it.

 

I finally got around to trying your script. When I run it, it just hangs. Any idea?

Never mind, I installed fail2ban and that seems to work. Thanks again for the help.  :Very Happy: 

----------

## JROCK2004

Is there a different way than iptables?

----------

## Growlizing

Could you post your failregex for fail2ban please? Would be very much appreciated  :Smile: 

----------

## zendmaster

I know this is an older thread, but I was just working on this.  I had trouble getting fail2ban to work for vsftpd. Thought I would post how I got it to work since I couldn't find it in these forums.

First I had to go into my kernel configuration and turn on iptables.  That was the easy part.  The hard part was finding a failregex for vsftpd.  I finally found one that worked.  It is:

```
failregex = \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$
```

Hope this helps others. I should also mention that this is fail2ban-0.6.2-r1

I tried 0.7.6-r1, but I found it would only monitor vsftpd and email a warning.  It didn't ban the IP.  The earlier version works to ban the IP.

----------

## TauRush

I was looking for a script to stop those ftp attacks some time ago and finally found this forum.

Although I am not using Gentoo (but Fedora) I gave the script of destuxor a try.

After fixing some small issues and adding a permanent banlist, I have it working at home and at the office for some time now.

I am running the script every 2 minutes through a cronjob, to keep the number of attacks small and so that my logfiles don't overflow.

Thanks to destuxor for the initial setup of the script.

Here is my adjusted script for all to use.

```
#!/usr/bin/perl -w
# destuxor (wjholden@gmail.com) - 4/26/2006
# TauRush (snakesandarrows@gmail.com) - 3/17/2007
# A simple script to go through a VSFTPD log and block people who have
# unsuccessfully attempted to log in.
use strict;

#configuration options:
my $logfilename = '/var/log/vsftpd/vsftpd.log'; # location of your logfile.
my $allow_exceptions = 1; # if you wish to specify a file to put exceptions into,
                          # say 1 here, otherwise put 0.
my $exception_file = '/var/log/vsftpd/banned.log';  # if you said 1 above, put your filename here.
                          # Every address that gets banned is appended to this same
                          # file, so on the next run it is skipped and no duplicate
                          # iptables rule is inserted.
my $max_failures = 5;     # maximum number of failures someone can have before
                          # getting blocked.
#end of configuration options

# 'sort' before 'uniq -c' is required: uniq only merges adjacent lines, so attempts
# interleaved with other clients were otherwise split into several small counts.
my $command = 'grep \'FAIL LOGIN\' '.$logfilename.' | sed -r \'s/^.*Client "//\' | sed -r \'s/"//\' | sort | uniq -c';
my @connected_ips = `$command`;

my %noblock;
my @exceptions;
# the banned.log file does not exist before the first ban, so do not die on it
if ($allow_exceptions == 1 and -e $exception_file) {
    open (FH, $exception_file) or die "$!\n";
    @exceptions = <FH>;
    close (FH);
}
foreach my $ip (@exceptions) {
# Added by TauRush to chop LF character (chomp only removes a trailing newline;
# chop would also eat the last digit of a final line that has none)
    chomp ($ip);
    $noblock{$ip} = 1;
}

foreach my $host (@connected_ips) {
    # uniq -c output looks like "      6 61.9.150.64": blanks, count, address
    my @info = split(/\s+/, $host);
    my ($count, $ip) = ($info[1], $info[2]);
    # only ever hand a well-formed dotted quad to iptables
    next unless defined $ip and $ip =~ /^\d{1,3}(\.\d{1,3}){3}$/;
    if ($count > $max_failures and !$noblock{$ip}) {
        # list form of system() bypasses the shell, so $ip is never shell-interpreted
        system('/sbin/iptables', '-I', 'INPUT', '1', '-s', $ip, '-j', 'DROP');
# 3 lines added by TauRush to create banned.log file
        open FILE,">>$exception_file" or die "Unable to open file!\n";
        print FILE "$ip\n";
        close FILE;
    }
}
```

----------

## wjholden

So I was googling my own name and ran across this. If anyone is using this script it may be useful to see what others have done with it:

http://ubuntuforums.org/archive/index.php/t-428806.html.

http://www.nslu2-linux.org/wiki/HowTo/SetupIPBlockingOnVSFTPD

----------

## jeffrehley

I added a bit to ban failed login attempts as well...

```
#!/usr/bin/perl -w
# destuxor (wjholden@gmail.com) - 4/26/2006
# TauRush (snakesandarrows@gmail.com) - 3/17/2007
# jeffrehley (jeffrehley@hotmail.com) - 5/21/2010 - look for failed attempts in auth.log as well
# A simple script to go through a VSFTPD log and block people who have
# unsuccessfully attempted to log in.
use strict;

#configuration options:
my $logfilename1 = '/var/log/vsftpd.log'; # location of ftp logfile.
my $logfilename2 = '/var/log/auth.log';   # location of auth logfile.
my $allow_exceptions = 1; # if you wish to specify a file to put exceptions into,
                          # say 1 here, otherwise put 0.
my $exception_file = '/var/log/banned.log';  # if you said 1 above, put your filename here.
                          # (also receives every banned address, so it is skipped next run)
my $max_failures = 5;     # maximum number of failures someone can have before
                          # getting blocked.
#end of configuration options

# Each pipeline prints "<count> <address>" lines. 'sort' before 'uniq -c' is
# required because uniq only merges adjacent duplicates.
# vsftpd: FAIL LOGIN lines, the address is the quoted Client value
my $command1 = 'grep \'FAIL LOGIN\' '.$logfilename1.' | sed -r \'s/^.*Client "//\' | sed -r \'s/"//\' | sort | uniq -c';
# sshd, traditional "Mon DD HH:MM:SS host sshd[pid]: ..." syslog prefix (three colons
# before the message, so 'cut -f 4 -d:' yields the message itself):
#   "Failed password for invalid user NAME from ADDR port ..." -> address is field 8
my $command2 = 'grep \'Failed password for invalid user\' '.$logfilename2.' | cut -f 4 -d: | awk \'{print $8}\' | sort | uniq -c';
#   "Failed password for root from ADDR port ..." -> address is field 6
my $command3 = 'grep \'Failed password for root\' '.$logfilename2.' | cut -f 4 -d: | awk \'{print $6}\' | sort | uniq -c';

my @connected_ips = (`$command1`, `$command2`, `$command3`);
#print @connected_ips;

my %noblock;
my @exceptions;
# the banned.log file does not exist before the first ban, so do not die on it
if ($allow_exceptions == 1 and -e $exception_file) {
    open (FH, $exception_file) or die "$!\n";
    @exceptions = <FH>;
    close (FH);
}
foreach my $ip (@exceptions) {
# Added by TauRush to chop LF character (chomp only removes a trailing newline)
    chomp ($ip);
    $noblock{$ip} = 1;
}

foreach my $host (@connected_ips) {
    # uniq -c output looks like "      6 61.9.150.64": blanks, count, address
    my @info = split(/\s+/, $host);
    my ($count, $ip) = ($info[1], $info[2]);
    # only ever hand a well-formed dotted quad to iptables
    next unless defined $ip and $ip =~ /^\d{1,3}(\.\d{1,3}){3}$/;
    if ($count > $max_failures and !$noblock{$ip}) {
        # list form of system() bypasses the shell, so $ip is never shell-interpreted
        system('iptables', '-I', 'INPUT', '1', '-s', $ip, '-j', 'DROP');
# 3 lines added by TauRush to create banned.log file
        open FILE,">>$exception_file" or die "Unable to open file!\n";
        print FILE "$ip\n";
        close FILE;
        $noblock{$ip} = 1;   # the same address may appear in more than one list above
    }
}
```
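The three Perl scripts in this thread and zendmaster's fail2ban failregex all do the same job: pull the client address out of each failed-login line, count per address and ban above a threshold. Below is an added example, written for this page and not code from the thread or from fail2ban, that does the same in Python so the failregex can be exercised exactly as fail2ban applies it (it is a Python regular expression). It goes beyond the scripts above in one respect: failures are counted inside a sliding time window, the way fail2ban's findtime/maxretry work, so a slow trickle of failures spread over hours is not banned, while counting per address in a dictionary avoids the adjacent-only behaviour of `uniq -c`. The sample log lines, the sshd pattern, the 2006 default year for syslog lines and the `/sbin/iptables` path are this example's own assumptions.

```python
"""Added example, not code from the thread: count failed logins per source
address from vsftpd and sshd log lines and decide which addresses to ban, the
way the Perl scripts above and fail2ban do.  Assumptions made here, not by the
thread: the sample lines are constructed; the vsftpd pattern is zendmaster's
failregex, the sshd pattern is this example's own; the time window (fail2ban's
findtime) is a generalisation the Perl scripts do not have; nothing is applied
to iptables, ban_command() only builds the argv the scripts pass to system().
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# vsftpd's own log format (xferlog_std_format=NO): ctime-style stamp, then the
# part zendmaster's failregex matches.
VSFTPD_LINE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<rest>.*)$")
VSFTPD_FAIL = re.compile(r'\[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$')
# Traditional syslog auth.log line; a regex instead of awk field numbers, which
# differ between the "invalid user NAME" and "root" variants.
SYSLOG_LINE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<rest>.*)$")
SSHD_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+")


def parse_line(line, default_year=2006):
    """(timestamp, ipv4) for a failed-login line from either log, else None.
    default_year fills in the year syslog omits (2006 matches the thread)."""
    line = line.rstrip("\n")
    m = VSFTPD_LINE.match(line)
    if m:
        fail = VSFTPD_FAIL.search(m.group("rest"))
        stamp = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    else:
        m = SYSLOG_LINE.match(line)
        if not m:
            return None
        fail = SSHD_FAIL.search(m.group("rest"))
        stamp = datetime.strptime("%d %s" % (default_year, m.group("ts")), "%Y %b %d %H:%M:%S")
    if not fail:
        return None
    try:
        addr = ipaddress.ip_address(fail.group("host"))  # never trust the field unparsed
    except ValueError:
        return None
    if addr.version != 4:  # an IPv6 peer would need ip6tables, out of scope here
        return None
    return stamp, str(addr)


def offenders(lines, maxretry=5, findtime=600, ignore=()):
    """Sorted addresses with at least maxretry failures inside one findtime-second
    window (fail2ban's maxretry/findtime), skipping the ignore networks.
    Per-address counting in a dict is immune to attempts interleaving with
    other clients, unlike 'uniq -c' on an unsorted stream."""
    window_len = timedelta(seconds=findtime)
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignore]
    stamps = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            stamps[parsed[1]].append(parsed[0])
    banned = []
    for ip, times in stamps.items():
        if any(ipaddress.ip_address(ip) in net for net in ignored):
            continue
        window = deque()
        for t in sorted(times):  # order is not guaranteed across two files
            window.append(t)
            while t - window[0] > window_len:
                window.popleft()
            if len(window) >= maxretry:
                banned.append(ip)
                break
    return sorted(banned)


def ban_command(ip):
    """argv for the rule the thread's scripts insert; a list, so no shell is involved."""
    return ["/sbin/iptables", "-I", "INPUT", "1", "-s", str(ipaddress.ip_address(ip)), "-j", "DROP"]


# Constructed sample: a vsftpd.log burst interleaved with a legitimate client,
# then auth.log lines with one fast sshd burst and one slow one.
SAMPLE_LINES = """\
Tue Apr 25 02:45:43 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:45:44 2006 [pid 20071] [jdoe] FAIL LOGIN: Client "10.0.0.5"
Tue Apr 25 02:45:46 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:45:49 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:45:50 2006 [pid 20073] [jdoe] OK LOGIN: Client "10.0.0.5"
Tue Apr 25 02:45:51 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:45:54 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Apr 25 02:50:01 ftphost sshd[22101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Apr 25 02:50:03 ftphost sshd[22103]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Apr 25 02:50:05 ftphost sshd[22105]: Failed password for root from 203.0.113.7 port 40141 ssh2
Apr 25 02:50:07 ftphost sshd[22107]: Failed password for root from 203.0.113.7 port 40150 ssh2
Apr 25 02:50:09 ftphost sshd[22109]: Failed password for root from 203.0.113.7 port 40161 ssh2
Apr 25 01:00:00 ftphost sshd[21001]: Failed password for root from 198.51.100.9 port 50001 ssh2
Apr 25 01:30:00 ftphost sshd[21002]: Failed password for root from 198.51.100.9 port 50002 ssh2
Apr 25 02:00:00 ftphost sshd[21003]: Failed password for root from 198.51.100.9 port 50003 ssh2
Apr 25 02:30:00 ftphost sshd[21004]: Failed password for root from 198.51.100.9 port 50004 ssh2
Apr 25 03:00:00 ftphost sshd[21005]: Failed password for root from 198.51.100.9 port 50005 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip in offenders(SAMPLE_LINES, ignore={"10.0.0.0/8"}):
        print(" ".join(ban_command(ip)))
```

On the sample, 61.9.150.64 (five failures in eleven seconds) and 203.0.113.7 (five in eight seconds) are reported; 10.0.0.5 has a single failure followed by a successful login, and 198.51.100.9 has five failures half an hour apart, which never co-occur inside the default ten-minute window. Widening `findtime` to three hours catches the slow one too, which is the trade-off the two parameters express. To apply the result, pass each address to a block routine that checks for an existing rule first, since the same offenders will be reported again on the next run as long as the log lines are still there.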

----------

