# [pure-ftpd] being brute forced

## Bio

Hello all,

So I have a pure-ftpd server that's been running for a few weeks, and I noticed an increase in brute force attacks over the last few days. I experienced such attacks on my SSH server, which I was able to secure with the denyhosts package and some sshd_config tweaking.

I'm wondering how I can protect my FTP server the same way I did SSH. Is there any built-in feature in pure-ftpd, or can I use the denyhosts package?

I tried with denyhosts while I was being brute forced, but nothing happened. In fact syslog-ng logged the FTP stuff in an ftp.log file. As my denyhosts.conf reads, denyhosts will look at the auth.log file, so I changed my syslog destination for FTP to write its logs into auth.log. I then restarted both syslog and denyhosts, but the brute force attack kept happening. Am I missing something?

Relevant parts of my denyhosts.conf:

```
SECURE_LOG = /var/log/syslog-ng/auth.log
HOSTS_DENY = /etc/hosts.deny
BLOCK_SERVICE = ALL
```

and my syslog-ng.conf:

```
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

# destination path must be absolute
destination ftp { file("/var/log/syslog-ng/auth.log"); };

filter f_ftp { level(info..warn) and facility(ftp); };

log { source(src); filter(f_ftp); destination(ftp); };
```

----------

## n3bul4

I am not sure if you can do this with the denyhost package.

Maybe you should think about portsentry or another IDS.

regards.

----------

## vaguy02

I think fail2ban (in portage) can do brute force protection against ftp.

Robert

----------

## Bio

OK so I emerged fail2ban and tried to configure it.

Here's my jail.conf section regarding pure-ftpd:

```
[pure-ftpd-iptables]
enabled  = true
filter   = pure-ftpd
# ban by writing to /etc/hosts.deny, then mail a whois report
action   = hostsdeny[file=/etc/hosts.deny]
           mail-whois[name=Pure-FTPD, dest=myemail@myprovider.com]
logpath  = /var/log/syslog-ng/ftp.log
maxretry = 5
```

my action.d/hostsdeny.conf and filter.d/pure-ftpd.conf are untouched.

I launch fail2ban via the init.d script, and shortly after I receive an email:

```
Hi,

The IP 221.215.127.171 has just been banned by Fail2Ban after
50 attempts against Pure-FTPD.
```

grep 221.215.127.171 /etc/hosts.deny returns the following:

```
ALL: 221.215.127.171
```

But doing a tail -f /var/log/syslog-ng/ftp.log shows that the brute force is still going on:

```
Oct 15 20:13:42 localhost pure-ftpd: (?@221.215.127.171) [INFO] New connection from 221.215.127.171
Oct 15 20:13:44 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:13:49 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:13:58 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:14:09 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:14:24 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:14:43 localhost pure-ftpd: (?@221.215.127.171) [INFO] New connection from 221.215.127.171
Oct 15 20:14:44 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:14:49 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:14:56 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:15:06 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:15:21 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
```

Am I missing something? I'm totally new to fail2ban, btw. :p

----------

## vaguy02

I use fail2ban to add iptables rules; I've never used it to add to hosts.deny. Some applications don't check against hosts.deny, from what I've heard. That may be wrong, that may be right, not sure, just what I've heard.

If you already have iptables on that box, I would suggest just using fail2ban to write iptables rules.

Robert

----------

## Cyker

Blocking stuff with hosts.deny only works if they have tcpwrappers support. :(

I think if you run them through inetd or xinetd, that would also work, though...?

I personally use SEC with custom rules...
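To make the point of the last three replies concrete, here is an added example (not from the thread, and not fail2ban's or pure-ftpd's own code): a small Python model of what the jail above does. It applies a failregex for pure-ftpd's "Authentication failed" lines, counts failures per source address in a sliding findtime window with the jail's maxretry, and then renders both ban actions side by side: the hosts.deny line the hostsdeny action writes, and the iptables rule the iptables action would insert. The log lines are constructed; the ones for 221.215.127.171 mirror the ones quoted above, and the other two hosts are made up to exercise the not-banned paths. The regex, window logic and helper names are this example's own assumptions, not fail2ban's shipped filter.d/pure-ftpd.conf.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in the format pure-ftpd emits through syslog.
# 203.0.113.5 fails five times but 11 minutes apart (outside a 10-minute
# window); 221.215.127.171 is the burst from the thread; 198.51.100.7 fails
# only twice.
SAMPLE_LOG = """\
Oct 15 19:20:00 localhost pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [root]
Oct 15 19:31:00 localhost pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [root]
Oct 15 19:42:00 localhost pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [root]
Oct 15 19:53:00 localhost pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [root]
Oct 15 20:04:00 localhost pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [root]
Oct 15 20:13:42 localhost pure-ftpd: (?@221.215.127.171) [INFO] New connection from 221.215.127.171
Oct 15 20:13:44 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:13:49 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:13:58 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:14:09 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:14:24 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:14:43 localhost pure-ftpd: (?@221.215.127.171) [INFO] New connection from 221.215.127.171
Oct 15 20:14:44 localhost pure-ftpd: (?@221.215.127.171) [WARNING] Authentication failed for user [Administrator]
Oct 15 20:15:00 localhost pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [anonymous]
Oct 15 20:15:03 localhost pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [anonymous]
"""

# Assumed failregex (this example's own, not fail2ban's shipped filter):
# the "(user@host)" field carries "?" for the user before login succeeds.
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pure-ftpd: "
    r"\([^@)]*@(?P<host>[0-9.]+)\) \[WARNING\] Authentication failed for user \[[^\]]*\]$"
)


def parse_failures(log_text):
    """Return [(datetime, raw_timestamp, host)] for every failed login line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue  # INFO lines (new connection etc.) are not failures
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine because only differences between timestamps are used below.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        failures.append((ts, m.group("ts"), m.group("host")))
    return failures


def find_bans(log_text, maxretry=5, findtime=600):
    """Return {host: raw timestamp of the failure that triggered the ban}.

    Models a fail2ban jail: a host is banned once it accumulates maxretry
    failures inside a sliding window of findtime seconds. Each host is banned
    at most once here (a real jail re-arms after bantime expires).
    """
    window = defaultdict(deque)
    banned = {}
    for ts, raw, host in parse_failures(log_text):
        if host in banned:
            continue
        q = window[host]
        q.append(ts)
        while (ts - q[0]) > timedelta(seconds=findtime):
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= maxretry:
            banned[host] = raw
    return banned


def hostsdeny_entry(host):
    """The line the hostsdeny action appends to /etc/hosts.deny. It is only
    honoured by daemons with tcp_wrappers support (libwrap, or running under
    tcpd/xinetd); the log in the thread shows this pure-ftpd ignoring it."""
    return f"ALL: {host}"


def iptables_ban_rule(host, port=21):
    """The equivalent of the iptables action: a DROP rule enforced by the
    kernel before the daemon ever sees the packet, so it works for any service."""
    return ["iptables", "-I", "INPUT", "-p", "tcp", "--dport", str(port),
            "-s", host, "-j", "DROP"]


if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LOG).items():
        print(f"{when}: ban {host}")
        print("  hosts.deny line (ineffective without tcp_wrappers):", hostsdeny_entry(host))
        print("  iptables rule:", " ".join(iptables_ban_rule(host)))
```

Run against the constructed log, only 221.215.127.171 gets banned with the defaults; raising findtime to an hour also catches the slow 203.0.113.5 attempt, which is the knob to turn for low-and-slow guessing. In fail2ban terms the fix the replies converge on is to replace the jail's `hostsdeny[...]` line with the stock `iptables[name=pure-ftpd, port=ftp, protocol=tcp]` action, and to set `findtime` and `bantime` in the jail explicitly.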

----------

