# Denyhosts with proftpd and postfix?

## mad93

I've been hacked recently, so now I'm installing my box again and I'm a bit paranoid about security.

In sshd I've disabled root access and I've installed denyhosts for the brute force attacks.

Now I want to reinstall my mail server, following http://www.gentoo.org/doc/en/virt-mail-howto.xml, and set up the proftpd server again. Also I want to say that I have squirrelmail for viewing the mail.

So the 'problem' that I see is that for all three things, counting proftpd, postfix and squirrelmail, when you log into them you use the same password as in the sshd server, so can't they also use a brute force attack on these services?

My question is if I can add something similar to denyhosts for ssh in the other three cases: after x attempts, deny access to the service for that host.

I don't know if it is possible; I haven't found info about this (searching for denyhosts) :S

----------

## Zepp

Sorry, not familiar with postfix/proftpd, but for ssh I recommend you move it to a port other than 22 and change authorization to use public/private key pairs. This will eliminate pretty much all the scripted brute force attacks on ssh.

----------

## mad93

On IRC they've suggested that I use iptables with the IPTables/Netfilter Recent Module.

I don't know anything about iptables, so I'll have to study it a bit :S

----------

## Zepp

The iptables part shouldn't be too bad; I imagine the tricky/creative bit will be figuring out how to block hosts after so many failed login attempts. You might have to monitor the logs or something :S

----------

## simeli

I too have denyhosts running alongside sshd, proftpd and postfix. However, it does not seem to honor the entries of proftpd in /var/log/messages.

There seems to be a mechanism to teach denyhosts to understand this (from the FAQ page):

> Can I supply additional regular expressions to DenyHosts?
> 
> Yes. New in v1.1.5, DenyHosts adds the ability for the user to specify additional regular expressions that can be used to locate possible break-in attempts. The USERDEF_FAILED_ENTRY_REGEX can be specified repeatedly. Each value must contain a single regular expression that includes a host regular expression group and optionally a user group. It is assumed that the end user is familiar with regular expressions in order to take advantage of this feature.
> 
> Examples:
> ...

Anyone have an idea what the regex would be to lock out ftp kiddies?

I have entries such as this:

```
Jan 21 03:06:34 horus proftpd[15369]: horus (85.214.36.248[85.214.36.248]) - mod_delay/0.5: delaying for 57 usecs
Jan 21 03:06:34 horus proftpd[15369]: horus (85.214.36.248[85.214.36.248]) - no such user 'dino'
Jan 21 03:06:34 horus proftpd[15369]: horus (85.214.36.248[85.214.36.248]) - USER dino: no such user found from 85.214.36.248 [85.214.36.248] to 84.73.56.109:21
Jan 21 03:06:34 horus proftpd[15369]: horus (85.214.36.248[85.214.36.248]) - Maximum login attempts (3) exceeded
Jan 21 03:06:34 horus proftpd[15369]: horus (85.214.36.248[85.214.36.248]) - FTP session closed.
Jan 21 03:06:34 horus proftpd[15370]: horus (85.214.36.248[85.214.36.248]) - FTP session opened.
Jan 21 03:06:34 horus proftpd[15370]: horus (85.214.36.248[85.214.36.248]) - no such user 'dino'
Jan 21 03:06:34 horus proftpd[15370]: horus (85.214.36.248[85.214.36.248]) - USER dino: no such user found from 85.214.36.248 [85.214.36.248] to 84.73.56.109:21
Jan 21 03:06:34 horus proftpd[15370]: horus (85.214.36.248[85.214.36.248]) - mod_delay/0.5: delaying for 3 usecs
Jan 21 03:06:34 horus proftpd[15370]: horus (85.214.36.248[85.214.36.248]) - no such user 'dino'
Jan 21 03:06:34 horus proftpd[15370]: horus (85.214.36.248[85.214.36.248]) - USER dino: no such user found from 85.214.36.248 [85.214.36.248] to 84.73.56.109:21
Jan 21 03:06:34 horus proftpd[15370]: horus (85.214.36.248[85.214.36.248]) - mod_delay/0.5: delaying for 16 usecs
Jan 21 03:06:34 horus proftpd[15370]: horus (85.214.36.248[85.214.36.248]) - no such user 'dino'
Jan 21 03:06:34 horus proftpd[15370]: horus (85.214.36.248[85.214.36.248]) - USER dino: no such user found from 85.214.36.248 [85.214.36.248] to 84.73.56.109:21
Jan 21 03:06:34 horus proftpd[15370]: horus (85.214.36.248[85.214.36.248]) - Maximum login attempts (3) exceeded
Jan 21 03:06:34 horus proftpd[15370]: horus (85.214.36.248[85.214.36.248]) - FTP session closed.
Jan 21 03:06:34 horus proftpd[15371]: horus (85.214.36.248[85.214.36.248]) - FTP session opened.
Jan 21 03:06:34 horus proftpd[15371]: horus (85.214.36.248[85.214.36.248]) - no such user 'dino'
Jan 21 03:06:34 horus proftpd[15371]: horus (85.214.36.248[85.214.36.248]) - USER dino: no such user found from 85.214.36.248 [85.214.36.248] to 84.73.56.109:21
```

Any help would be greatly appreciated.
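An added example, not from the thread, of what such user-defined patterns can look like and how they behave on the entries quoted above. It assumes DenyHosts' convention of named groups `host` and (optionally) `user` in a USERDEF_FAILED_ENTRY_REGEX value; the sample log is constructed from the post's own lines plus one made-up successful login from a documentation-range address.

```python
import re
from collections import Counter

# Candidate patterns for DenyHosts' USERDEF_FAILED_ENTRY_REGEX (one value per line in
# its config file). The host group is taken from the "(ip[ip])" prefix proftpd writes,
# so the second pattern works even though that message names no user.
NO_SUCH_USER_RE = re.compile(
    r"proftpd\[\d+\]: \S+ \((?P<host>[^\[\s]+)\[[^\]]*\]\) - "
    r"USER (?P<user>\S+): no such user found from"
)
MAX_ATTEMPTS_RE = re.compile(
    r"proftpd\[\d+\]: \S+ \((?P<host>[^\[\s]+)\[[^\]]*\]\) - "
    r"Maximum login attempts \(\d+\) exceeded"
)
FAILED_FTP_REGEXES = [NO_SUCH_USER_RE, MAX_ATTEMPTS_RE]

# Constructed sample: three lines taken from the post, one made-up success (192.0.2.10).
SAMPLE_LOG = """\
Jan 21 03:06:34 horus proftpd[15369]: horus (85.214.36.248[85.214.36.248]) - no such user 'dino'
Jan 21 03:06:34 horus proftpd[15369]: horus (85.214.36.248[85.214.36.248]) - USER dino: no such user found from 85.214.36.248 [85.214.36.248] to 84.73.56.109:21
Jan 21 03:06:34 horus proftpd[15369]: horus (85.214.36.248[85.214.36.248]) - Maximum login attempts (3) exceeded
Jan 21 03:06:34 horus proftpd[15370]: horus (85.214.36.248[85.214.36.248]) - USER dino: no such user found from 85.214.36.248 [85.214.36.248] to 84.73.56.109:21
Jan 21 03:06:35 horus proftpd[15372]: horus (192.0.2.10[192.0.2.10]) - USER alice: Login successful.
"""


def match_failed_login(line):
    """Return (host, user) for a failed-login line (user is None when the pattern
    has no user group), or None when the line is not a failure we care about."""
    for rx in FAILED_FTP_REGEXES:
        m = rx.search(line)
        if m:
            return m.group("host"), m.groupdict().get("user")
    return None


def failures_per_host(log_text):
    """Count matching failure lines per source host, as DenyHosts would tally them."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = match_failed_login(line)
        if hit:
            counts[hit[0]] += 1
    return counts


def hosts_to_deny(log_text, threshold=3):
    """Hosts that reached the threshold; these are what would end up in hosts.deny."""
    return sorted(h for h, n in failures_per_host(log_text).items() if n >= threshold)


if __name__ == "__main__":
    print(failures_per_host(SAMPLE_LOG))   # Counter({'85.214.36.248': 3})
    print(hosts_to_deny(SAMPLE_LOG))       # ['85.214.36.248']
```

Note that the plain "no such user 'dino'" line is deliberately not matched, so each failed attempt is counted once via its "USER ...: no such user found" line; the "Maximum login attempts" line adds one more hit for the session proftpd itself already cut off.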

----------

## thoughtform

I'm looking to do this for proftpd as well.

Did you have any success?

----------

## Philippe23

With regard to proftpd, check out its mod_ban module.

http://www.castaglia.org/proftpd/modules/mod_ban.html

It works for me.

----------

