If you have an FTP or SSH server exposed to the internet on a static IP, you may face brute force attacks against it. In this article, we will learn how to secure an FTP or SSH server from brute force attacks.
How will you come to know that your server is under attack?
If you check /var/log/auth or /var/log/secure you may see entries like the ones below:
Apr 20 09:10:40 ftp sshd: Failed password for illegal user ing from <IP> port 56499 ssh2
Apr 20 09:10:42 ftp sshd: Illegal user ing from <IP>
Apr 20 09:10:42 ftp sshd: Failed password for illegal user ing from <IP> port 56663 ssh2
Apr 20 09:10:46 ftp sshd: Failed password for illegal user rocky from <IP> port 56989 ssh2
Apr 20 09:10:48 ftp sshd: Illegal user elis from <IP>
Apr 20 09:10:48 ftp sshd: Failed password for illegal user elis from <IP> port 57153 ssh2
Apr 20 09:10:50 ftp sshd: Illegal user kiw from <IP>
Apr 20 09:10:50 ftp sshd: Failed password for illegal user kiw from <IP> port 57328 ssh2
Apr 20 09:10:51 ftp sshd: Illegal user kiwi from <IP>
Apr 20 09:10:51 ftp sshd: Failed password for illegal user kiwi from <IP> port 57470 ssh2
Apr 20 09:10:53 ftp sshd: Illegal user mick from <IP>
Apr 20 09:10:53 ftp sshd: Failed password for illegal user mick from <IP> port 57646 ssh2
Apr 20 09:10:55 ftp sshd: Illegal user mick from <IP>
Apr 20 09:10:55 ftp sshd: Failed password for illegal user mick from <IP> port 57810 ssh2
If entries like the above are present, your server is under a brute force attack.
Here <IP> represents the attacker’s IP. Often this IP changes or is dynamic.
In the above example, an attacker has run a brute force script against the server, which tries to log in with common usernames and common passwords. If this happens many times within a short period, it can also affect server or network performance.
To avoid this we must have a system in place which tracks login failures and, if they occur from the same IP n times, blocks that IP for a predefined period.
We can achieve this by using Fail2Ban.
1. Download Fail2Ban from the URL below
2. Install it using “rpm -ivh fail2ban-0.8.4-23.el5.noarch.rpm”
3. Configuring Fail2Ban
Configuration folder: /etc/fail2ban
Important configuration files: jail.conf & fail2ban.conf
Actions are defined under the “action.d” folder
Filters are defined under the “filter.d” folder
Do the configuration below in /etc/fail2ban/jail.conf to block brute force attacks on a vsftpd server.
Search for [vsftpd]
Change the directives below:
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
maxretry = 3
bantime = 300
Please note that here Fail2ban will monitor /var/log/vsftpd.log for authentication failure logs.
maxretry: it allows 3 login attempts. If the 3rd attempt fails, it will block the IP.
Restart Fail2Ban: /etc/init.d/fail2ban restart
Check /var/log/fail2ban.log. You should be able to see:
……….Jail ‘vsftpd’ started
………. Jail ‘ssh’ started
4. Now try fake failed login attempts on this FTP server from a remote machine. When the 3rd attempt fails, it will automatically block the IP, and in fail2ban.log you will see the entry below:
2011-04-27 14:07:40,124 fail2ban.actions: WARNING [vsftpd] Ban <IP>
5. Fail2Ban also works with SSH, SFTP, FTP, Apache, vsftpd, proftpd, etc.
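As an added illustration, not code from this article or from the Fail2Ban project, here is a small Python tracker that applies the maxretry/bantime rule described above to sshd log lines in the format shown at the top of the page. The findtime window, the year (syslog lines carry none) and the addresses 192.0.2.10 and 198.51.100.7 are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Matches the sshd lines shown in the article; <IP> becomes a constructed address
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd: Failed password for "
    r"(?:illegal user )?\S+ from (?P<ip>\S+) port \d+")

class BanTracker:
    # Applies fail2ban-style maxretry/findtime/bantime rules for one jail
    def __init__(self, maxretry=3, findtime=600, bantime=300, year=2011):
        self.maxretry, self.year = maxretry, year   # syslog lines omit the year
        self.findtime, self.bantime = timedelta(seconds=findtime), timedelta(seconds=bantime)
        self.failures = {}   # ip -> timestamps of failures inside findtime
        self.banned = {}     # ip -> time at which the ban expires
        self.events = []     # (time, "Ban" | "Unban", ip), as fail2ban.log reports

    def feed(self, line):
        m = FAILED_RE.match(line)
        if not m:            # "Illegal user ..." lines are not counted
            return
        ts = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        for b, until in list(self.banned.items()):   # fail2ban unbans on a timer;
            if ts >= until:                           # here expiry is checked as
                del self.banned[b]                    # each new line arrives
                self.events.append((ts, "Unban", b))
        if ip in self.banned:    # a firewall drop would stop these reaching sshd
            return
        recent = [t for t in self.failures.get(ip, []) if ts - t <= self.findtime] + [ts]
        self.failures[ip] = recent
        if len(recent) >= self.maxretry:
            self.banned[ip], self.failures[ip] = ts + self.bantime, []
            self.events.append((ts, "Ban", ip))

# Constructed sample in the article's format, using documentation-range addresses
SAMPLE_LOG = """\
Apr 20 09:10:40 ftp sshd: Failed password for illegal user ing from 192.0.2.10 port 56499 ssh2
Apr 20 09:10:42 ftp sshd: Illegal user ing from 192.0.2.10
Apr 20 09:10:42 ftp sshd: Failed password for illegal user ing from 192.0.2.10 port 56663 ssh2
Apr 20 09:10:46 ftp sshd: Failed password for illegal user rocky from 192.0.2.10 port 56989 ssh2
Apr 20 09:11:00 ftp sshd: Failed password for illegal user admin from 198.51.100.7 port 40001 ssh2
Apr 20 09:15:50 ftp sshd: Failed password for illegal user kiwi from 192.0.2.10 port 57470 ssh2
"""

def simulate(log=SAMPLE_LOG, **cfg):
    tracker = BanTracker(**cfg)
    for line in log.splitlines():
        tracker.feed(line)
    return tracker.events
```

With the article's maxretry = 3 and bantime = 300, the sample produces a Ban for 192.0.2.10 at the third failure (09:10:46) and an Unban once 300 seconds have passed, while the single failure from 198.51.100.7 is never banned.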