Blocking countries and ftp : mod_geoip could be a solution?

ViAdCk (Verified User, joined Feb 14, 2005, 300 messages)
Hello,

I am looking for an efficient way of blocking all FTP access to our servers, except from one country. I know this can be done with CSF but I'm afraid this will have a huge performance impact on our servers. After doing some research I stumbled upon this information from ProFTPD: http://www.proftpd.org/docs/contrib/mod_geoip.html

- Has anyone had any experience compiling mod_geoip into ProFTPD?
- If yes, did it have any noticeable performance impact?

Maybe someone else has an alternative? It's just starting to get very annoying with worldwide bots trying to upload infected files through ftp and sometimes even having success through compromised accounts.

Thanks for your time!

Regards
 
Hello,

We don't use CSF for blocking countries and don't use GeoIP. Though some of our customers have servers where they block countries with the help of CSF.

As an alternative we disable FTP(S) and use SFTP on a custom port, it is built on ProFTPd+mod_sftp. The help pages on help.directadmin.com have a guide for it.
 
Hi,

I can see the benefit of running FTP on a non-standard port, this should stop most of the automated attacks.

But what if they access the custom port with your customers' credentials? They will still be able to upload infected files even though you're using SFTP.

Regards
 
If they have username/password they can connect to SFTP if they use a client which supports SFTP; you cannot connect to SFTP with a client which does not support SFTP.
 
Most popular ftp clients like filezilla support sftp if I'm correct? I don't see how sftp could be beneficial in this case where a user account password has been compromised and used to upload files (be it ftp, ftps or sftp)
 
Correct, FileZilla supports SFTP. You did not mention the case "they already have your credentials" in your initial post. So I did not suggest SFTP as a way of protection in this case.

I did not see bots trying to brute-force SFTP on a custom port, and did not see bots trying to upload malware over SFTP on a custom port either. That's the case.
 
It doesn't happen that often, but sometimes user credentials get hacked (you know the deal, insecure os, insecure ftp programs etc.) and hackers access directly with the user credentials to the ftp account and upload malicious files. These kind of malicious access never happen from our country, that's why we're thinking of an effective way to block ftp access to the rest of the world.

Changing the FTP port is also an option, but this would mean having all our clients change their FTP programs, which will cause a lot of support requests.

I appreciate your input!
 
Hardly any hackers manually access FTP... it would take too much time for them to connect to each host. They use automated solutions and bots to upload malware. Sure, if someone attacks one specific site they can connect to FTP manually. But why do they need FTP at all?

If they have access to a site's public html directory (using a vulnerability in a CMS) over HTTP/HTTPS and can read files, it would mean they can

1. write into files, and create their own files.
2. upload files with curl/wget/fetch/fread/etc.

so blocking FTP does not change much.
 
Well, in that case you can grant access to port 21 to only one country; as Alex suggests, use CSF:

CC_ALLOW_PORTS = "US" (or place the country code you need instead)
CC_ALLOW_PORTS_TCP = "21"
CC_ALLOW_PORTS_UDP = "21"

An example would be to list port 21 here and remove it from TCP_IN/UDP_IN,
then only countries listed in CC_ALLOW_PORTS can access FTP.
 
> Hardly any hackers manually access FTP... it would take too much time for them to connect to each host. They use automated solutions and bots to upload malware. Sure, if someone attacks one specific site they can connect to FTP manually. But why do they need FTP at all?
>
> If they have access to a site's public html directory (using a vulnerability in a CMS) over HTTP/HTTPS and can read files, it would mean they can
>
> 1. write into files, and create their own files.
> 2. upload files with curl/wget/fetch/fread/etc.
>
> so blocking FTP does not change much.

Well, this happened on one of our servers last night. A PHP file gets uploaded through FTP, afterwards this PHP file gets accessed through the website in order to install some additional scripts and run them (bitcoin miner). In this case, this user has no insecure CMS, so this wouldn't have happened if FTP access hadn't been compromised in the first place.

I know that nowadays most of the hacks come through insecure cms, but these kind of ftp shenanigans are still happening too!
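As an added example (not from the thread), one way to spot the pattern described in this post, a PHP file arriving over FTP from an address you would not expect, by reading ProFTPD's xferlog; the trusted networks and the log records are constructed.

```python
"""Flag PHP files uploaded over FTP from outside a trusted network (added,
constructed example, not from the thread): parses xferlog records as written
by ProFTPD and reports completed uploads of PHP files into a public_html tree
from client addresses outside the operator's trusted networks, which stand in
here for "our own country's IP space"."""
import ipaddress

# Constructed stand-in for the operator's own country ranges.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]
WEB_EXEC_SUFFIXES = (".php", ".phtml", ".php5", ".phar")

def parse_xferlog(line):
    """Return the xferlog(5) fields we need, or None if the record is malformed.
    Fields: 5 date tokens, xfer-time, remote-host, size, filename, type, special,
    direction, access-mode, user, service, auth-method, auth-uid, completion. A
    filename containing spaces shifts the fields, so such a line is rejected."""
    t = line.split()
    if len(t) != 18:
        return None
    return {"host": t[6], "path": t[8], "direction": t[11], "user": t[13], "status": t[17]}

def is_trusted(host):
    """True when host is an address inside one of TRUSTED_NETWORKS."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname (UseReverseDNS on) cannot be matched here
    return any(addr in net for net in TRUSTED_NETWORKS)

def suspicious_uploads(lines):
    """(user, host, path) for completed PHP uploads into public_html from untrusted hosts."""
    hits = []
    for line in lines:
        rec = parse_xferlog(line)
        if rec is None or rec["direction"] != "i" or rec["status"] != "c":
            continue  # skip malformed lines, downloads and aborted transfers
        if "/public_html/" not in rec["path"]:
            continue
        if rec["path"].lower().endswith(WEB_EXEC_SUFFIXES) and not is_trusted(rec["host"]):
            hits.append((rec["user"], rec["host"], rec["path"]))
    return hits

SAMPLE_XFERLOG = [  # constructed records, not taken from any real server
    "Tue Mar  5 02:13:44 2019 1 203.0.113.7 4321 /home/user1/domains/example.com/public_html/wp-load2.php b _ i r user1 ftp 0 * c",
    "Tue Mar  5 02:14:02 2019 1 192.0.2.15 8120 /home/user2/domains/example.net/public_html/index.php b _ i r user2 ftp 0 * c",
    "Tue Mar  5 02:15:10 2019 2 203.0.113.7 91000 /home/user1/domains/example.com/public_html/logo.png b _ o r user1 ftp 0 * c",
    "Tue Mar  5 02:16:33 2019 1 198.51.100.3 1200 /home/user3/domains/example.org/public_html/cache.PHP b _ i r user3 ftp 0 * i",
]
if __name__ == "__main__":
    print(suspicious_uploads(SAMPLE_XFERLOG))
```

Only the first record is reported: the second comes from a trusted range, the third is a download, and the fourth never completed.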
 
> Well, in that case you can grant access to port 21 to only one country; as Alex suggests, use CSF:
>
> CC_ALLOW_PORTS = "US" (or place the country code you need instead)
> CC_ALLOW_PORTS_TCP = "21"
> CC_ALLOW_PORTS_UDP = "21"
>
> An example would be to list port 21 here and remove it from TCP_IN/UDP_IN,
> then only countries listed in CC_ALLOW_PORTS can access FTP.

Yes, as I said in my initial post, I am aware that this can be done in CSF. My concern is that basically blocking the worldwide IP space, but one country, will have a serious performance impact.

Do you have any experience otherwise?
 
OK, I see. Was your user's main FTP account used, or an additional FTP account?

How can they get your password?

1. Insecure WiFi/3G/4G in public places when connecting to POP/IMAP/SMTP/Directadmin/FTP/HTTP, if one password is used for every protocol.
2. Insecure connections to FTP from public and insecure networks
3. keylogger/trojans/backdoors on a client machine
4. bruteforce

Using SFTP makes case #2 impossible and lowers the chances for case #4. If you don't like SFTP you can disable plain FTP and force using FTPS only.

Even if you block a country by any means: iptables, GeoIP... it does not solve the issue at all, as by using VPN/proxy and other hacked servers a hacker can connect to your server from an allowed country. Sure, you will reduce the amount of attacks, but still, if they really need to they will bypass the limitation.

An end user can use .ftpaccess in order to limit access to an FTP account from a desired IP. Potentially you can write a script which will add allowed IPs into the file /home/username/.ftpaccess per authenticated connection to Directadmin.
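The per-IP .ftpaccess idea from this post, as an added example that is not DirectAdmin's or ProFTPD's own code: it assumes ProFTPD honours `<Limit LOGIN>` from the home-directory .ftpaccess (AllowOverride on), and the file paths it uses are constructed.

```python
"""Per-user ProFTPD .ftpaccess allow-list of client addresses (added example,
not DirectAdmin's or ProFTPD's own code): when a user authenticates to the
panel, record the client address in /home/<user>/.ftpaccess so FTP logins for
that account are accepted only from recorded addresses. Assumes ProFTPD reads
<Limit LOGIN> from the home directory .ftpaccess (AllowOverride on)."""
import ipaddress
import os
import re
import tempfile

BEGIN = "# BEGIN panel-managed allow-list"
END = "# END panel-managed allow-list"
BLOCK_RE = re.compile(re.escape(BEGIN) + r".*?" + re.escape(END) + r"\n?", re.S)

def render_limit_login(ips):
    """Render a <Limit LOGIN> block that accepts only the given client addresses."""
    ordered = sorted(set(ips), key=lambda s: (ipaddress.ip_address(s).version, ipaddress.ip_address(s)))
    allows = "\n".join(f"  Allow from {ip}" for ip in ordered)
    return f"{BEGIN}\n<Limit LOGIN>\n  Order allow,deny\n{allows}\n  DenyAll\n</Limit>\n{END}\n"

def current_allow_list(text):
    """Addresses allowed by the managed block in text (empty if there is none)."""
    managed = BLOCK_RE.search(text)
    return re.findall(r"^\s*Allow from (\S+)$", managed.group(0) if managed else "", re.M)

def add_allowed_ip(path, client_ip):
    """Idempotently add client_ip to the managed block of the .ftpaccess at path; hand-written
    directives outside the markers are kept and the file is replaced atomically."""
    ipaddress.ip_address(client_ip)  # raises ValueError for anything but an address
    text = ""
    if os.path.exists(path):
        with open(path) as fh:
            text = fh.read()
    rest = BLOCK_RE.sub("", text).rstrip("\n")
    new_text = (rest + "\n" if rest else "") + render_limit_login(set(current_allow_list(text)) | {client_ip})
    with open(path + ".tmp", "w") as fh:
        fh.write(new_text)
    os.replace(path + ".tmp", path)  # the daemon never reads a half-written file
    return current_allow_list(new_text)

def demo():
    """Run the flow against a constructed home directory; returns the final allow-list."""
    path = os.path.join(tempfile.mkdtemp(), ".ftpaccess")
    with open(path, "w") as fh:
        fh.write("# hand-written directive, kept as-is\nHideNoAccess on\n")
    add_allowed_ip(path, "198.51.100.20")
    add_allowed_ip(path, "192.0.2.10")
    return add_allowed_ip(path, "192.0.2.10")  # a repeat login adds no duplicate
if __name__ == "__main__":
    print(demo())
```

The panel-side hook that calls add_allowed_ip on each login is left to the operator; the marker comments let hand-edited directives in the same file survive rewrites.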
 
> OK, I see. Was your user's main FTP account used, or an additional FTP account?
>
> How can they get your password?
>
> 1. Insecure WiFi/3G/4G in public places when connecting to POP/IMAP/SMTP/Directadmin/FTP/HTTP, if one password is used for every protocol.
> 2. Insecure connections to FTP from public and insecure networks
> 3. keylogger/trojans/backdoors on a client machine
> 4. bruteforce
>
> Using SFTP makes case #2 impossible and lowers the chances for case #4. If you don't like SFTP you can disable plain FTP and force using FTPS only.
>
> Even if you block a country by any means: iptables, GeoIP... it does not solve the issue at all, as by using VPN/proxy and other hacked servers a hacker can connect to your server from an allowed country. Sure, you will reduce the amount of attacks, but still, if they really need to they will bypass the limitation.
>
> An end user can use .ftpaccess in order to limit access to an FTP account from a desired IP. Potentially you can write a script which will add allowed IPs into the file /home/username/.ftpaccess per authenticated connection to Directadmin.

It was the main FTP account of a shared hosting user.

I know that they would be able to use a vpn/proxy but I think 99,9% of the automated attacks won't go this far. And in the last 10 years I don't recall ever seeing unauthorized access from an IP from our country.

I know there is no 100% perfect solution but I am looking for something that won't cause issues for our clients (like changing FTP ports, for example) and won't be too taxing on the server resources (like blocking millions of IPs through CSF).

Thanks for your input :)
 
Use WinSCP (as FTP program), then SFTP with it.
Other port (is also mostly the same for SSH) (so take care of CSF to set that port free)
(probably you can have user access to those ports allowed only from specific IPs / blocks) (A howto in the DA wiki / documentation would be nice??)

Your clients should be taught to work more safely and therefore also use other than default settings; for the future that kind of teaching is very, very important as so many new extra flaws are underway, more and more.

Extra:
Then it should also be possible to assign that (SFTP) user a separate bash shell; I don't know how to do that in DA, but there you can set some more open or restricted.

And of course settings only SSL....

For the sites themselves use the security headers (Content Security Policy and so on) to protect against external not trusted scripts and programs
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

And don't ever use WiFi/3G/4G for upload connections to the server or administration, that is also a better way.

Assuming that user/customer has more people working for them, one of them could also be the BAD hacking person!
Or even that customer himself, if trying to earn more money or hurt other customers on that BOX.

So save the LOGs and store them elsewhere to have some proof, for all the FTP logs!, but also wherefrom (access logs) that initial script was opened.

OYA, always set, as someone wrote above, different passwords for the FTP user, and mail and admin/reseller/user accounts; don't use real names for them such as company, site URL, person. That's for brute force...
 
> Use WinSCP (as FTP program), then SFTP with it.
> Other port (is also mostly the same for SSH) (so take care of CSF to set that port free)
>
> Your clients should be taught to work more safely and therefore also use other than default settings; for the future that kind of teaching is very, very important as so many new extra flaws are underway, more and more.
>
> Extra:
> Then it should also be possible to assign that (SFTP) user a separate bash shell; I don't know how to do that in DA, but there you can set some more open or restricted.
>
> And of course settings only SSL....
>
> For the sites themselves use the security headers (Content Security Policy and so on) to protect against external not trusted scripts and programs
> https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
>
> And don't ever use WiFi for upload connections to the server or administration, that is also a better way.

I appreciate your input but we're talking 1000s of domains and users here. We obviously remind our clients constantly about good security practices but the truth is, a lot of people just don't follow these guidelines. And that's why we need a global protection level at the server level, without causing users trouble.
 
> But what if they access the custom port with your customers' credentials? They will still be able to upload infected files even though you're using SFTP.
>
> Regards

Therefore your LOG files: save them and back them up.

As proof that the customer did something wrong with security himself, while the credentials should be only with that customer I presume; you can't handle the security on their side. (Only if you have an extra contract as security consultant and engineer yourself at their place. ;) )

You are off the hook, no no, only if you've taught/told/contracted them how to handle those things in a secure way, and you also did the important things on the server to be secure enough for the time being.
 
> I appreciate your input but we're talking 1000s of domains and users here. We obviously remind our clients constantly about good security practices but the truth is, a lot of people just don't follow these guidelines. And that's why we need a global protection level at the server level, without causing users trouble.

UH sorry!

Then it's even more important to have a more secure way as default, and instructions with it; old-fashioned, less secure to be more customer friendly is deadly nowadays! (Only secure and modern ways should be allowed to connect and have access to that kind of shared accounts and so on!)

Your handling of that makes it very (too) easy for hackers and BOTS to set up DDOS and other culprit attacks that attack (OUR) other servers and places.
You are the first responsible to have and set enough security on your boxes and to let your customers in only with secure enough practices and strictly followed guidelines. (If your boxes proved to be a hacker source or used by hackers you have also problems if you are too .....)

Let me guess, do you automatically change/force every admin/user password after some time?

You can force some basic Content Security Policies in your hosts file, for example, to (friendly) force your clients to a better and safer use of their sites (of course providing them with instructions and so on). Then shift the good/secure clients and bad/insecure clients to different boxes, be transparent and tell them on which box they are (the ones with clients that respect your security guidelines, or the one that has some disrespect (old not updated software, passwords too easy, old no longer secure apps / protocols and so on)).

So they can choose to be on the more secure box if they work securely themselves too!
No normal customer wants to be on a messy BOX where too much is possible to happen.....

Don't take my post personally, but this kind of handling and way of using IT is maybe the main cause of so many hacked and bot problems!

IN a howto (only your users have access) you could have default safe configs for WinSCP, for example with custom port, path and bash shell; then they only have to supply user and pass themselves....

Blocking IPs in my opinion is only helpful to have less .... traffic, as also the brute force.., but for security itself you have to have strict rules/settings and working policies!
 
> Then it should also be possible to assign that (SFTP) user a separate bash shell; I don't know how to do that in DA, but there you can set some more open or restricted.

When running ProFTPd+mod_sftp in order to allow SFTP you don't give your users access to bash/shell.

The mod_sftp module implements the SSH2 protocol and its SFTP subsystem, for secure file transfer over an SSH2 connection. This module supports the SFTP and SCP file transfer protocols; it does not support shell access.

And users are chrooted to their homedirs by default. Additional FTP accounts created in Directadmin are also usable here and their access directory can be changed per your choice.

http://www.proftpd.org/docs/contrib/mod_sftp.html
 
> When running ProFTPd+mod_sftp in order to allow SFTP you don't give your users access to bash/shell.
>
> The mod_sftp module implements the SSH2 protocol and its SFTP subsystem, for secure file transfer over an SSH2 connection. This module supports the SFTP and SCP file transfer protocols; it does not support shell access.
>
> And users are chrooted to their homedirs by default. Additional FTP accounts created in Directadmin are also usable here and their access directory can be changed per your choice.
>
> http://www.proftpd.org/docs/contrib/mod_sftp.html

Thanks, yup, even better so.
Then not using the main user account for FTP is also better in this combination (if credentials are hacked, only FTP). And I don't know that miner.... but could it be blocked afterwards (after being installed by hacker/bots) with the right content security and some other policies? https://securityheaders.io/
 