How to stop proftpd brute force attempts by username?

beansbaxter

Every day, on every hour, I get an email from DirectAdmin saying there was a brute force attempt by a user using proftpd, for example:

Code:
User admin has 153 failed login attempts: proftpd1=153

The only thing that changes is the user name and the number of failed login attempts. All of these brute force messages are associated with proftpd.

New websites, built from scratch, have been put in place so I am 100% sure there are no suspicious files that consist of the website.

These user names are not users setup in DirectAdmin. I believe these were usernames that were once used for the websites, before they were moved to this DA server. And those old usernames are still being used to attempt to login.

This has been going on for months and I just want to be rid of all these attempts/emails.

Is it possible to blacklist all usernames for this specific issue?

What other options do I have?

If it matters, I'm running DA 1.42.1 on CentOS 5 with the latest CSF 5.73.

Thanks in advance!
 
Friendly bump... can anyone assist please?
You can't stop brute force attacks, but you can block the IPs after a certain number of failed login attempts.
The guide "I wish to have a block_ip.sh so I can block IPs through DirectAdmin" is here: http://help.directadmin.com/item.php?id=380
OR
If you have CSF + LFD installed, create a script /usr/local/directadmin/scripts/custom/block_ip.sh:
Code:
#!/bin/sh
# DirectAdmin passes the address to block in $ip; csf -td adds a temporary deny entry
/etc/csf/csf.pl -td $ip 86400
exit 0
chmod block_ip.sh to 700.
This enables the Block IP button in the DirectAdmin Brute Force Monitor, which gives you the possibility to block an IP manually. In the above script the IP is temporarily blocked for 24h (86400 sec).

If you want to block the IP permanently, replace the line /etc/csf/csf.pl -td $ip 86400 with /etc/csf/csf.pl -d $ip

If you want to automatically block IPs, create a script /usr/local/directadmin/scripts/custom/brute_force_notice_ip.sh:
Code:
#!/bin/sh
# DirectAdmin exports the offending IP in $value when it raises a brute force notice;
# hand it to block_ip.sh as $ip and return that script's exit status
SCRIPT=/usr/local/directadmin/scripts/custom/block_ip.sh
ip=$value $SCRIPT
exit $?
chmod brute_force_notice_ip.sh to 700.

When the system sends an email about a brute force attack, the script will block that IP at the same time.
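A stricter variant of the auto-block hook above, added here as an example and not the poster's script: it checks that $value really is a plain IPv4 address before handing it to csf, and records every decision in a log, so a malformed or unexpected value never reaches the firewall command. CSF_BIN, BLOCK_LOG, TTL, the log path and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the thread's script. Assumes DirectAdmin exports the
# offending IP in $value (as the thread states) and CSF lives at /etc/csf/csf.pl.
CSF_BIN=${CSF_BIN:-/etc/csf/csf.pl}
BLOCK_LOG=${BLOCK_LOG:-/var/log/da_bruteforce_block.log}   # assumed log path
TTL=${TTL:-86400}   # 24 hours, matching the thread's block_ip.sh

# Return 0 only for a dotted-quad IPv4 address with four octets in 0..255.
is_ipv4() {
    _ip=$1
    case $_ip in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;   # empty, non-digit, empty octet
    esac
    _old_ifs=$IFS; IFS=.
    set -- $_ip          # split into octets
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Temporarily deny a validated address via csf -td and log the decision.
# Returns 2 (and blocks nothing) when the value is not a plain IPv4 address.
block_ip() {
    _ip=$1
    _ts=$(date '+%Y-%m-%d %H:%M:%S')
    if ! is_ipv4 "$_ip"; then
        printf '%s rejected non-IPv4 value: %s\n' "$_ts" "$_ip" >> "$BLOCK_LOG"
        return 2
    fi
    printf '%s blocking %s for %ss\n' "$_ts" "$_ip" "$TTL" >> "$BLOCK_LOG"
    "$CSF_BIN" -td "$_ip" "$TTL" "DirectAdmin brute force notice"
}

# Entry point when DirectAdmin runs this hook: $value carries the IP.
if [ -n "${value:-}" ]; then
    block_ip "$value"
    exit $?
fi
```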
 
Thanks for those suggestions. The problem I'm having is the IP changes too frequently for that to stop it all. The only constant is the username attempt, which is what I was hoping/asking to see if that can be the stop filter for these attempts.

To mitigate this issue, I've since disabled the proftpd service and will just enable it for the few times I need FTP access.

Thanks.
 
I just added the block_ip.sh and brute_force_notice_ip.sh on my DA install...thank you.

Am I correct to think that I can now remove all Skip List entries now that CSF will be blocking the IPs rather than the Brute Force Monitor?
 
The 'add to skip list' feature, AFAIK, is to skip the IP when DA sends alerts to the message system / e-mail.

You'll need to discover what the overlapping features between the two firewalls are. Perhaps 'skip list' is of use even while running CSF?

Might be worth while to hang onto a backup of /usr/local/directadmin/data/admin/brute_skip.list for good measure.

You're much more adventurous than I -- learning BFM & IPTables (among tons of other stuff!) is all I can take right now. :)
 
I'm considering turning off brute-force monitoring and just staying with CSF, which seems highly effective, a lot more configurable, and saves a lot of lines in the message system. Anyone care to comment on whether or not it seems to work for them?

Jeff
 