
Block brute force FTP attacks with iptables

If you leave your FTP server listening on port 21, you will end up the target of dictionary-based brute-force attacks. If you don't want to change the port, you should add some iptables rules that limit new connections per minute per source IP, making life harder for an attacker.

sudo iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -m recent --set --name FTPCON
sudo iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name FTPCON -j DROP

Explanation: the first line records the source address of every NEW connection arriving on port 21 via eth0 in a list named FTPCON; the second line limits a source to 8 hits per minute by dropping its further NEW connections once it reaches 8 within 60 seconds. These lines should be among the first rules of your iptables firewall and must come before the rule that allows FTP (if you have one).

If you would like to log all the FTP connections that are dropped:

sudo iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -m recent --set --name FTPCON
sudo iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name FTPCON -j LOG --log-prefix 'FTP REJECT: '
sudo iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name FTPCON -j DROP

The logged packets should appear in /var/log/syslog.

Note: these rules will not survive the next reboot; you will have to reload them at each start. My choice is a startup script.
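As an added example (not part of the original post), the script below wraps the three rules in an idempotent installer that can be called from a startup script, and adds a small summary of the "FTP REJECT: " lines the LOG rule writes to syslog. It assumes the same values as the post (eth0, port 21, 8 hits per 60 seconds, list name FTPCON) and an iptables binary on PATH; the sample log lines are constructed, not captured. The --rttl option in the original rules is worth keeping: it only counts a packet against an address when its TTL matches the one recorded at --set time, so a third party cannot get a legitimate address blocked by spoofing SYN packets from it. On Debian, the iptables-persistent package is an alternative to a hand-written startup script for restoring saved rules at boot.

```shell
#!/bin/sh
# Added example, not from the original post. Installs the FTP rate-limit rules
# idempotently (safe to run at every boot) and summarises the "FTP REJECT: "
# lines the LOG rule produces. Assumed values match the post and can be
# overridden through the environment variables below.
IPTABLES="${IPTABLES:-iptables}"
IFACE="${IFACE:-eth0}"
PORT="${PORT:-21}"
WINDOW="${WINDOW:-60}"
HITS="${HITS:-8}"
NAME="${NAME:-FTPCON}"

# Append a rule unless an identical one already exists (iptables -C), so a
# startup script never duplicates rules. With DRY_RUN set, the rule is printed
# instead of applied (the argument list is shown without shell quoting).
add_rule() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables -A'; printf ' %s' "$@"; printf '\n'
        return 0
    fi
    "$IPTABLES" -C "$@" 2>/dev/null || "$IPTABLES" -A "$@"
}

# The match shared by all three rules: NEW TCP connections to the FTP port.
ftp_new() {
    add_rule INPUT -i "$IFACE" -p tcp --dport "$PORT" -m state --state NEW -m recent "$@"
}

# Record the source, log offenders, then drop them (same order as in the post).
install_ftp_limit() {
    ftp_new --set --name "$NAME"
    ftp_new --update --seconds "$WINDOW" --hitcount "$HITS" --rttl --name "$NAME" \
        -j LOG --log-prefix 'FTP REJECT: '
    ftp_new --update --seconds "$WINDOW" --hitcount "$HITS" --rttl --name "$NAME" \
        -j DROP
}

# Constructed sample of syslog lines (not real traffic): four drops from two
# addresses plus an unrelated sshd line that must be ignored.
SAMPLE_LOG='Mar  3 10:15:02 ftp1 kernel: [  812.301] FTP REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=21 SYN
Mar  3 10:15:03 ftp1 kernel: [  813.110] FTP REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51235 DPT=21 SYN
Mar  3 10:15:09 ftp1 kernel: [  819.442] FTP REJECT: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=47 PROTO=TCP SPT=40211 DPT=21 SYN
Mar  3 10:15:10 ftp1 kernel: [  820.005] FTP REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51236 DPT=21 SYN
Mar  3 10:15:11 ftp1 sshd[1201]: Accepted publickey for admin from 192.0.2.50 port 55012'

# Per-source count of dropped attempts from log lines on stdin, busiest first
# (output format is that of "uniq -c": count, then address).
ftp_reject_summary() {
    grep 'FTP REJECT: ' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# Address with the most dropped attempts (empty if there were none).
ftp_top_source() {
    ftp_reject_summary | head -n 1 | awk '{print $2}'
}

# Usage: "sh ftp-limit.sh install" from a startup script (as root);
#        "sh ftp-limit.sh summary < /var/log/syslog" to review the drops;
#        "sh ftp-limit.sh demo" runs the summary over the constructed sample.
case "${1:-}" in
    install) install_ftp_limit ;;
    summary) ftp_reject_summary ;;
    demo)    printf '%s\n' "$SAMPLE_LOG" | ftp_reject_summary ;;
esac
```

Running the summary over the sample reports 3 drops from 203.0.113.7 and 1 from 198.51.100.23; the sshd line is ignored because it lacks the log prefix. A dry run (DRY_RUN=1 sh ftp-limit.sh install) prints the three rules the installer would apply, in the same order as the post.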

Resources: serverfault.com, kevin.vanzonneveld.net
