
Ban Pure-FTPd login attempts by IP after three failures Internet
I run an FTP server on my machine, using Pure-FTPd. Lately I was getting a lot of noise in my logs from unknown people trying to gain access to my FTP server. I wanted to automate the task of looking through the log and banning the offending IPs, so that my logs would be kept clean of all those failed attempts.

What I came up with is a bash script executed by a launchd user daemon whenever the file /var/log/ftp.log is modified. Parts of the code come from , and irc2samus on the #bash channel (IRC on freenode.net) wrote the rest.

I thought this might help others, too, so here's the code.

I put the following in /etc/autoban/ftp_ban.sh (make it executable with chmod +x; it has to run as root, because ipfw only accepts rule changes from root):
#!/bin/bash
# this script scans /var/log/ftp.log for IPs that
# repeatedly try to connect to the server without proper credentials
# and bans them after their 3rd failure, so we can have clean logs
#
# it must run as root: ipfw only accepts rule changes from root
secure_log=/var/log/ftp.log
log=/var/log/ftp_ban.log

function ban_host {
    # find the lowest unused rule number ("ipfw show" prints
    # rule numbers zero-padded to five digits, so match whole lines)
    rule_numbers=$(ipfw show | awk '{print $1}')
    lowest_rule=1
    while grep -qx "$(printf %05d "$lowest_rule")" <<<"$rule_numbers"; do
        lowest_rule=$(( lowest_rule + 1 ))
    done
    # the actual banning happens here
    ipfw -q add "$lowest_rule" deny ip from "$1" to any
    echo "$(date +'%D %T') : Banned $1" >> "$log"
}

# pull the client address out of lines like
#   pure-ftpd: (?@10.0.0.5) [WARNING] Authentication failed for user [bob]
fgrep 'Authentication failed for user' "$secure_log" | while read -r line; do
    line=${line#*(\?@}; line=${line%%)*}; echo "$line"
done | sort | uniq -c | while read -r count suspected_host; do
    # ban on the 3rd failure, unless a deny rule for exactly this
    # address is already in place (a plain substring match would let
    # a rule for 10.0.0.10 hide 10.0.0.1)
    if (( count >= 3 )); then
        ipfw show | fgrep -q "deny ip from $suspected_host to any" \
            || ban_host "$suspected_host"
    fi
done
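
As an added example (my own code, not part of the hint and not the script above), here is the same log parsing and ipfw bookkeeping pulled into small functions that take the log text and the "ipfw show" output as arguments, so they can be checked against sample data on any machine without root or a live ipfw. The sample log lines and rule table are constructed for the demo, the function names are my own, and the un-ban helper assumes the usual "ipfw delete RULENUMBER" form:

```shell
#!/bin/sh
# Added example: testable helpers for fail2ban-style banning with ipfw.
# Everything that inspects text is a pure function; only ban_host and
# unban_host touch the real firewall.

# Constructed sample of /var/log/ftp.log lines in Pure-FTPd's format.
SAMPLE_LOG='Nov  9 14:58:01 mac pure-ftpd[2231]: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Nov  9 14:58:03 mac pure-ftpd[2231]: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Nov  9 14:58:05 mac pure-ftpd[2231]: (?@203.0.113.7) [WARNING] Authentication failed for user [root]
Nov  9 14:59:10 mac pure-ftpd[2240]: (?@203.0.113.70) [WARNING] Authentication failed for user [test]
Nov  9 15:01:22 mac pure-ftpd[2251]: (?@198.51.100.9) [INFO] bob is now logged in
Nov  9 15:02:40 mac pure-ftpd[2260]: (?@198.51.100.9) [WARNING] Authentication failed for user [bob]'

# Constructed sample of "ipfw show" output: a zero-padded rule number,
# packet and byte counters, then the rule body.
SAMPLE_RULES='00001     12      960 deny ip from 203.0.113.70 to any
00002      0        0 deny ip from 192.0.2.5 to any
12190      0        0 allow ip from any to any via lo0
65535 100234 81233322 allow ip from any to any'

# failed_hosts LOGTEXT THRESHOLD
# Prints one address per line that has at least THRESHOLD failed logins.
failed_hosts() {
    printf '%s\n' "$1" \
        | grep -F 'Authentication failed for user' \
        | sed -n 's/.*(?@\([^)]*\)).*/\1/p' \
        | sort | uniq -c \
        | awk -v t="$2" '$1 >= t { print $2 }'
}

# is_banned RULETEXT HOST
# Exact match on the whole rule body, so 203.0.113.7 does not match an
# existing rule for 203.0.113.70.
is_banned() {
    printf '%s\n' "$1" | grep -Fq "deny ip from $2 to any"
}

# free_rule RULETEXT: lowest rule number not already in use.
free_rule() {
    n=1
    while printf '%s\n' "$1" | awk '{print $1}' | grep -qx "$(printf '%05d' "$n")"; do
        n=$((n + 1))
    done
    echo "$n"
}

# rules_for_host RULETEXT HOST: rule numbers that deny HOST (for un-banning).
rules_for_host() {
    printf '%s\n' "$1" | grep -F "deny ip from $2 to any" | awk '{print $1 + 0}'
}

# Live wrappers: need root and a macOS/FreeBSD ipfw. Not run by the demo below.
ban_host()   { ipfw -q add "$(free_rule "$(ipfw show)")" deny ip from "$1" to any; }
unban_host() { for r in $(rules_for_host "$(ipfw show)" "$1"); do ipfw -q delete "$r"; done; }

# Dry run over the constructed samples: show what the real run would do.
for h in $(failed_hosts "$SAMPLE_LOG" 3); do
    if is_banned "$SAMPLE_RULES" "$h"; then
        echo "already banned: $h"
    else
        echo "would run: ipfw add $(free_rule "$SAMPLE_RULES") deny ip from $h to any"
    fi
done
```

Running the file as-is prints the dry-run line for 203.0.113.7 (three failures, no rule yet) and nothing for 203.0.113.70 or 198.51.100.9, which are below the threshold. To lift a ban by hand, look up the rule number with "ipfw show" and delete it with "ipfw delete NUMBER", which is all unban_host does.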
To make this script run automatically as a launchd user daemon, I used Lingon, as explained on Sergei's page. A Lingon User Daemon is stored in /Library/LaunchDaemons and runs as root, which is what ipfw needs. In Lingon, create a new User Daemon and fill the form out like this:
  • In the first field, enter com.yourName.whatever.youWant
  • In the second field, point to the /etc/autoban/ftp_ban.sh script (it must be executable).
  • Finally, locate the field named Run if the file is Modified and choose /var/log/ftp.log
  • Skip everything else, and don't forget to click the Save button
Log out or restart, and you should be done. Note that ipfw rules do not survive a reboot; since the script rescans the whole log on every run, the bans are put back the next time the log changes, as long as the failed attempts have not been rotated out of the log yet.
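
The same job written out by hand as a launchd plist, as an added example that is not from the hint or from Lingon: make_plist prints what Lingon's three fields turn into (the "Run if the file is Modified" field is the WatchPaths key), and install_job writes it into /Library/LaunchDaemons with the ownership and permissions launchd insists on, then loads it. The label com.yourName.autoban and the "install" argument are my own choices; the script and log paths are the hint's.

```shell
#!/bin/sh
# Added example: build and install the LaunchDaemon that Lingon creates
# through its form. Label and "install" mode are assumptions for the demo.

# make_plist LABEL SCRIPT WATCHED_FILE
# Print a LaunchDaemon plist that runs SCRIPT whenever WATCHED_FILE changes.
make_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$1</string>
    <key>ProgramArguments</key>
    <array>
        <string>$2</string>
    </array>
    <key>WatchPaths</key>
    <array>
        <string>$3</string>
    </array>
</dict>
</plist>
EOF
}

# install_job LABEL SCRIPT WATCHED_FILE
# Write the plist into /Library/LaunchDaemons and load it. Needs root and
# a Mac: launchd refuses plists that are not owned by root or are
# group/world writable, and the ban script itself must be executable.
install_job() {
    plist="/Library/LaunchDaemons/$1.plist"
    make_plist "$1" "$2" "$3" > "$plist"
    chown root:wheel "$plist"
    chmod 644 "$plist"
    chmod 700 "$2"
    launchctl load -w "$plist"
}

# "sh thisfile.sh install" on the Mac installs the job; with no argument
# it just prints the plist so you can compare it with what Lingon wrote.
if [ "${1:-}" = "install" ]; then
    install_job com.yourName.autoban /etc/autoban/ftp_ban.sh /var/log/ftp.log
else
    make_plist com.yourName.autoban /etc/autoban/ftp_ban.sh /var/log/ftp.log
fi
```

Loading the job with launchctl load -w is the command-line equivalent of the restart the hint suggests, so the watcher starts without logging out.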

[robg adds: I haven't tested this one.]

3 comments
Authored by: clusty on Mon, Nov 9 2009 at 3:03PM PST
A more elegant method would be to use TCP wrappers, namely hosts.deny.

Authored by: photonyx on Thu, Nov 12 2009 at 9:27AM PST
That is true, hosts.deny would be more elegant. Does anyone know which way uses more resources - firewall or TCP wrapper?

Authored by: pexner on Fri, Nov 13 2009 at 6:47AM PST
Just a small question:

How to UN-ban an address using ipfw?
Syntax anyone?

Thanks in advance,

Patrick
