FTP port 21 brute force protection

amplatfus

Senior Member
Hi,

I am looking for iptables brute-force protection for port 21.
So far I have:
Code:
# appended to INPUT: accepts every new port-21 connection to the router itself
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# FORWARD only handles traffic routed through the router, not connections to its own FTP daemon
iptables -I FORWARD -p tcp --dport 21 -m state --state NEW -m limit --limit 3/min -j ACCEPT
iptables -I FORWARD -p tcp --dport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
Please confirm: am I on the right path? What should I change?
PS: I have activated FTP access from the web GUI. I do not know if I should delete the first line of the code.

Thank you!
 
Could you please assist me? I have tried both without success and do not know which direction to go in. Mainly, I have tried the two scenarios below with FTP activated from the Merlin FW GUI:
1.
Code:
# record every new port-21 connection per source address; no -j, so processing falls through
iptables -A INPUT -p tcp -m state --state NEW --dport 21 -m recent --name ftpattack --set
# 4 or more new connections from that source within 60 s: log, then reject with a TCP RST
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --name ftpattack --rcheck --seconds 60 --hitcount 4 -j LOG --log-prefix 'FTP REJECT: '
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --name ftpattack --rcheck --seconds 60 --hitcount 4 -j REJECT --reject-with tcp-reset
# note: -A appends these behind any earlier ACCEPT for port 21 in INPUT, and that rule then matches first
2.
Code:
# the WAN interface name depends on the model; br0 is the LAN bridge. Record each new connection
iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -m recent --set --name FTPCON
# 8 or more new connections within 60 s from the same source and TTL (--rttl): log, then drop
iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name FTPCON -j LOG --log-prefix 'FTP REJECT: '
iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name FTPCON -j DROP
PS: also tested with br0 instead of eth0.

Please let me know if you have a hint. Thank you in advance.
 
Things to try first: try the FORWARD chain. Also, this is from your OP:
So far I have:
Code:
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -I FORWARD -p tcp --dport 21 -m state --state NEW -m limit --limit 3/min -j ACCEPT
iptables -I FORWARD -p tcp --dport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
Please confirm: am I on the right path? What should I change?
Try switching the last two lines:
Code:
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -I FORWARD -p tcp --dport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -p tcp --dport 21 -m state --state NEW -m limit --limit 3/min -j ACCEPT
Or you can try my untested version:
Code:
iptables -N FTPBFP
# hand every new port-21 connection to the chain; -I puts the jump at the top of INPUT (without it the chain is never reached)
iptables -I INPUT -p tcp --dport 21 -m state --state NEW -j FTPBFP
iptables -A FTPBFP -m recent --set --name FTP --rsource
# 3 or more new connections from one source within 60 s: log, then reject; --update re-stamps the entry on each match
iptables -A FTPBFP -m recent --update --seconds 60 --hitcount 3 --name FTP --rsource -j LOG --log-prefix 'FTP BruteForceBlock: ' --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A FTPBFP -m recent --update --seconds 60 --hitcount 3 --name FTP --rsource -j REJECT
iptables -A FTPBFP -j ACCEPT
 
Thank you. I tried. No luck so far. I am testing by entering a wrong user/pass many times and then, after a few seconds, the correct user/pass. In all scenarios I am logging in without issues after many wrong user/pass entries.

1. Please, am I testing correctly?

On the other hand, I see the entries below added automatically in iptables.
2. Can I use something similar?
Code:
# iptables-save format (no leading "iptables"); these are the firmware's own SECURITY chain rules
# -m limit here is one global bucket over all matching packets, not a per-source counter
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
Thank you.
Best regards!
 
I've not throttled ftp myself (have it disabled altogether), but I suspect the approach should not be much different from throttling SSH

Why is FTP even open on a home network in the first place? It's about as bad as Telnet from a security standpoint...
 
@sfx2000 Yes, I agree and I did point that out.

I am testing by entering a wrong user/pass many times and then, after a few seconds, the correct user/pass.
@amplatfus Close the connection and reconnect... It will not matter if you are already connected and retry multiple times with different user/password. The connection is throttled, not the login attempts.

Also remember to flush out the iptables if you are switching to test a different approach, but I think you already know that.
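Added example (not from any post in this thread, and not Asuswrt-Merlin code): a Python model of what the iptables recent match does with --set, --rcheck and --update, so the rule sets posted above can be reasoned about offline. It assumes the xt_recent semantics (the hit count is the number of stamps within --seconds, at most 20 stamps kept per address by default) and runs over constructed connection events; the accept_first flag stands in for an ACCEPT for port 21 sitting above the throttle in INPUT, which is an assumption about how an appended (-A) rule set ends up ordered behind the GUI's rule. It shows the two points made in the thread: only new connections are counted, never login retries inside an already-open session, and the block is per source and lapses once the window slides.

```python
"""Model of the iptables 'recent' match (xt_recent) used for the port-21 throttle
discussed in this thread.  Added example: this is not code from the thread or from
Asuswrt-Merlin; it re-implements the match semantics in Python so the rule sets can
be reasoned about offline.  The event lists at the bottom are constructed samples."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PKT_LIST_TOT = 20  # xt_recent keeps at most ip_pkt_list_tot stamps per address (default 20)


@dataclass
class RecentTable:
    """One named list (--name ftpattack), keyed by source address (--rsource)."""
    stamps: Dict[str, List[float]] = field(default_factory=dict)

    def _add_stamp(self, src: str, now: float) -> None:
        entry = self.stamps.setdefault(src, [])
        entry.append(now)
        del entry[:-PKT_LIST_TOT]            # oldest stamps drop out of the ring buffer

    def _hits(self, src: str, now: float, seconds: int) -> Optional[int]:
        entry = self.stamps.get(src)
        if entry is None:
            return None                       # unknown source: --rcheck/--update never match
        return sum(1 for t in entry if seconds == 0 or now - t <= seconds)

    def set(self, src: str, now: float) -> None:
        """--set: add src (or refresh it) and record this packet; the rule always matches."""
        self._add_stamp(src, now)

    def rcheck(self, src: str, now: float, seconds: int, hitcount: int) -> bool:
        """--rcheck --seconds S --hitcount N: true if src has at least N stamps within
        the last S seconds.  The entry itself is left untouched."""
        hits = self._hits(src, now, seconds)
        return hits is not None and hits >= hitcount

    def update(self, src: str, now: float, seconds: int, hitcount: int) -> bool:
        """--update: the same test, but a match also records this packet, so a source
        that keeps knocking keeps refreshing its own block."""
        if self.rcheck(src, now, seconds, hitcount):
            self._add_stamp(src, now)
            return True
        return False


def ftp_verdict(table: RecentTable, src: str, now: float, *, seconds: int = 60,
                hitcount: int = 4, update: bool = False, accept_first: bool = False) -> str:
    """Verdict for one NEW SYN to port 21 under the three rules posted in the thread:
         -m recent --set                      (record, no target: falls through)
         -m recent --rcheck ... -j LOG        (LOG is non-terminating)
         -m recent --rcheck ... -j REJECT
    accept_first models an ACCEPT for --dport 21 that sits above these rules in INPUT
    (assumed here to be what an -A appended throttle ends up behind): the packet is
    accepted before the recent rules are consulted at all."""
    if accept_first:
        return "ACCEPT"
    table.set(src, now)
    check = table.update if update else table.rcheck
    check(src, now, seconds, hitcount)        # LOG rule: same match, processing continues
    if check(src, now, seconds, hitcount):    # REJECT rule
        return "REJECT"
    return "ACCEPT"                           # falls through to the ACCEPT below the throttle


Event = Tuple[float, str, str]  # (time in seconds, source IP, "new" | "login")


def simulate(events: List[Event], **opts) -> List[str]:
    """Run a connection log through the throttle.  A "login" event is another USER/PASS
    on a session that is already open: it produces no NEW packet, so --state NEW rules
    never see it.  Only reconnecting adds a stamp, which is why retrying credentials
    inside one session cannot trigger the block."""
    table = RecentTable()
    return ["NOT_SEEN" if kind == "login" else ftp_verdict(table, src, now, **opts)
            for now, src, kind in events]


# Constructed sample: one attacker reconnecting quickly, the owner arriving from elsewhere.
ATTACKER, OWNER = "203.0.113.7", "198.51.100.23"
EVENTS: List[Event] = [
    (0, ATTACKER, "new"),
    (5, ATTACKER, "login"),  # retry inside the open session: invisible to the firewall
    (10, ATTACKER, "new"),
    (12, ATTACKER, "new"),
    (14, ATTACKER, "new"),   # 4th NEW connection within 60 s: hitcount reached, REJECT
    (16, ATTACKER, "new"),
    (20, OWNER, "new"),      # separate source, separate counter: unaffected
    (80, ATTACKER, "new"),   # every earlier stamp is older than 60 s: accepted again
]
# Constructed sample: the attacker keeps knocking after being rejected.
PERSISTENT: List[Event] = [(t, ATTACKER, "new") for t in (0, 10, 12, 14, 66, 75)]

if __name__ == "__main__":
    for (now, src, kind), v in zip(EVENTS, simulate(EVENTS)):
        print(f"t={now:>3}s {src:<14} {kind:<5} -> {v}")
    print("--rcheck, last knock:", simulate(PERSISTENT)[-1])
    print("--update, last knock:", simulate(PERSISTENT, update=True)[-1])
    print("appended behind an ACCEPT:", simulate(EVENTS, accept_first=True)[4])
```

The PERSISTENT run is where --rcheck and --update part ways: with --rcheck only the --set rule stamps each knock, so the attacker's 75 s attempt is accepted again once the early stamps age out, while with --update both the LOG and REJECT rules re-stamp every rejected knock and the same attempt stays rejected. The accept_first run returns ACCEPT for every connection, which is the symptom of a throttle that never gets evaluated.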
 
I closed the connection but it is still not working. I am using this instead of SFTP because it is easier to use remotely without any software, as it is available in the browser.

I think I will move to Martineau's version: How to Dynamically Ban Malicious IP's using IPSet.

Thank you all for the prompt support!
 
I doubt that you can have the brute force attack blocked by the script if you have port 21 open for your own use.
 
I doubt that you can have the brute force attack blocked by the script if you have port 21 open for your own use.
I understood that port 21 will be protected with Martineau's Ban Malicious IP's using IPSet version. My understanding is that it will block the incoming IP that generated the brute force attack. And I have the iblocklist active.

I see those as being enough. Please, am I missing something?
Thank you again!
 
It will not protect you if you have the ftp port open yourself. But if you have the ftp port closed, then anyone who tries to connect on the ftp port will be blocked normally by your router's firewall. I believe that script will put the blocked IPs (the ones that are already blocked by the firewall) into an ipset so that in case they try to connect again, they will be blocked in a different way (via the ipset list match).

Note that if you have your ftp port closed, you'll not be able to connect yourself (unless you use a different port for ftp, but then again other attackers can also connect on that port.) Please clarify from the script maintainer what you are trying to do and whether it would fit your purpose.
 
