vsftpd has the same problem as ssh. A large number of "hackers" are trying to test the security of my servers. Thank you very much. To make it easier for them to intrude, I found a small piece of software that prevents brute-force intrusion. I tested its FTP intrusion protection. Pretty good. ssh won't be tested. The software I introduced previously is very useful.
Fail2ban Installation
On CentOS 5 it is easy to install: it can be installed with yum. Of course, the prerequisite is that the CentOS extension package I mentioned is installed.
# yum install fail2ban
You can also visit their official website.
http://www.fail2ban.org/wiki/index.php/Main_Page
Fail2ban can block brute-force intrusion against many services, such as apache, postfix, exim, named, qmail, sasl, ssh, webmin, and wuftpd.
You can see all of them in the filter.d directory.
# ls -l /etc/fail2ban/filter.d/
total 80
-rw-r -- 1 root 704 Feb 28 apache-auth.conf
-rw-r -- 1 root 2396 Mar 6 apache-badbots.conf
-rw-r -- 1 root 650 Mar 5 apache-noscript.conf
-rw-r -- 1 root 444 Mar 6 apache-overflows.conf
-rw-r -- 1 root 1036 Mar 1 common.conf
-rw-r -- 1 root 609 Feb 28 05:44 courierlogin.conf
-rw-r -- 1 root 584 Feb 28 05:44 couriersmtp.conf
-rw-r -- 1 root 606 Feb 28 05:44 exim.conf
-rw-r -- 1 root 887 Feb 28 named-refused.conf
-rw-r -- 1 root 584 Feb 28 05:44 postfix.conf
-rw-r -- 1 root 875 Mar 6 05:53 proftpd.conf
-rw-r -- 1 root 794 Feb 28 pure-ftpd.conf
-rw-r -- 1 root 599 Feb 28 05:44 qmail.conf
-rw-r -- 1 root 643 Feb 28 05:44 sasl.conf
-rw-r -- 1 root 1379 Mar 6 sshd.conf
-rw-r -- 1 root 620 Feb 28 sshd-ddos.conf
-rw-r -- 1 root 758 May 7 vsftpd.conf
-rw-r -- 1 root 820 Feb 28 webmin-auth.conf
-rw-r -- 1 root 308 Feb 28 05:44 wuftpd.conf
-rw-r -- 1 root 841 Mar 6 xinetd-fail.conf
Fail2ban Configuration
After fail2ban is installed, the main configuration files are /etc/fail2ban/jail.conf and fail2ban.conf. fail2ban.conf can be left at its default values.
The file we usually edit is jail.conf, and it is very easy to set up. By modifying jail.conf you can control protection for all of the services listed above.
# vim /etc/fail2ban/jail.conf
[DEFAULT]
# Global settings
# IP addresses or ranges that are never banned. Separate multiple entries with spaces, e.g. 192.168.250.0/24
ignoreip = 127.0.0.1
# Ban duration in seconds. If the value is -1, the IP address is banned permanently.
bantime = 600
# Time window (in seconds) within which maxretry failures must be reached.
findtime = 600
# Allowed attempts
maxretry = 3
# Per-service settings
# sshd brute-force intrusion protection
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         mail-whois[name=SSH, dest=root]
logpath = /var/log/secure
# Overrides the global number of attempts for this jail
maxretry = 5
# vsftpd brute-force intrusion protection
[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath = /var/log/secure
maxretry = 3
bantime = 1800
We recommend setting maxretry to 3, so that an address is blocked after three failed attempts, and changing logpath (on CentOS 5 and RHEL 5) to /var/log/secure.
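To show how ignoreip, findtime and maxretry from the configuration above decide when an address is banned, here is an added example (not part of the original post and not fail2ban's own code) that replays the same counting over constructed log lines. The regex, the find_bans function, the IPv4-only matching and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for a vsftpd failregex (assumption, not the shipped filter).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ vsftpd\S*: .*"
    r"authentication failure; .*rhost=(?P<host>\d+\.\d+\.\d+\.\d+)"
)

def find_bans(lines, maxretry=3, findtime=600, ignoreip=("127.0.0.1",), year=2024):
    """Return [(ip, time)] for each host reaching maxretry failures within findtime s."""
    ignored = [ipaddress.ip_network(n) for n in ignoreip]
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    bans, banned = [], set()
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue  # not an FTP authentication failure
        host = m.group("host")
        if host in banned or any(ipaddress.ip_address(host) in n for n in ignored):
            continue  # already banned, or whitelisted by ignoreip
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            banned.add(host)
            bans.append((host, ts.strftime("%H:%M:%S")))
    return bans

# Constructed sample in the style of /var/log/secure (documentation addresses).
_LINE = ("Mar  6 {t} ftp1 vsftpd(pam_unix)[2101]: authentication failure; "
         "logname= uid=0 euid=0 tty= ruser= rhost={ip}")
SAMPLE_LOG = [_LINE.format(t=t, ip=ip) for t, ip in [
    ("05:40:00", "198.51.100.9"), ("05:49:00", "198.51.100.9"),
    ("05:53:01", "203.0.113.7"), ("05:53:05", "192.168.250.14"),
    ("05:53:06", "192.168.250.14"), ("05:53:07", "192.168.250.14"),
    ("05:53:09", "203.0.113.7"), ("05:53:30", "203.0.113.7"),
    ("05:55:00", "198.51.100.9"),
]] + ["Mar  6 05:56:00 ftp1 sshd[2200]: Accepted password for bob from 203.0.113.7 port 4022 ssh2"]

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG, ignoreip=("127.0.0.1", "192.168.250.0/24")):
        print(f"ban {ip} at {when}")
```

With the 600-second window, 198.51.100.9 is never banned because its three failures are spread over 15 minutes; a slow attacker like this is only caught by a longer findtime.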
Then we enable the service at boot and start it:
# chkconfig --level 2345 fail2ban on
# service fail2ban start
Fail2ban test and view
To test a filter and check its syntax against a log file, you can use this command:
# fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/vsftpd.conf
Once fail2ban is running, run the iptables command and you will see that the following rules have been added.
# iptables -L -nv
Chain INPUT (policy ACCEPT 231M packets, 51G bytes)
 pkts bytes target           prot opt in  out  source          destination
   97  5294 fail2ban-VSFTPD  tcp  --  *   *    0.0.0.0/0       0.0.0.0/0    tcp dpt:21
Chain fail2ban-VSFTPD (1 references)
 pkts bytes target           prot opt in  out  source          destination
   20   998 DROP             all  --  *   *    220.249.41.163  0.0.0.0/0
   77  4296 RETURN           all  --  *   *    0.0.0.0/0       0.0.0.0/0
Of course, fail2ban also provides a command to query the status of a jail:
# fail2ban-client status vsftpd-iptables
Status for the jail: vsftpd-iptables
|- Filter
|  |- File list:        /var/log/secure
|  |- Currently failed: 0
|  `- Total failed:     6
`- Action
   |- Currently banned: 1
   |  `- IP list:       220.249.41.163
   `- Total banned:     1