Slowing down or preventing ftp hack attacks

My server is running Centos 4.3 w/ Proftpd 1.2.10 server. I have for the past week been getting attacks on the server from “script kiddies”. They are apparently using the same script that all try to get in using the username “Administrator”. I have both APF and BFD installed. BFD is detecting these attacks and blocking the IP address, but every day I get one or two more attempts from different IPs which are promptly blocked.

Here is a list of IPs currently blocked. There is nothing consistent about them. Almost none of them are even coming from the same network.


Is there any way to slow down or completely stop these attacks without having to change the FTP server port? I’ve already changed the SSH port due to one happening on that.

You could leave BFD to block them and then tell proftpd to disallow all logins with the username “Administrator”.

Well user “Administrator” doesn’t exist anyways. Would the disallow rule make any difference and if it does how would I add it to the proftpd.conf file?

Well, it would just mean that the attacks would use slightly less resources, as the ftpd would only read the config instead of looking through /etc/passwd or whatever method it normally uses.

So that means less SQL queries… ok.

I believe the ProFTP default setup with interworx looks up all usernames in an “iworx” database somewhere.

This is correct. All SiteWorx-created FTP accounts (ftp@whatever.com, user@whatever.com) are stored in a database.

It also uses /etc/passwd though doesn’t it? Shell-only users are also able to login to FTP, and they’re not in the Iworx database…

The only shell users I have logged into “FTP” with was via SFTP, which uses some kind of SSH protocol and not proftpd. I haven’t tried a shell login user with regular proFTPd, so it may work, I just didn’t think it would.

EDIT: I’d also like to note that in order for me to use this SFTP (via SSH) I had to enable the shell for the users I wanted to be able to SFTP. I was able to do this without giving them shell access, which I explained in another thread in this forum somewhere :slight_smile:

I briefly considered mentioning the same thing, but the point of the passwords is that it’s more secure. If this continues to be a problem I’d advise you to change the port.

Yes. It looks like I’m going to have to. The most recent one was a random username hit. The last thing I need is my server compromised. So now I’ve changed the port to 2121 (a common alternate port) and added ‘RootRevoke on’, which makes the server drop root privileges completely. This will cause no side effects since it is now operating on a port greater than 1024. The only potential side effect was the inability to do active transfers, and it was only an issue if you were using a port less than 1025.

I did some checking and even normal FTP access requires a shell account of some sort. I added the item you mentioned before in /etc/shells. I also added /bin/false to the list, as this would be able to create an FTP-only user. SFTP won’t work using this but FTPS and normal FTP will. Supposedly /bin/true will also work for this. In both respects the user will successfully connect, see the current MOTD file (if any), and then get disconnected when attempting to connect via SSH.

(I’m going to go off-topic for a bit)

Just so you know this is the contents of my /etc/motd file. Pretty standard stuff.

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.
This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.

I am probably going to put a similar message for the ftp too.
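For readers following this thread, here is a proftpd.conf fragment that combines the suggestions above in one place. It is an added illustration, not configuration posted by anyone in the thread: the port change and RootRevoke come from the later posts, the `<Limit LOGIN>`/DenyUser block is the standard mod_core way to do the "disallow Administrator" that was suggested, and MaxLoginAttempts, TimeoutLogin and RequireValidShell are standard ProFTPD directives I have added on my own (their values here are my choices, not anything from the thread).

```apacheconf
# Added example fragment for proftpd.conf (ProFTPD 1.2.x / 1.3.x syntax).
# Not taken from any post in this thread; directive values are assumptions.

# Move the listener off port 21, as done in the thread, and drop root
# privileges once bound.  With a port above 1024 the daemon no longer needs
# root at all, so a bug in the daemon yields an unprivileged process.
Port                2121
RootRevoke          on

# Cut off a connection after a few bad passwords instead of letting one
# session walk a wordlist, and do not keep a half-finished login open long.
# (Both are standard mod_core directives; 3 and 60 are my chosen values.)
MaxLoginAttempts    3
TimeoutLogin        60

# Only accounts whose login shell appears in /etc/shells may log in.  With
# /bin/false listed in /etc/shells, as described above, FTP-only accounts
# still work while the account cannot be used for an interactive SSH login.
RequireValidShell   on

# Reject the probed username in the config itself.  The check happens in
# the LOGIN limit before proftpd consults /etc/passwd or the iworx database,
# which is the resource saving the earlier reply describes.  AllowAll keeps
# every other user's login path unchanged; under the default
# "Order allow,deny" a matching DenyUser overrides it.
<Limit LOGIN>
    DenyUser        Administrator
    AllowAll
</Limit>
```

Pair this with whatever BFD is already doing: the config change only makes each rejected attempt cheaper and faster, while BFD still removes the source after repeated failures.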