Need a script to drop multiple ftp login attempts

Discussion in 'Tomato Firmware' started by LanceMoreland, Aug 13, 2011.

  1. LanceMoreland

    LanceMoreland Network Guru Member

    I am looking for a script that would drop or block ip's that are attempting to log on to my ftp drive using admin as the user name after a given number of failed attempts. I have been using "iptables -I FORWARD -d 124.160.67.0/24 -j DROP" in the firewall script area but that is after the fact. I would like a script that would automatically block the ip address for more than 5 failed attempts. Can anyone help me with that?
     
  2. dkirk

    dkirk Network Guru Member

  3. ntest7

    ntest7 Network Guru Member

    Here's a little firewall script that limits the number of connections. This isn't able to distinguish legit/successful from failed logins, so the trick is to block hosts that make "too many" connections. A long blocking period isn't necessary as most attack bots will give up after just a couple minutes.

    Add the following to your Administration-Scripts-Firewall page and reboot. Any host making more than --hitcount attempts during --seconds will be auto-blocked until they go away for --seconds.

    The example below blocks any host that makes more than 10 connections during a 10 minute period (most bots will make 10 connections within a few seconds). Adjust as needed.

    Code:
    # new chain that tracks connecting hosts with the "recent" match
    iptables -N LIMIT
    # record (or refresh) the source address in the "vlimit" list
    iptables -A LIMIT -m recent --set --name vlimit
    # drop once this source has been seen --hitcount times within --seconds
    iptables -A LIMIT -m recent --update --seconds 600 --hitcount 10 --name vlimit -j DROP
    # send every new inbound FTP connection arriving from the WAN through LIMIT
    iptables -I wanin -p tcp --dport 21 -m state --state NEW -j LIMIT
    (I didn't test the above syntax fully; you might need to make some minor tweaks. You can find lots of examples by googling something like "block brute force with iptables")
     
  4. LanceMoreland

    LanceMoreland Network Guru Member

    Thank you. Just what I was looking for.
     
  5. kthaddock

    kthaddock Network Guru Member

    I have tested this and it seems not to work; maybe I'm missing something.
    I put that in "firewall" and hit "save", and turned internal protect off.
     
  6. LanceMoreland

    LanceMoreland Network Guru Member

    Not sure what you mean by: "turned internal protect off" What protection?
     
  7. kthaddock

    kthaddock Network Guru Member

    Limit Connection Attempts SSH / Telnet every 6 seconds 40

    Limit Connection Attempts every 6 seconds 40
     
  8. LanceMoreland

    LanceMoreland Network Guru Member

    Well it didn't work for me either. I had hundreds of logon attempts to my ftp drive today from the same IP. Anyone have a script that is working?
     
  9. ntest7

    ntest7 Network Guru Member

    Please describe your setup better. Is the ftp an internal site that your tomato forwards to? Are you running one of the tomato mods that includes an ftp server?
     
  10. LanceMoreland

    LanceMoreland Network Guru Member

    I am running Teddy Bears Tomato USB on a Netgear WNR3500L. The router forwards to a Western Digital Worldbook NAS drive with ftp services set up on it. I am currently trying this script to see if it will stop the attacks:

    iptables -N SSH_CHECK
    # "-m state" needs "--state"; without it iptables rejects the rule
    iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j SSH_CHECK
    iptables -A SSH_CHECK -m recent --set --name SSH
    iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

    I know that I could change the port to eliminate a good percentage of them but I would like to keep it on the default port 21 if possible. Dumping the client connection after 3 or 4 failed attempts is the goal.
     
  11. ntest7

    ntest7 Network Guru Member

    You might need to use "-A wanin" rather than "-A INPUT", but otherwise it should work. The script I posted at the top of this thread works too.

    Be aware the firewall counts connections, not failed attempts. Note the difference between "connections" and "failed attempts".
     
  12. LanceMoreland

    LanceMoreland Network Guru Member

    For others that may need this, I have a script now that seems to be working. I can see that an IP has attempted to connect with my ftp site but the log is not full of hundreds of failed logon attempts. So I believe it is working.

    iptables -N SSH_CHECK
    # Tomato's chain is lowercase "wanin" (chain names are case-sensitive), and
    # "-m state" needs "--state"
    iptables -A wanin -p tcp --dport 21 -m state --state NEW -j SSH_CHECK
    iptables -A SSH_CHECK -m recent --set --name SSH
    iptables -A SSH_CHECK -m recent --update --seconds 300 --hitcount 4 --name SSH -j DROP
     
  13. LanceMoreland

    LanceMoreland Network Guru Member

    Well, I spoke too soon. I have 1000's of log entries like this. Any idea how to kick them?

    2011/09/05 23:45:09 [admin] FAIL LOGIN: Client "113.105.128.254"
    2011/09/05 23:45:08 [admin] FAIL LOGIN: Client "113.105.128.254"
    2011/09/05 23:45:08 [admin] FAIL LOGIN: Client "113.105.128.254"
    2011/09/05 23:45:07 [admin] FAIL LOGIN: Client "113.105.128.254"
    2011/09/05 23:45:07 [admin] FAIL LOGIN: Client "113.105.128.254"
    2011/09/05 23:45:06 [admin] FAIL LOGIN: Client "113.105.128.254"
    2011/09/05 23:45:06 [admin] FAIL LOGIN: Client "113.105.128.254"
    2011/09/05 23:45:06 [admin] FAIL LOGIN: Client "113.105.128.254"
    2011/09/05 23:45:05 [admin] FAIL LOGIN: Client "113.105.128.254"
    2011/09/05 23:45:05 [admin] FAIL LOGIN: Client "113.105.128.254"
     
  14. EOC_Jason

    EOC_Jason Networkin' Nut Member

    Here's some code I found a while back (haven't implemented), maybe you can alter it to your needs... (this code is relevant for SSH failed logins)

     
  15. kthaddock

    kthaddock Network Guru Member

    I'm testing this script but I don't know if it's working.

    Code:
    # first attempt: "-m tcp multiport" is not a valid match, "--dports" needs
    # the multiport match, and "-j shlimit" jumps to a chain that is never
    # created (the chain defined below is "bruteprotect")
    wanf=`get_wanface`
    iptables -N bruteprotect
    iptables -A bruteprotect -m recent --set --name shlimit --rsource
    iptables -A bruteprotect -m recent ! --update --seconds 60 --hitcount 4 --name shlimit --rsource -j RETURN
    iptables -A bruteprotect -j LOG --log-prefix "[DROP SHLIMIT] : " --log-tcp-options --log-ip-options
    iptables -A bruteprotect -j DROP
    iptables -I INPUT 3 -i $wanf -p tcp -m tcp multiport --dports 21:23,3389,2222,1194 -j shlimit
    iptables -I FORWARD 4 -i $wanf -p tcp -m tcp --dports 21:23,3389,2222,1194 -j shlimit
    iptables -D FORWARD `iptables --line-numbers -nL FORWARD | grep ESTABLISHED | tail -n1 | awk '{print $1}'`
    iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    Modified version
    Code:
    # second attempt: the multiport match is fixed, but the jumps still go to
    # the non-existent "shlimit" chain
    wanf=`get_wanface`
    iptables -N bruteprotect
    iptables -A bruteprotect -m recent --set --name shlimit --rsource
    iptables -A bruteprotect -m recent ! --update --seconds 60 --hitcount 4 --name shlimit --rsource -j RETURN
    iptables -A bruteprotect -j LOG --log-prefix "[DROP SHLIMIT] : " --log-tcp-options --log-ip-options
    iptables -A bruteprotect -j DROP
    iptables -I INPUT 3 -i $wanf -p tcp -m multiport --dports 21:23,3389,2222,1194 -j shlimit
    iptables -I FORWARD 4 -i $wanf -p tcp -m multiport --dports 21:23,3389,2222,1194 -j shlimit
    iptables -D FORWARD `iptables --line-numbers -nL FORWARD | grep ESTABLISHED | tail -n1 | awk '{print $1}'`
    iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    One more
    Code:
    # third version: the jumps now go to the "bruteprotect" chain that is created
    wanf=`get_wanface`
    iptables -N bruteprotect
    # remember the source address in the "shlimit" list
    iptables -A bruteprotect -m recent --set --name shlimit --rsource
    # fewer than 4 hits in 60 seconds: return to the calling chain (allowed)
    iptables -A bruteprotect -m recent ! --update --seconds 60 --hitcount 4 --name shlimit --rsource -j RETURN
    # otherwise log and drop
    iptables -A bruteprotect -j LOG --log-prefix "[DROP SHLIMIT] : " --log-tcp-options --log-ip-options
    iptables -A bruteprotect -j DROP
    # these rules match every packet to the listed ports, not only new
    # connections, so the accept rule for established traffic must come first
    iptables -I INPUT 3 -i $wanf -p tcp -m multiport --dports 21:23,3389,2222,1194 -j bruteprotect
    iptables -I FORWARD 4 -i $wanf -p tcp -m multiport --dports 21:23,3389,2222,1194 -j bruteprotect
    # move the RELATED,ESTABLISHED accept rule to the top of FORWARD for that reason
    iptables -D FORWARD `iptables --line-numbers -nL FORWARD | grep ESTABLISHED | tail -n1 | awk '{print $1}'`
    iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
     
  16. LanceMoreland

    LanceMoreland Network Guru Member

    Thanks. I'll give this one a try and let you know if it works.
     
  17. LanceMoreland

    LanceMoreland Network Guru Member

    None of them worked for me. I still get the attacks.
     
  18. kthaddock

    kthaddock Network Guru Member

    Okay.
    I'm using the latest one and get no attacks; I have my SSH on port 2222 and the log is free from attacks.

    Do you have this enabled? Then you have all attempts in the log: "Log FTP requests and responses"
     
  19. LanceMoreland

    LanceMoreland Network Guru Member

    here is my latest ftp log while using one of the scripts above:

    2011/09/20 06:16:06 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:16:05 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:16:05 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:16:05 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:16:04 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:16:04 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:16:04 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:16:04 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:16:03 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:16:03 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:16:03 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:16:03 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:16:02 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:16:02 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:16:02 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:16:01 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:16:01 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:16:01 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:16:01 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:16:00 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:16:00 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:16:00 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:16:00 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:15:59 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:15:59 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:15:59 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:15:58 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:15:58 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:15:58 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:15:58 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:15:57 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:15:57 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:15:57 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:15:57 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/20 06:15:56 [admin] FAIL LOGIN: Client "94.76.210.224"
    2011/09/22 18:15:17 CONNECT: Client "84.22.179.178"
     
  20. ntest7

    ntest7 Network Guru Member

    Firewall rules limit connections and not login attempts. The attacker can try many many login attempts over one connection.

    How many connections do you see in your log snippet above? Looks like one to me.

    Firewall rules limit connections, not login attempts.

    I don't think the busybox ftpd has an option to limit login attempts per connection.
     
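    As an added example, not code from this thread or from Tomato, here is the log-side complement to the firewall rules discussed above. The iptables "recent" rules count connections, while the ftpd log records every failed login, so a client that opens one connection and fails many logins over it never reaches --hitcount. A small sh/awk script that reads the log format shown in the posts above can flag a client by failed logins within a time window and print (not execute) the matching block rules for the "wanin" chain named earlier in the thread. The sample log lines and the addresses 192.0.2.10 and 198.51.100.7 are constructed, and it is an assumption that the FTP log can be saved to a file the script reads; the thread does not confirm where busybox ftpd writes it.

```shell
#!/bin/sh
# Added example (not from the thread): a log-based ban list for the Tomato
# ftpd log format shown in the posts, complementing the connection-counting
# iptables rules. Needs only sh, awk and sort, so it can run on the router or
# on a PC against a saved copy of the log.

# Constructed sample in the thread's log format (newest first, as Tomato shows
# it). 192.0.2.10 makes ONE connection and then five failed logins over it;
# 198.51.100.7 is a legitimate user who mistyped a password twice.
SAMPLE_LOG='2011/09/20 06:16:06 [admin] FAIL LOGIN: Client "192.0.2.10"
2011/09/20 06:16:05 [admin] FAIL LOGIN: Client "192.0.2.10"
2011/09/20 06:16:05 [admin] FAIL LOGIN: Client "192.0.2.10"
2011/09/20 06:16:04 [admin] FAIL LOGIN: Client "192.0.2.10"
2011/09/20 06:16:03 [admin] FAIL LOGIN: Client "192.0.2.10"
2011/09/20 06:16:02 CONNECT: Client "192.0.2.10"
2011/09/20 05:09:55 [lance] FAIL LOGIN: Client "198.51.100.7"
2011/09/20 05:09:40 [lance] FAIL LOGIN: Client "198.51.100.7"
2011/09/20 05:09:30 CONNECT: Client "198.51.100.7"'

# count_connects IP: number of CONNECT lines for one client, i.e. what the
# "-m recent --hitcount" rules in this thread actually count. Reads stdin.
count_connects() {
    awk -v ip="$1" '/CONNECT: Client/ { c = $NF; gsub(/"/, "", c); if (c == ip) n++ }
                    END { print n + 0 }'
}

# find_offenders N W: print each client IP that has N or more FAIL LOGIN lines
# whose first and last fall within W seconds, however many connections those
# logins were spread over. Reads stdin; input order does not matter.
find_offenders() {
    awk '
    # days since 1970-01-01 for a Gregorian date (years >= 0); pure arithmetic
    # so it does not depend on mktime(), which busybox awk may lack
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
        if (m <= 2) y--
        era = int(y / 400)
        yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    /FAIL LOGIN: Client/ {
        split($1, D, "/"); split($2, T, ":")
        epoch = days_from_civil(D[1] + 0, D[2] + 0, D[3] + 0) * 86400
        epoch += T[1] * 3600 + T[2] * 60 + T[3]
        ip = $NF; gsub(/"/, "", ip)
        print ip, epoch
    }' | sort -k1,1 -k2,2n | awk -v N="$1" -v W="$2" '
    {
        if ($1 != cur) { cur = $1; n = 0; flagged = 0 }   # new client: reset
        ts[++n] = $2
        # sliding window: the last N failures of this client span <= W seconds
        if (!flagged && n >= N && ts[n] - ts[n - N + 1] <= W) {
            print cur; flagged = 1
        }
    }'
}

# ban_rules: turn offender IPs (one per line on stdin) into iptables commands
# for the Tomato "wanin" chain named earlier in this thread. Printed rather
# than executed, so the list can be reviewed before it goes into the firewall.
ban_rules() {
    while read -r ip; do
        printf 'iptables -I wanin -s %s -p tcp --dport 21 -j DROP\n' "$ip"
    done
}

# Demo: 192.0.2.10 is flagged (5 failures in 3 seconds) even though it made
# only one connection, which is why a --hitcount 4 connection rule never fired.
printf '%s\n' "$SAMPLE_LOG" | find_offenders 4 60 | ban_rules
```

    On the router the same pipeline would be fed the real log instead of SAMPLE_LOG; a blocked address only needs to stay in the rule for a few minutes, as ntest7 noted, so the rules could be removed again by a cron job rather than kept permanently.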