# FTPD on FreeBSD



## hockey97 (May 21, 2015)

Hi, I need help on how to make my FTP server more secure.

 Recently, seen in some log files where attempts to hack my mail servers occurred. I did a google search on the ip and my ip and domain name. I found a few websites that specializes in hacking. I notice there's a person that is close to me that is making attempts to hack my servers. 

 I have apache, postfix, dovecot all using SSL.  The FTP server isn't using SSL. I just put in the rc.conf file to enable the ftpd server. The server works. I just now need help to figure out how to set it up to use ssl and where are the log files? I need to know where the log files are located and if not enabled how to enable them? 

 From what I hear and see, It  looks like they didn't succeed on hacking any of my servers. I would appreciate any help. 

Thank you for your time,
hockey97


----------



## SirDice (May 21, 2015)

Most of these attempts come from infected machines and are highly automated. SSL isn't going to stop anyone from trying to break in. The only thing SSL will do is make it a lot more difficult for somebody to read your network traffic. But unless somebody works at your ISP it's highly unlikely they're in a position to eavesdrop. Even switching from FTP to SFTP (not FTPS, there is a difference) won't stop the attempts. Getting brute-force attempts is just a fact of internet life. You're not being singled out, about 90% (perhaps even more) of the attempts are automated and are caused by infected machines. You just have to deal with them. 

That said, FTP is a bad protocol, it's old and all communication is in the clear. In this regard SFTP is a better alternative, this is FTP running over SSH, giving you the added security of SSH (key authentication, encryption, etc). But you'd still get automated brute-force attempts, only this time it's going to be SSH that's attacked. To combat brute-force attacks you could install something like security/py-fail2ban or security/sshguard. This still won't stop the attacks from happening but at least you can manage them.


----------



## hockey97 (May 21, 2015)

SirDice said:


> Most of these attempts come from infected machines and are highly automated. SSL isn't going to stop anyone from trying to break in. The only thing SSL will do is make it a lot more difficult for somebody to read your network traffic. But unless somebody works at your ISP it's highly unlikely they're in a position to eavesdrop. Even switching from FTP to SFTP (not FTPS, there is a difference) won't stop the attempts. Getting brute-force attempts is just a fact of internet life. You're not being singled out, about 90% (perhaps even more) of the attempts are automated and are caused by infected machines. You just have to deal with them.
> 
> That said, FTP is a bad protocol, it's old and all communication is in the clear. In this regard SFTP is a better alternative, this is FTP running over SSH, giving you the added security of SSH (key authentication, encryption, etc). But you'd still get automated brute-force attempts, only this time it's going to be SSH that's attacked. To combat brute-force attacks you could install something like security/py-fail2ban or security/sshguard. This still won't stop the attacks from happening but at least you can manage them.



Well found a person on the website hackforums.net asking questions using my ip and domain name. He scanned my ports and failed to find the netbios port opened. He is learning how to hack and is very aggressive and determined to hack.

He claims to have my username and password and yes  both aren't hard. I am thinking to change my password. However, I fear that one day the person is going to have full access to my FTP server on FreeBSD.

Is there any way for the FTP server to accept or restrict networks access? Is there a way to white list ip's and mac addresses with the FTP server built in FreeBSD?


----------



## Remington (May 21, 2015)

You can block his IP address in your firewall or use security/py-fail2ban.

FTP should never be used and should remain off.  SFTP is secure and more secure with a public/private key and a password will not be needed.  It'll be extremely difficult for him to hack into your server without a key.

If you're not going to be proactive in protecting your server then it'll be a matter of time before he breaks into your server and who knows what he'll do with it.


----------



## hockey97 (May 21, 2015)

Remington said:


> You can block his IP address in your firewall or use security/py-fail2ban.
> 
> FTP should never be used and should remain off.  SFTP is secure and more secure with a public/private key and a password will not be needed.  It'll be extremely difficult for him to hack into your server without a key.
> 
> If you're not going to be proactive in protecting your server then it'll be a matter of time before he breaks into your server and who knows what he'll do with it.




So, how would I enable SFTP? So, will it make it harder for him to break in?  There's no way to whitelist my ip addresses and mac addresses?


----------



## Remington (May 21, 2015)

First you need to generate a SSH key and configure your /etc/sshd.conf.  Read this guide.
https://www.digitalocean.com/commun...-key-based-authentication-on-a-freebsd-server

If you're using Windows then I would suggest you to download SFTP client, WinSCP from http://www.winscp.net, and select SFTP and add the public key.  You should be able to login to your server securely.

Yes it will make it difficult for him to break into your server without a key.


----------



## gkontos (May 21, 2015)

hockey97 said:


> He claims to have my username and password and yes  both aren't hard. I am thinking to change my password.


Sometimes, I get very confused reading...


----------



## hockey97 (May 22, 2015)

I tried to install security/py-fail2ban but ran into problems. I couldn't installed due to pkg being the old format. I read on FreeBSD forums that I needed up `portupgrade` pkg and then do a `pkg2ng`.

I followed this: https://forums.freebsd.org/threads/solved-pkg-update-failure.48287/

It says to use `portupgrade pkg`. I did this and everything was fine but I got a message saying libpkg is conflicting and should be upgraded.

So, I did `portupgrade libpkg` and now my server is semi-working. It looks like it upgraded mysql from 5.5 to now 5.6. I had gnome2 installed on my server. Now, that isn't working at all. It just happened.

Are there any rollback commands for the portupgrade?


----------



## Remington (May 23, 2015)

First, you need to turn off your FTP and do the SSH key.  This is far more important.  If you don't secure your server first then fail2ban will not help since hackers change their IP addresses all the time to get around the firewall.  Few people here have already told you to do that because we work in IT managing and securing servers.  Fail2ban is difficult to setup since it requires working knowledge of firewall such as PF or IPFW.  If you don't understand any of this then I highly suggest you to stick with SSH key and it is much easier to work with until you have full understanding how fail2ban, PF or IPFW works.

First, do the SSH authentication key then you can use SFTP securely.  It functions exactly the same as FTP and its secured.  You can login to your server with SSH authenticated key and there is no need to use the password.

Second, study PF or IPFW and set them up so you can close all ports except 22 for SSH.

Third, once you understand PF or IPFW then you can implement fail2ban to monitor the logs for SSH attacks and fail2ban can issue blacklisted IP address to PF or IPFW table.  That will stop SSH attacks at the firewall and SSH server will not see them anymore.


----------

