# FTP server being hacked



## jubutld (Jul 21, 2011)

i noticed in my log that my ftp is getting hacked.  thousands of unsuccessful attempts to connect.  All from the same IP.  Is there a way to automatically block an IP after like 10 unsuccessfull attempts at logging in?  they appear to change the user id on each try.

Thanks!!


----------



## rusty (Jul 21, 2011)

security/py-fail2ban


----------



## SirDice (Jul 21, 2011)

Depending on the FTP server security/sshguard can also protect FTP.


----------



## gordon@ (Jul 27, 2011)

Similar to the sshd thread found here: http://forums.freebsd.org/showthread.php?t=24869

If you are using pf(4), you can just use the following rules:


```
block quick from <bad_hosts>

# Allow ftp connections globally, but rate limited
pass in quick proto tcp from any to any port 21 keep state\
        (max-src-conn-rate 3/180, overload <bad_hosts> flush global)
```

The magic is in the max-src-conn-rate bit. This limits 3 connection attempts in 3 minutes. If more than that come in, it'll add the IP to the bad_hosts list and nuke any of their existing connections. No separate port installation needed. See pf.conf(5) for more information.


----------



## Crest (Jul 27, 2011)

This is an ugly kludge. You apply the same limits on legitimate users as on attackers. SSHGuard can parse the logs, detect attacks and filter the source IP addresses for common FTP servers.


----------

