# ftpd, any way to limit logins?



## JaredN (Apr 12, 2009)

I'm pretty much a FreeBSD noobie and was curious if there was a way to limit the # of incorrect logins someone can have before denying attempts for say, 5 minutes or so? 

Basically I'm getting dictionary attacked and I do have Anonymous FTP disabled.

Thanks for the help in advance!

-Jared



```
Apr  7 03:47:23 FreeBSD ftpd[97693]: FTP LOGIN FAILED FROM gecko.npgx.com.au, Administrator
Apr  7 03:47:24 FreeBSD ftpd[97694]: FTP LOGIN FAILED FROM gecko.npgx.com.au, Administrator
Apr  7 03:47:25 FreeBSD ftpd[97695]: FTP LOGIN FAILED FROM gecko.npgx.com.au, Administrator
Apr  7 03:47:25 FreeBSD ftpd[97696]: FTP LOGIN FAILED FROM gecko.npgx.com.au, Administrator
Apr  7 03:47:41 FreeBSD last message repeated 5 times
```


----------



## anomie (Apr 12, 2009)

Before we get into that, is ftp an absolute requirement for your situation? i.e.: Could your users be equally satisfied with sftp? If so, I'd strongly recommend moving in that direction. Keep in mind that authentication credentials are sent in _clear text_ over ftp, so it may be that someone can grab an account pretty easily. Additionally, there is a whole genre of utilities for ssh/sftp (e.g. security/denyhosts) that will lock out users after enough failed attempts. 

If ftp with shell user authentication is indeed a requirement, then the short answer to your question is: I don't know of a utility that scans ftp.log and reacts based on failed attempts (but it should be trivial enough to write something). PAM might have an answer for you as well, but I haven't done the research to confirm that. 

I'd start looking at other ways you can lock this down such as tightening your packet filtering ruleset and ensuring that user accounts and ftpd itself are somewhat "hardened". If you describe your usage scenario some more, maybe folks can help with advice.
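The log scan mentioned in the post above (count failed ftpd logins per host inside a time window), as an added example that is not part of the original thread and is not how security/sshguard or any other tool is implemented. The function name `find_offenders`, the 5-failures-in-5-minutes defaults (taken from the question), the `year` parameter and the sample lines after the five quoted in the first post are assumptions made for illustration; the code only reports hosts and blocks nothing.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog prefix: "Apr  7 03:47:23 <hostname> "
TS = r"(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+"
FAILED = re.compile(TS + r"ftpd\[\d+\]: FTP LOGIN FAILED FROM (?P<host>[^,\s]+)")
REPEAT = re.compile(TS + r"last message repeated (?P<n>\d+) times")

# First five lines are the ones quoted in the thread; the last three are constructed.
SAMPLE_LOG = """\
Apr  7 03:47:23 FreeBSD ftpd[97693]: FTP LOGIN FAILED FROM gecko.npgx.com.au, Administrator
Apr  7 03:47:24 FreeBSD ftpd[97694]: FTP LOGIN FAILED FROM gecko.npgx.com.au, Administrator
Apr  7 03:47:25 FreeBSD ftpd[97695]: FTP LOGIN FAILED FROM gecko.npgx.com.au, Administrator
Apr  7 03:47:25 FreeBSD ftpd[97696]: FTP LOGIN FAILED FROM gecko.npgx.com.au, Administrator
Apr  7 03:47:41 FreeBSD last message repeated 5 times
Apr  7 03:50:02 FreeBSD ftpd[97710]: FTP LOGIN FAILED FROM host.example.net, someuser
Apr  7 03:55:00 FreeBSD sshd[97720]: constructed non-ftpd line
Apr  7 03:55:30 FreeBSD last message repeated 3 times
""".splitlines()

def find_offenders(lines, max_failures=5, window=timedelta(minutes=5), year=2009):
    """Map each host to the time it first reached max_failures within window."""
    recent = defaultdict(deque)   # host -> timestamps of failures still in the window
    offenders = {}
    last_host = None              # set only while the previous line was an ftpd failure
    for line in lines:
        failed, repeat = FAILED.match(line), REPEAT.match(line)
        if failed:
            m, host, count = failed, failed["host"], 1
        elif repeat and last_host:
            # syslog collapsed identical failures; credit them to the same host
            m, host, count = repeat, last_host, int(repeat["n"])
        else:
            last_host = None      # unrelated line: a later "repeated" is not ours
            continue
        last_host = host
        # syslog timestamps carry no year, so the caller supplies one
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[host]
        q.extend([when] * count)
        while when - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= max_failures:
            offenders.setdefault(host, when)
    return offenders

if __name__ == "__main__":
    for host, when in find_offenders(SAMPLE_LOG).items():
        print(f"{host} reached the failure limit at {when}")
```

The "last message repeated" line has to be counted: in the quoted log it accounts for five of the nine failures, and without it the host would stay under a limit of five.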


----------



## JaredN (Apr 12, 2009)

Actually I'm just doing this for fun.  Myself and a couple other people use the ftp server and I'm mainly just using this box to learn more.  I definitely could do sftp instead (which will most likely be the next step) but I wanted to start with the basics, as it were.  I am aware that ftp is unsecure and cleartexts passwords but at this point I'm not worried about the data on the system as much as I am in learning ABOUT the system.  That way, in the future, I'll be able to implement better security practices and know from experience the pros and cons of a solution that I choose.

Thanks for the fast response


----------



## anomie (Apr 13, 2009)

In that case, let me suggest a simple approach to help cut down on illegitimate ftpd access attempts. (Read: this isn't a comprehensive solution, but I consider it low hanging fruit.) 

Back up your existing /etc/hosts.allow file, and then replace its contents with only: 

```
ftpd : .friend.isp.domain : allow
ftpd : .other.friend.isp.domain : allow
ftpd : ALL : deny
```

I'm presuming that would be easy information to get about your friends. You can add as many entries as are needed. (If you're able to get reliable IP address info, even better -- those can be used with PF or IPFW rulesets.) 

Finally, be sure to read the ftpd(8) manpages. There are some useful mechanisms available that might help, depending on your needs: 

- /etc/ftpchroot
- nologin shell
- extra logging with -l option
- no RETR with -o option
- etc.


----------



## JaredN (Apr 13, 2009)

I didn't want to only allow specific IPs because sometimes I connect remotely, from a hotel, who knows. I really just wanted to prevent against an obvious brute-force attack. Yesterday I ended up just denying the specific IP in question for the day in the hosts.allow file.

I ended up using sshguard for a permanent solution at the recommendation of a friend. I believe it's all set up correctly but I'll have to wait for the next brute forcer to try.

Thanks for all of the help and your suggestions!


----------



## edhunter (Apr 21, 2009)

Try it yourself.
Make four bad logins from a non-whitelisted host. And on the fifth you won't be able to connect to the machine at all.

I'm using ssh-guard too.


----------



## SirDice (Apr 21, 2009)

Indeed, security/sshguard will also monitor FreeBSD's ftpd. I'm using it for my ssh, I've never run ftpd. Works fine, it's easy to set up and keeps my logs nice and clean.


----------

