I noticed in my log that my ftp is getting hacked. Thousands of unsuccessful attempts to connect. All from the same IP. Is there a way to automatically block an IP after like 10 unsuccessful attempts at logging in? They appear to change the user id on each try.
If you are using pf(4), you can just use the following rules:
Code:
block quick from <bad_hosts>
# Allow ftp connections globally, but rate limited
pass in quick proto tcp from any to any port 21 keep state \
    (max-src-conn-rate 3/180, overload <bad_hosts> flush global)
The magic is in the max-src-conn-rate bit. This limits 3 connection attempts in 3 minutes. If more than that come in, it'll add the IP to the bad_hosts list and nuke any of their existing connections. No separate port installation needed. See pf.conf(5) for more information.
This is an ugly kludge. You apply the same limits on legitimate users as on attackers. SSHGuard can parse the logs, detect attacks and filter the source IP addresses for common FTP servers.
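As an added illustration (not code from any poster in this thread, and not SSHGuard's own implementation), the log-based approach from the last reply can be sketched in Python: count failed logins per source address in a sliding window, ignore successful sessions, and emit pfctl commands for the bad_hosts table used above. The log line format, sample addresses, thresholds and function names are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Constructed log format (an assumption; adapt the regex to your FTP daemon):
#   "<epoch> ftpd[pid]: FTP LOGIN FAILED FROM <host>, <user>"
FAIL_RE = re.compile(r"^(\d+) ftpd\[\d+\]: FTP LOGIN FAILED FROM (\S+), \S+$")

def offenders(lines, max_failures=10, window=600):
    """Return source IPs that reach max_failures failed logins within window seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent failures
    flagged = set()
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if not m:
            continue              # successful logins and other lines are ignored
        ts, host = int(m.group(1)), m.group(2)
        try:
            ip = str(ipaddress.ip_address(host))
        except ValueError:
            continue              # never hand unvalidated log text to pfctl
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= max_failures:
            flagged.add(ip)
    return sorted(flagged)

def pfctl_commands(ips, table="bad_hosts"):
    """Commands that add each address to the pf table named in the block rule."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]

def sample_log():
    """Constructed sample: one guesser rotating user names, one busy legitimate client."""
    log = [f"{1000 + 5 * i} ftpd[4100]: FTP LOGIN FAILED FROM 203.0.113.7, user{i}"
           for i in range(12)]
    log += [f"{1000 + 10 * i} ftpd[4200]: FTP LOGIN FROM 198.51.100.4 as alice"
            for i in range(8)]
    log.append("1090 ftpd[4200]: FTP LOGIN FAILED FROM 198.51.100.4, alcie")
    log.append("1100 ftpd[4300]: FTP LOGIN FAILED FROM not-an-ip, root")
    return log

if __name__ == "__main__":
    for cmd in pfctl_commands(offenders(sample_log())):
        print(cmd)
```

The legitimate client in the sample opens eight sessions in under two minutes, which would exceed a 3/180 connection rate, but is not flagged here because only failed logins are counted.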