view · edit · print · history

How To Setup Automatic Blocking of IPs? Pounding on VSFTPD

My poor slug gets pounded on constantly by 'script kiddies' and the log files get very large and the whole thing is a bit offensive...:) So to defend poor 'Linky', I have finally installed this system to block those IPs?.

This is based upon a perl script originally written by 'destuxor' at: http://forums.gentoo.org/viewtopic-p-3282899.html and edited by 'TauRush?' in the same forum. The script runs periodically via cron and examines the vsftpd.log file for multiple failed login attempts. It then tells iptables to block the IP address and logs it to banned.log.

To do this, you need perl, iptables and cron. So use ipkg to install them. Make sure that the iptables kernel modules are inserted. Run 'depmod -a' to update the module dependency lists and then run 'modprobe iptable_filter' which should also insert ip_tables. Run 'lsmod' to make sure they show up.

#!/usr/bin/perl -w                                                               
# destuxor (wjholden@gmail.com) - 4/26/2006                                        
# TauRush (snakesandarrows@gmail.com) - 3/17/2007                                   
# A simple script to go through a VSFTPD log and block people who have              
# unsuccessfully attempted to log in.                                              

#configuration options:
$logfilename = '/var/log/vsftpd.log'; # location of your logfile.                   
$allow_exceptions = 1; # if you wish to specify a file to put exceptions into,      
                       # say 1 here, otherwise put 0.                               
$exception_file = '/var/log/banned.log';  # if you said 1 above, put your filename h
$max_failures = 5;    # maximum number of failures someone can have before          
                      # getting blocked.                                            
#end of configuration options                                                       

$command = 'grep \'FAIL LOGIN\' '.$logfilename.' | sed -r \'s/^.{0,}Client .//\' | s
ed -r \'s/\"//\' | uniq -c';                                                        

@connected_ips = `$command`;                                                        

undef %noblock;                                                                     
if ($allow_exceptions == 1) {                                                       
  open (FH, $exception_file) or die "$!\n";                                         
  @exceptions = <FH>;                                                               
  close (FH);                                                                       

foreach $ip (@exceptions) {                                                         
# Added by TauRush to chop LF character                                             
  chop ($ip);                                                                       
  $noblock{"$ip"} = 1;                                                              

foreach $host (@connected_ips)                                                      
  @info = split(/\s+/, $host);                                                      
  if (($info[1] > $max_failures) and !$noblock{$info[2]}) {                         
      system("/usr/sbin/iptables -I INPUT 1 -s $info[2] -j DROP");                  
# 3 lines added by TauRush to create banned.log file                                
      open FILE,">>$exception_file" or die "Unable to open file!\n";                
      print FILE "$info[2]\n";                                                      
 close FILE;                                                                        

So, paste the text above into a text file in /etc named 'banip.prl' and chmod it so it is executable 'chmod 777 /etc/banip.prl'. You should be able to run it and see if perl and iptables are installed and in the expected places. Be prepared to fix up the formatting so it looks like above and make sure that there are no leading blank lines.

Now, if things are ok so far, add an entry to crontab so that it runs every 2 minutes 'crontab -e' and the entry looks like '2 * * * * /etc/banip.prl'. Note that crontab launches 'vi' for a text editor so use 'i' to insert text, press ESC when you are done inserting text and enter ':w" to write it and ':q' to exit.

I did a 'touch /var/log/banned.log' to make sure that the file actually existed. The file must exist for the routine to work properly. It will indicate the error.

Now, if everything is working and the iptables kernel modules are actually inserted, the vsftpd.log table will be examined every 2 minutes and any IP addresses that fail more than 5 times will be banned and reported in the banned.log and your faithful slug will get some rest.

Note that this is how it worked out for Openslug-2.7-beta and the locations may be a bit different so just run the script and fix the errors, if any. Also, remember that the /etc directory is not in the PATH so you will have to use the full path and name to run the script from there. You could put it in usr/local/bin and avoid that problem. You can watch the contents on banned.log and vsftpd.log to see if it is working.

Many thanks to the people who have developed the script.

view · edit · print · history · Last edited by SDM485.
Originally by SDM485.
Page last modified on June 11, 2008, at 02:49 PM