I see lots of failed FTP login attempts in my log file. How do I stop FTP bruteforce attack? What should I do to solve this problem under FreeBSD 7.x server operating systems?
You can easily stop bruteforce attacks by limiting connections per IP using pf firewall under FreeBSD or OpenBSD.
# vi /etc/pf.conf
Update it as follows:
# the lists of known FTPD attackers table <ftp-attacks> persist file "/etc/pf.ftp.block.list" # block all incoming connections from attackers on FTPD block in quick on $ext_if from <ftp-attacks> # Let us allow FTP with bruteforce protection pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 21 keep state (max-src-conn-rate 5/40, overload <ftp-attacks> flush global)
Above will block FTP connections more than 5 times in 40 seconds. Also append the following line to /etc/rc.shutdown to keep changes after the reboot:
# echo '/sbin/pfctl -t ftp-attacks -T show > /etc/pf.ftp.block.list' >> /etc/rc.shutdown
Finally, reload pf firewall:
# /etc/rc.d/pf reload
To list currently blocked IP (attackers IP), enter:
# pfctl -t ftp-attacks -T show