Comments on: BSD PF Firewall Block FTP Bruteforce Attacks

By: Marc

Marc — Sun, 30 Oct 2011 01:01:15 +0000

SSHGuard has an interesting comparison of the two approaches for reducing brute force attacks: with plain firewall, or at the application level.

By: SIFE

SIFE — Wed, 18 Nov 2009 22:58:15 +0000

Salamo Alikom
i have defined a table depend in file ,containt some ip’s to block like so :
table const file "/etc/pf/banned"

block in log (all) on $net_card from proto tcp from to any port $ports
but this does not work ,why ?

By: Shane

Shane — Thu, 13 Aug 2009 12:01:36 +0000

Hi Vivek,

Thanks for this. I will see if I can configure our FTP daemon to drop session after failed login.

Unfortunately we don’t have the luxury of dropping password logins, since we provide last minute adhoc access to clients (who are king in my line of work).

By: Vivek Gite

Vivek Gite — Thu, 13 Aug 2009 10:49:49 +0000

@Shane,

You can configure FTP to drop connection after each failed attempt.

Another, option is configure keys to login and drop password based login. Or just allow access to vpn authenticated session. Same goes to firewall port and only allow access from limited set of WAN and LAN IPs. However, this will create problem if someone is working from home or using dialup access.

Finally, strong password is required along with password aging. It all depends upon how much time and money you are willing to put…

By: Shane

Shane — Thu, 13 Aug 2009 09:36:23 +0000

Will this stop all the FTP brute forcers?

I see login attempts in the 10′s of thousands on our FTP servers, yet when I look at the number of states created from the attacker IP’s to our FTP servers, the total is often 1 per attacker/server.

It seems that they open one TCP connection and then keep trying usernames and passwords through that one connection.