Stop ftp brute force attacks using simple bash script

In one of the servers I am managing, I’ve noticed a lot of FTP login attempts recently (the server is running ncftp). The pattern of login failures is pretty straightforward, hence I’m using tail -f combined with grep to monitor /var/log/messages in real time and add the bad IPs to /etc/hosts.deny as soon as attacks are detected. It’s also a good idea to lower the maximum failure threshold in NcFTPd. This script has been tested on openSUSE, but it should run with little or no modification on other Linux systems. Here’s the code; don’t forget to change the admin’s email address.

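#!/bin/bash
DEBUG=0
LOG=/var/log/messages

# Read one IP address per line on stdin and deny each one not already listed.
ACTION() {
    DENY=/etc/hosts.deny
    ADMIN=change_to_admin@email.address
    while read -r line; do
        # Fixed-string, whole-word match: the dots are literal and
        # 1.2.3.4 does not match an existing entry such as 11.2.3.45
        if ! grep -qwF -- "$line" "$DENY"; then
            if [ "$DEBUG" -eq 1 ]; then
                echo "will append $line to $DENY"
            else
                echo "ALL:$line" >>"$DENY"
                [ -n "$ADMIN" ] && echo "$line" | \
                    mail -s "ftp attacks $(hostname -f):action taken" "$ADMIN"
            fi
        fi
    done
    # Change ALL to NcFTPd to block FTP access
}

# Quote "$line" so log text is never word-split or glob-expanded by the shell.
# Field 11 is the client address in this log format.
# tail -f keeps reading the same open file; use tail -F if the log is rotated.
tail -f "$LOG" | while read -r line; do echo "$line" | grep "Too many login failures from" | \
    awk 'BEGIN{FS="[ ;]+"} {print $11}' | ACTION; done &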
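
The script above appends whatever text lands in field 11 to /etc/hosts.deny. As an added example (not part of the original script), the functions below take the token that follows the message text instead of a field position, accept it only if it is a well-formed IPv4 address, and skip allowlisted addresses before appending. The function names, the ALLOW list and the sample log lines are constructed, and the log line layout is an assumption.

```bash
# Added example; function names, ALLOW and the sample lines are constructed.
ALLOW="127.0.0.1 192.0.2.10"   # addresses that must never be blocked

# Succeed only for a dotted quad with four octets in 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the address that follows the failure message, if it is valid IPv4.
extract_ip() {
    ip=$(printf '%s\n' "$1" |
         sed -n 's/.*Too many login failures from \([0-9.]*\).*/\1/p')
    valid_ipv4 "$ip" && printf '%s\n' "$ip"
}

# Append "ALL:<ip>" to deny file $2 unless allowlisted or already listed.
block_ip() {
    for ok in $ALLOW; do
        [ "$1" = "$ok" ] && return 1
    done
    grep -qxF "ALL:$1" "$2" && return 1
    printf 'ALL:%s\n' "$1" >>"$2"
}

# Read log lines on stdin; print each address newly added to deny file $1.
process_log() {
    while IFS= read -r line; do
        ip=$(extract_ip "$line") || continue
        block_ip "$ip" "$1" && printf '%s\n' "$ip"
    done
    return 0
}

# Constructed sample input: a repeat, an allowlisted host, two malformed values.
sample_log() {
    p='Jan  5 10:00:01 host ncftpd[1234]: Too many login failures from'
    for a in 203.0.113.7 203.0.113.7 192.0.2.10 999.1.1.1 unknown 198.51.100.23; do
        printf '%s %s; closing\n' "$p" "$a"
    done
}

deny=$(mktemp) && sample_log | process_log "$deny"; rm -f "$deny"
```

To use it live, feed `process_log /etc/hosts.deny` from the `tail` pipeline in place of the `grep | awk | ACTION` stage, and put your own management addresses in ALLOW.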