vsftpd banner

Printable View

17-09-2008, 08:01
thE_29

vsftpd banner

Well!
Since some months, a guy is annoying me. Or lets say, my vsftpd server!

He tries to login at my ftp server via bruteforce attack.
So i build a programm (c++) to ban such attempts!

It can be downloaded at ftp://ipkg:ipkg@the29.ath.cx/vsftpd_banner_thE29.ipk
(just ipkg install url)
It installs a binary file to /opt/bin called vsftpd_banner

When you start the program, it waits for NEW log lines at /opt/var/log/vsftpd.log (you can change this via parameter).
If the line contains FAIL LOGIN it parses out the IP + username. If the same IP was not able to login after 3 attempts, it bans the IP.
The auto release is after 10 minutes.
Most of these parameters you can change.
Just say vsftpd_banner --help to show the parameter.

I start the program this way: "vsftpd_banner -lf:/opt/var/log/ban_vsftpd.log &"
So the program logs to ban_vsftpd.log (all other things are default).

Here is my log from yesterday:

Quote:

Wed Sep 17 01:43:37 2008: Failed login attempt: Wed Sep 17 01:43:36 2008 [pid 6862] [Administrator] FAIL LOGIN: Client "87.241.52.130"
Wed Sep 17 01:43:37 2008: New Fail user registered: Administrator IP: 87.241.52.130
Wed Sep 17 01:43:40 2008: Failed login attempt: Wed Sep 17 01:43:39 2008 [pid 6862] [Administrator] FAIL LOGIN: Client "87.241.52.130"
Wed Sep 17 01:43:40 2008: Found user: Administrator with IP: 87.241.52.130 and error cnt 1 in list!
Wed Sep 17 01:43:40 2008: Raise user error count(2): 87.241.52.130[Administrator]
Wed Sep 17 01:43:42 2008: Failed login attempt: Wed Sep 17 01:43:41 2008 [pid 6862] [Administrator] FAIL LOGIN: Client "87.241.52.130"
Wed Sep 17 01:43:42 2008: Found user: Administrator with IP: 87.241.52.130 and error cnt 2 in list!
Wed Sep 17 01:43:42 2008: Raise user error count(3): 87.241.52.130[Administrator]
Wed Sep 17 01:43:42 2008: BAN this ass with IP: 87.241.52.130
Wed Sep 17 01:53:45 2008: UNBAN user (Administrator) with IP: 87.241.52.130

The ban is not just for ftp! It bans the complete traffic from this IP via iptables.
17-09-2008, 10:18
darius

Quote:

Originally Posted by thE_29

Well!
Since some months, a guy is annoying me. Or lets say, my vsftpd server!

He tries to login at my ftp server via bruteforce attack.
So i build a programm (c++) to ban such attempts!

It can be downloaded at ftp://ipkg:ipkg@the29.ath.cx/vsftpd_banner_thE29.ipk
(just ipkg install url)
It installs a binary file to /opt/bin called vsftpd_banner

When you start the program, it waits for NEW log lines at /opt/var/log/vsftpd.log (you can change this via parameter).
If the line contains FAIL LOGIN it parses out the IP + username. If the same IP was not able to login after 3 attempts, it bans the IP.
The auto release is after 10 minutes.
Most of these parameters you can change.
Just say vsftpd_banner --help to show the parameter.

I start the program this way: "vsftpd_banner -lf:/opt/var/log/ban_vsftpd.log &"
So the program logs to ban_vsftpd.log (all other things are default).

Here is my log from yesterday:

The ban is not just for ftp! It bans the complete traffic from this IP via iptables.

Good idea.
I prefer shell script to do that job as it can be modified any time
and code is open source.
Could you rewrite your program as a shell script ?

Darius
17-09-2008, 10:43
thE_29

Well, i had a shell Script but the problem is to get noticed when the logfile grows and which lines are new!

With version 1.1 i will release the source code too (be sure, there is no callback or virus in it ;)).
The version 1.1 will resets the error count when the users(IP) login is successfully!

Edit: Here is the source: http://code.google.com/p/vsftpd-banner/
17-09-2008, 13:21
darius

Quote:

Originally Posted by thE_29

Well, i had a shell Script but the problem is to get noticed when the logfile grows and which lines are new!

With version 1.1 i will release the source code too (be sure, there is no callback or virus in it ;)).
The version 1.1 will resets the error count when the users(IP) login is successfully!

Edit: Here is the source: http://code.google.com/p/vsftpd-banner/

It doesn't matter if you run a script at time / as cron job
or run a program
to learn logfile size or what lines are new.
With file size and file date you can discover any size increase.
Running monitor daemon with properly set refresh time
you can get what you need -
latest lines in logfile
and with grep
if the new lines are relevant in your case.

And you still have control over your friend, who has forgotton password.

Yahoo implemented many such automagically run scripts
and sending e-mail to yourself, sometimes get it delivered into
spam folder of your mailbox.

Darius
17-09-2008, 14:45
thE_29

Well, my program is just running ;) Not via daemon!

The main problem is, that you have to know which lines are new! So you have to count the old lines and compare it to the amount of the old lines.

In here is the problem! My log files are sometimes bigger then 100MB and every (my program refreshes every 2.5 seconds) 2.5s reading a complete file to get the amount of the lines, isnt very clever ;)

So i decided to write a program (at least my job is software designer, i knew what i was doing ;))
22-09-2008, 09:45
lordu

can you make a sort how-to also ?
22-09-2008, 12:35
thE_29

I will make one at the weekend, because i am travelling to den haag for some days!
Be back at weekend.
25-09-2008, 08:06
ecori

I tried to use your program, since I don't like other people to sniff around my files :), and I think it is a good idea to keep them from trying. When I check the log made by your application, it reports:

Wed Sep 24 17:25:01 2008: Startup: Wed Sep 24 17:25:01 2008

Wed Sep 24 17:25:01 2008: /opt/var/log/vsftpd.log 718026656
Wed Sep 24 17:25:01 2008: Could not open /opt/var/log/vsftpd.log!
Aborting...

Probably I made some stupid mistake. I think vsftpd_banner can open the log file, since it writes to it, however it is aborting....
Perhaps a note in the manual you are making could help me?
Thanks for your efforts and making them available to the board,
Ecori;)
30-09-2008, 07:54
thE_29

@ecori: Your log file size is ~684MB?
Maybe moving the old one and try a smaller one would avoid this problem!

But i wonder why it should be a problem... I will test it with such a file.

@lordu: I hope i have time today, to make a howto!
13-10-2008, 08:11
thE_29

As i have not much time the last days here are some news:

.) vsftpd_banner is not anymore

.) log_banner is a new project which has more features
-> can read /tmp/syslog.log
-> can watch for more programs in one log
-> can also read the vsftpd.log

The program is working. But parsing the conf file is a little problem. So i hope i have enough time this week, to finish it!
I also will give a HowTo for the log_banner.

Here is the source: http://code.google.com/p/log-banner/