how to stop FTP brute-force attacks with DenyHosts

We use DenyHosts on several servers to keep the annoying kids in the neighborhood from banging on the ssh door all day. This has been working fine for years. But getting it working for FTP or other authenticated services was thought to be impossible by some. It isn’t impossible – but it is a little tricky. Here is how it is done.

Based on a recent forum post, trial-and-error, and a few minor tweaks for optimization, the following two lines added to denyhosts.cfg did the trick:

SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|proftpd.*:) (?P<message>.*)
USERDEF_FAILED_ENTRY_REGEX=USER (?P<user>.*): no such user found from .*\[(::ffff:)?(?P<host>\S+)\]

By way of explanation, the first line re-defines the default SSHD_FORMAT_REGEX so that proftpd messages are examined for failures as well as sshd ones; the second line supplies the regexp that is then used to recognise a failed proftpd login and pull out the user name and the attacking host.

This is based on my proftpd 1.3.0 install that shows messages in /var/log/secure like:

Aug  8 05:30:00 sitename proftpd[31963]: sitename.com (123.123.123.1[123.123.123.1]) - USER Administrator: no such user found from 333.333.222.111 [333.333.222.111] to 123.123.123.1:21
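This added Python checker (not DenyHosts's own code) runs the two patterns above over a few constructed log lines in the format shown, tallies "no such user" failures per source host, and also exposes what the message group of SSHD_FORMAT_REGEX actually captures: the greedy proftpd.*: alternative runs to the last ": " on the line, which is worth knowing before adapting the pattern to other log formats. It assumes a constructed deny threshold of 2 and searches the second pattern over the whole line.

```python
import re
from collections import Counter

# The two patterns from denyhosts.cfg above, unchanged. DenyHosts is written in
# Python, so the (?P<name>...) groups compile as-is.
SSHD_FORMAT_REGEX = re.compile(r".* (sshd.*:|\[sshd\]|proftpd.*:) (?P<message>.*)")
USERDEF_FAILED_ENTRY_REGEX = re.compile(
    r"USER (?P<user>.*): no such user found from .*\[(::ffff:)?(?P<host>\S+)\]")

# Constructed sample lines in the /var/log/secure format shown in the post
# (invented addresses, not real traffic).
SAMPLE_LOG = """\
Aug  8 05:30:00 sitename proftpd[31963]: sitename.com (123.123.123.1[123.123.123.1]) - USER Administrator: no such user found from 333.333.222.111 [333.333.222.111] to 123.123.123.1:21
Aug  8 05:30:01 sitename proftpd[31964]: sitename.com (123.123.123.1[123.123.123.1]) - USER admin: no such user found from 333.333.222.111 [333.333.222.111] to 123.123.123.1:21
Aug  8 05:30:02 sitename proftpd[31965]: sitename.com (123.123.123.1[123.123.123.1]) - USER test: no such user found from ::ffff:10.0.0.7 [::ffff:10.0.0.7] to 123.123.123.1:21
Aug  8 05:30:03 sitename proftpd[31966]: sitename.com (123.123.123.1[123.123.123.1]) - USER bob: Login successful.
Aug  8 05:30:04 sitename crond[900]: (root) CMD (run-parts /etc/cron.hourly)
"""


def daemon_message(line):
    """Return the 'message' group SSHD_FORMAT_REGEX captures, or None.

    Note the greedy 'proftpd.*:' alternative: it extends to the LAST ': ' on
    the line, so on the sample lines the captured message begins after the
    user name rather than at 'sitename.com'.
    """
    m = SSHD_FORMAT_REGEX.match(line)
    return m.group("message") if m else None


def failed_logins(log_text):
    """Yield (user, host) for every line that passes the format regex and
    carries a proftpd 'no such user' failure. The (::ffff:)? group keeps the
    IPv4-mapped IPv6 prefix out of the host field."""
    for line in log_text.splitlines():
        if SSHD_FORMAT_REGEX.match(line) is None:
            continue  # not an sshd/proftpd line at all; DenyHosts skips these too
        f = USERDEF_FAILED_ENTRY_REGEX.search(line)
        if f:
            yield f.group("user"), f.group("host")


def hosts_to_deny(log_text, threshold=2):
    """Hosts with at least `threshold` invalid-user failures (the threshold
    is a constructed stand-in for a DenyHosts deny threshold setting)."""
    counts = Counter(host for _, host in failed_logins(log_text))
    return sorted(h for h, n in counts.items() if n >= threshold)
```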

Just adjust to taste for other log messages as needed. Then enjoy much smaller logfiles and the smug satisfaction of disappointing thousands of bots.

PS Of course, we must point out that disabling vanilla FTP and forcing everyone to use sftp would be preferable. But that doesn’t always sit well with the customer, so there you go.

A service of Onset Corps LLC, and your humble author and fellow journeyer Samuel Beam.