Ticket #265 (investigate enhancement)

Opened 16 months ago

Last modified 6 weeks ago

FTP-Autoban for certain IP after failed attempts

Reported by: Decodecoding@… Owned by:
Priority: normal Milestone:
Component: fon-network Version: N/A
Severity: normal
Cc: Hardware: both

Description

My fonera's ftp server is suffering a brute force attack. So far they're trying the wrong username (Administrator) but it would be nice to have that IP banned for some hours after 5 failed attempts, as ssh has.

Change History

Changed 3 months ago by matthijs

  • milestone Requests deleted

Changed 6 weeks ago by JoepieNL

What happened to this extremely useful request?

Requests deleted ???

Changed 6 weeks ago by matthijs

  • status changed from new to investigate
  • severity set to normal
  • component changed from fon-base-firmware to fon-network
  • hardware set to both
  • version set to N/A
  • type changed from request to enhancement

Request deleted means that I've deleted the milestone called "Request", which didn't really make sense. This ticket still needs review, just like a lot more. But while I'm here, I'll have a look :-)

It would make sense to add a restriction like this. However, the way the SSH limit works is to limit the number of connections, not the number of failed attempts. AFAIK, FTP is a pretty connection-heavy protocol: it might open up a new connection for every transfer and every directory listing. This means that limiting to 5 connections per minute (IIRC) is probably going to affect normal usage. A higher limit might work better, but I'm afraid that a limit that's high enough for normal usage will be too high to actually block an attacker.

The best solution would be to make ftpd (and also sshd and perhaps samba) notify some central component about failed attempts, so an address can be blacklisted. Or perhaps we could use some log-reading utility, like fail2ban.
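The failed-attempt counting described in the comment above, as an added example that is not part of the ticket or of the FON firmware. It reads constructed ftpd syslog lines (the "FAIL LOGIN: Client ..." wording and the year are assumptions, since the ticket names no log format), counts only failures per client address inside a sliding window, and reports which addresses to ban and until when; turning that into firewall rules is left to the caller.

```python
"""Failed-attempt counting for FTP logins, as the comment above proposes.
Added example, not FON firmware code: the syslog lines are constructed, the
"FAIL LOGIN: Client ..." wording is an assumed ftpd format, and the year is
assumed because syslog timestamps omit it."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Jan 10 12:00:01 fonera ftpd[812]: FAIL LOGIN: Client "203.0.113.7", user "Administrator"
Jan 10 12:00:03 fonera ftpd[813]: FAIL LOGIN: Client "203.0.113.7", user "Administrator"
Jan 10 12:00:04 fonera ftpd[814]: FAIL LOGIN: Client "198.51.100.22", user "alice"
Jan 10 12:00:05 fonera ftpd[815]: FAIL LOGIN: Client "203.0.113.7", user "Administrator"
Jan 10 12:00:06 fonera ftpd[816]: OK LOGIN: Client "198.51.100.22", user "alice"
Jan 10 12:00:07 fonera ftpd[817]: FAIL LOGIN: Client "203.0.113.7", user "Administrator"
Jan 10 12:00:09 fonera ftpd[818]: FAIL LOGIN: Client "203.0.113.7", user "Administrator"
Jan 10 12:00:30 fonera ftpd[819]: FAIL LOGIN: Client "192.0.2.5", user "bob"
Jan 10 12:04:30 fonera ftpd[820]: FAIL LOGIN: Client "192.0.2.5", user "bob"
Jan 10 12:08:30 fonera ftpd[821]: FAIL LOGIN: Client "192.0.2.5", user "bob"
Jan 10 12:12:30 fonera ftpd[822]: FAIL LOGIN: Client "192.0.2.5", user "bob"
Jan 10 12:16:30 fonera ftpd[823]: FAIL LOGIN: Client "192.0.2.5", user "bob"
"""

FAIL_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ ftpd\[\d+\]: '
    r'FAIL LOGIN: Client "(?P<ip>[0-9.]+)"')

def failed_logins(lines, year=2000):
    """Yield (timestamp, client_ip) for each failed login; other lines are ignored."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def ban_decisions(lines, threshold=5, window=timedelta(minutes=10),
                  ban_for=timedelta(hours=2)):
    """Return {ip: ban_expiry} for addresses with `threshold` failures inside `window`.
    Only failures count, so a busy legitimate client (one connection per
    transfer or listing) is never throttled, unlike a connection rate limit."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    bans = {}
    for ts, ip in failed_logins(lines):
        if ip in bans and ts < bans[ip]:
            continue  # already banned; the firewall should be dropping it by now
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            bans[ip] = ts + ban_for
            q.clear()
    return bans
```

With the defaults only 203.0.113.7 is banned; 192.0.2.5 fails five times too, but four minutes apart, so never five inside the ten-minute window, which is the trade-off between window size and slow guessing that any such limit has to pick.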
