Opened 10 years ago

Closed 6 years ago

#265 closed enhancement (duplicate)

FTP-Autoban for certain IP after failed attempts

Reported by: Decodecoding@…
Owned by:
Priority: normal
Milestone:
Component: fon-network
Version: N/A
Severity: normal
Cc:
Hardware: both

Description

My fonera's ftp server is suffering a brute force attack. So far they're trying the wrong username (Administrator), but it would be nice to have that IP banned for some hours after 5 failed attempts, such as ssh has.

Change History (4)

comment:1 Changed 9 years ago by matthijs

  • Milestone Requests deleted

comment:2 Changed 9 years ago by JoepieNL

What happened to this extremely useful request?

Requests deleted ???

comment:3 Changed 9 years ago by matthijs

  • Component changed from fon-base-firmware to fon-network
  • Hardware set to both
  • Severity set to normal
  • Status changed from new to investigate
  • Type changed from request to enhancement
  • Version set to N/A

Request deleted means that I've deleted the milestone called "Request", which didn't really make sense. This ticket still needs review, just like a lot more. But while I'm here, I'll have a look :-)

It would make sense to add a restriction like this. However, the way the SSH limit works is to limit the number of connections, not the number of failed attempts. AFAIK, FTP is a pretty connection-heavy protocol: it might open up a new connection for every transfer and every directory listing. This means that limiting to 5 connections per minute (IIRC) is probably going to affect normal usage. A higher limit might work better, but I'm afraid that a limit that's high enough for normal usage will be too high to actually block an attacker.

The best solution would be to make ftpd (and also sshd and perhaps samba) notify some central component about failed attempts, so an address can be blacklisted. Or perhaps we could use some log-reading utility, like fail2ban.
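As an added illustration of the distinction drawn in comment:3 (not part of the ticket and not Fonera firmware code), this Python example counts failed logins per address from a log, the way a log-reading utility would, and compares the result with a plain connection-rate limit. The log format, the 10-minute counting window, the 3-hour ban and the addresses are constructed assumptions; only the 5-attempt threshold and the 5-connections-per-minute figure come from the ticket.

```python
import re
from collections import defaultdict, deque

# Constructed log format (an assumption, not the Fonera ftpd's real output):
#   "<epoch-seconds> ftpd: <EVENT> from <ip> ..."
LINE = re.compile(r"^(\d+) ftpd: (CONNECT|LOGIN_OK|LOGIN_FAIL) from (\S+)")

MAX_FAILS = 5            # "5 failed attempts" from the ticket description
FAIL_WINDOW = 600        # assumed: failures are counted over 10 minutes
BAN_SECONDS = 3 * 3600   # assumed value for "some hours"
CONN_LIMIT = 5           # connections per 60 s, the limit recalled in comment:3

def _push(queue, ts, window):
    """Record ts and drop entries older than the window; return the count."""
    queue.append(ts)
    while queue[0] <= ts - window:
        queue.popleft()
    return len(queue)

def analyse(lines):
    """Return (bans, conn_limited): bans maps ip -> ban expiry time;
    conn_limited holds IPs a plain connection-rate limit would have hit."""
    fails, conns = defaultdict(deque), defaultdict(deque)
    bans, conn_limited = {}, set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore lines from other services or formats
        ts, event, ip = int(m.group(1)), m.group(2), m.group(3)
        if event == "CONNECT":
            if _push(conns[ip], ts, 60) > CONN_LIMIT:
                conn_limited.add(ip)
        elif event == "LOGIN_FAIL" and bans.get(ip, 0) <= ts:
            if _push(fails[ip], ts, FAIL_WINDOW) >= MAX_FAILS:
                bans[ip] = ts + BAN_SECONDS  # a firewall rule would enforce this
                fails[ip].clear()
    return bans, conn_limited

# Constructed sample: one logged-in client doing listings and transfers,
# then one address failing logins as "Administrator" every 30 seconds.
SAMPLE = ["1000 ftpd: CONNECT from 192.0.2.10",
          "1001 ftpd: LOGIN_OK from 192.0.2.10 user=alice"]
SAMPLE += [f"{1002 + i} ftpd: CONNECT from 192.0.2.10" for i in range(7)]
for i in range(5):
    SAMPLE += [f"{2000 + 30 * i} ftpd: CONNECT from 203.0.113.7",
               f"{2001 + 30 * i} ftpd: LOGIN_FAIL from 203.0.113.7 user=Administrator"]

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

On the constructed sample, failure counting bans only 203.0.113.7, while the connection-rate limit would have hit only the logged-in client 192.0.2.10.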

comment:4 Changed 6 years ago by matthijs

  • Resolution set to duplicate
  • Status changed from investigate to closed

Ticket #1168 requests the same thing for SSH, so I'll mark this ticket as a duplicate of that one.
