I’ve been drinking beer and perhaps had one too many. Regardless of the reason, I felt the urge to further secure my favorite server. The target of my paranoia is once again VSFTPd. I already have iptables and fail2ban running with various elaborate rules and filters, and all of this already sits behind AWS and Check Point. In addition, I wanted to place some restrictions via TCP wrappers. The first step is to add something like this to /etc/hosts.deny:

The “spawn” action creates an entry in the /var/log/messages saying “<ip> denied access to vsftpd”

Then you add the allowed IPs to the /etc/hosts.allow.

Note: for the network mask, use the dotted form “/255.255.255.0” rather than the CIDR prefix “/24”. This is important; tcp_wrappers reads the address as a net/mask pair.
The cool thing here is the “spawn” directive. You can have more than one and one of them can be an aggressive nmap scan, a ping flood or something even less tolerant of unwelcome visitors.
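As an added example (these are not the entries from the post, which are not reproduced here), this is what the two files can look like for vsftpd, written as a root-shell snippet that appends them. The network 10.0.0.0/255.255.255.0 and the host 203.0.113.5 are placeholder addresses; WRAP_DIR exists only so the snippet can be pointed at a scratch directory instead of /etc. The deny entry logs with the same "denied access to vsftpd" wording described above.

```shell
#!/bin/sh
# Added example, not the post's own hosts.allow/hosts.deny entries.
# WRAP_DIR defaults to /etc; set it to a scratch directory to try the
# snippet without touching the live files. Addresses are placeholders.
set -eu
WRAP_DIR="${WRAP_DIR:-/etc}"

install_vsftpd_wrappers() {
    # hosts.allow is consulted first; a match here grants access.
    # Note the dotted mask: tcp_wrappers wants net/mask, not a bare /24.
    cat >> "$WRAP_DIR/hosts.allow" <<'EOF'
vsftpd: 10.0.0.0/255.255.255.0 203.0.113.5
EOF
    # hosts.deny is consulted for anything not matched above. %a expands
    # to the client address; logger hands the message to syslog, which on
    # this box lands in /var/log/messages. The trailing & keeps the spawn
    # from holding up the (already refused) connection.
    cat >> "$WRAP_DIR/hosts.deny" <<'EOF'
vsftpd: ALL: spawn (/usr/bin/logger -p auth.notice -t vsftpd "%a denied access to vsftpd") &
EOF
}

# Catch the mistake the note above warns about: an IPv4 address followed by
# a bare one- or two-digit prefix is not a net/mask pair to tcp_wrappers,
# so the rule silently never matches. Returns 1 if such an entry exists.
check_ipv4_masks() {
    ! grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]{1,2}([^0-9.]|$)' \
        "$WRAP_DIR/hosts.allow" "$WRAP_DIR/hosts.deny" 2>/dev/null
}
```

After editing the live files, `tcpdmatch vsftpd <client-ip>` (shipped with tcp_wrappers) reports which rule a given client would hit, which is the quickest way to confirm the allow list is matching before you bounce the daemon.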

Bounce vsftpd and you should be good to go. So I went to the fridge and grabbed another beer and by the time I got back there were a couple dozen “access denied” entries in the log for the same IP from Chicago. This got me thinking that blocking that IP with iptables would probably be beneficial for the overall health of my server.

So the idea is simple: scan all current and rotated /var/log/messages*; extract unique IPs; identify the “heavy-hitters”; block them with iptables. Here’s a quick script to do this.

Note: the example below (also on GitHub) will show you the countries associated with the offending IPs. You will need to install the GeoIP package (current version is GeoIP-1.5.1-5.el6.x86_64).
Save the script as, say, /var/adm/bin/tcpwrapper_ip_block.sh; make it executable and add this root cron job:
When someone is blocked by the script, you should see an entry in the /var/log/messages along the lines of:
The idea here is that, if someone is persistently trying to break into your FTP server, they may also decide to explore other avenues of attack. Blocking them with iptables minimizes their options.
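The procedure above (scan the current and rotated logs, extract the addresses, pick out the heavy hitters, drop them with iptables, run it from cron) as an added example. This is not the post's GitHub script; it is my own sketch of the same idea. It assumes the log lines carry the "<ip> denied access to vsftpd" text the spawn rule writes, that rotated logs may be gzipped, and that geoiplookup from the GeoIP package is optional. THRESHOLD, LOG_GLOB, IPTABLES and LOG_CMD are knobs I introduced so the script can be tuned and exercised without a live firewall; the threshold of 10 is an arbitrary default.

```shell
#!/bin/sh
# Added example, not the post's GitHub script: count "<ip> denied access to
# vsftpd" lines across /var/log/messages* and DROP repeat offenders.
# Assumed knobs (override via the environment):
#   LOG_GLOB   log files to read, rotated .gz files included
#   THRESHOLD  denials before an address is blocked
#   IPTABLES   iptables binary (a test can point this at a stub)
#   LOG_CMD    command that records what was blocked (default: syslog)
set -eu
LOG_GLOB="${LOG_GLOB:-/var/log/messages*}"
THRESHOLD="${THRESHOLD:-10}"
IPTABLES="${IPTABLES:-/sbin/iptables}"
CHAIN="${CHAIN:-INPUT}"
LOG_CMD="${LOG_CMD:-logger -t tcpwrapper_ip_block}"

# Emit every log file's contents, decompressing rotated .gz logs on the fly.
read_logs() {
    for f in $LOG_GLOB; do              # unquoted on purpose: expand the glob
        [ -f "$f" ] || continue
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done
}

# Print "count ip" for each address with at least THRESHOLD denials, busiest
# first. Matching the literal suffix keeps hostnames and any other address on
# the line from being picked up.
heavy_hitters() {
    read_logs \
      | grep -oE '[0-9]+(\.[0-9]+){3} denied access to vsftpd' \
      | cut -d' ' -f1 | sort | uniq -c | sort -rn \
      | awk -v t="$THRESHOLD" '$1 >= t { print $1, $2 }'
}

# iptables -C succeeds when an identical rule already exists, so reruns from
# cron do not pile up duplicate DROP rules.
already_blocked() {
    "$IPTABLES" -C "$CHAIN" -s "$1" -j DROP 2>/dev/null
}

block_ip() {
    ip=$1; hits=$2
    already_blocked "$ip" && return 0
    "$IPTABLES" -I "$CHAIN" -s "$ip" -j DROP
    country=""
    # geoiplookup comes with the GeoIP package mentioned above; optional here.
    if command -v geoiplookup >/dev/null 2>&1; then
        country=$(geoiplookup "$ip" | sed 's/^GeoIP Country Edition: //')
    fi
    $LOG_CMD "blocked $ip after $hits vsftpd denials${country:+ ($country)}"
}

main() {
    heavy_hitters | while read -r hits ip; do
        block_ip "$ip" "$hits"
    done
}

# Only act when invoked with --run, so the functions can be sourced safely.
case "${1:-}" in --run) main ;; esac
```

Saved as /var/adm/bin/tcpwrapper_ip_block.sh and run from root's crontab with a line such as `*/10 * * * * /var/adm/bin/tcpwrapper_ip_block.sh --run` (the ten-minute schedule is my assumption), each new block leaves a syslog line tagged tcpwrapper_ip_block in /var/log/messages, with the country appended when GeoIP is installed. Because iptables rules inserted this way do not survive a reboot, persist them with `service iptables save` or re-run the script from cron after boot.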
