Last night I was leisurely browsing through my logfiles and found out that my FTP log was unusually big (I only use FTP to allow Blogger.com access and for some people to download stuff). I also saw from the date of my current ftp.log that it was updated less than 2 seconds ago. When I used ftpwho I saw that some bozo was trying to get into the server using some dictionary. Really annoying! A quick check of my SSH logfile also revealed several break-in attempts:
Apr 1 14:40:58 zion sshd[21357]: Invalid user anonymous from 201.234.180.34
Apr 1 14:40:58 zion sshd[21357]: reverse mapping checking getaddrinfo for c201234180-34.impsat.com.co failed - POSSIBLE BREAKIN ATTEMPT!
Apr 1 14:40:58 zion sshd[21357]: (pam_unix) check pass; user unknown
Apr 1 14:40:58 zion sshd[21357]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.234.180.34
Apr 1 14:41:00 zion sshd[21357]: Failed password for invalid user anonymous from 201.234.180.34 port 53724 ssh2
Apr 1 14:41:05 zion sshd[21360]: Invalid user passwd from 201.234.180.34
Apr 1 14:41:06 zion sshd[21360]: reverse mapping checking getaddrinfo for c201234180-34.impsat.com.co failed - POSSIBLE BREAKIN ATTEMPT!
Given that ProFTPD and SSH do not have any IP-blocking capabilities (that is: locking out an IP-address after too many attempts) I had to look for a tool that does this for me. I say it once again: Google is your friend, and about 2 minutes later I had found a good tool that just kicks and bans every bozo that tries to hack his way into my FTP or SSH-server: Fail2ban.
This tool, which users of Debian-based systems can use out-of-the-box simply by running "apt-get install fail2ban", scans your logfiles like /var/log/pwdfail or /var/log/apache/error_log and bans IPs that have too many password failures. It updates firewall rules automatically to reject the IP address.
I tested it and it works very well. So as of yesterday all bozos that try to gain access to my server will wind up in one big IP blacklist.
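To show what fail2ban is doing behind the scenes, here is an added example (not part of the original post and not fail2ban's own code): it parses sshd failure lines like the ones quoted above, keeps a sliding window of failures per source IP, and reports the IP once it crosses a retry threshold inside that window, which is the core of fail2ban's "maxretry within findtime" logic. The log lines are constructed for the example (the first ones mirror the post, 192.0.2.10 is a made-up documentation address), the year is assumed because syslog timestamps carry none, and the firewall rule text is only returned as a string, never run.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the two failure line kinds seen in the post:
#   "Invalid user X from IP"  and  "Failed password for [invalid user] X from IP port N ssh2"
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from|Failed password for (?:invalid user )?\S+ from) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log: the first lines mirror the post, the rest are made up
# (192.0.2.10 is from the documentation range and never belongs to a real host).
SAMPLE_LOG = """\
Apr 1 14:40:58 zion sshd[21357]: Invalid user anonymous from 201.234.180.34
Apr 1 14:40:58 zion sshd[21357]: (pam_unix) check pass; user unknown
Apr 1 14:41:00 zion sshd[21357]: Failed password for invalid user anonymous from 201.234.180.34 port 53724 ssh2
Apr 1 14:41:05 zion sshd[21360]: Invalid user passwd from 201.234.180.34
Apr 1 14:41:07 zion sshd[21360]: Failed password for invalid user passwd from 201.234.180.34 port 53730 ssh2
Apr 1 15:02:11 zion sshd[21402]: Failed password for root from 192.0.2.10 port 40110 ssh2
Apr 1 15:03:00 zion sshd[21405]: Accepted publickey for dave from 192.0.2.10 port 40112 ssh2
"""


def parse_failure(line, year=2006):
    """Return (timestamp, ip) for a failed-login line, or None for any other line.

    The year is an assumption: syslog timestamps do not carry one.
    """
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


def find_bans(lines, maxretry=3, findtime_s=600):
    """Sliding-window counter in the spirit of fail2ban's maxretry/findtime.

    An IP is reported once it has at least `maxretry` matching lines whose
    timestamps fall within `findtime_s` seconds of each other. Returns a dict
    ip -> timestamp of the line that crossed the threshold.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    banned = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned:
            continue  # already reported; fail2ban would already have added the rule
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime_s:
            window.popleft()  # drop failures that aged out of the window
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def iptables_rule(ip):
    """Illustrative rule text of the kind fail2ban installs; returned, never executed."""
    return f"iptables -I INPUT -s {ip} -j REJECT"


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"{when:%b %d %H:%M:%S}  ban {ip}: {iptables_rule(ip)}")
```

Note that both the "Invalid user" and the "Failed password" line of one attempt are counted, so the threshold fires slightly sooner than the number of distinct attempts; raise maxretry if you only want to count "Failed password" lines. The window matters as much as the count: the same four failures spread over an hour would never trip a 10-minute findtime.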

