I noticed that my FTP server was getting hit up with huge streams of access attempts, which just won’t do. Thankfully, it’s really easy to block these access attempts using the awesome fail2ban script.
- First, install fail2ban either manually or if it’s in your repos use:
apt-get install fail2ban
- Next, go to the relevant section of the file /etc/fail2ban/jail.conf for your FTP server (mine is proftpd) and enable jailing by flipping the enabled flag to true:
[proftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 5
bantime = 3600
- Restart fail2ban with a swift:
Set your retries and bantime as you see fit, and make sure the log file path is correct (i.e. that it’s actually the log you want to monitor!)
If your FTP server is controlled via inetd/xinetd, you don’t need to restart the FTP server, as it’s started when required. If your FTP server is standalone, then it probably won’t hurt to restart the service manually through /etc/init.d/[your-ftp-server-management-script-here]
That should be pretty much it. If there are still access attempts going on, the offending hosts will be banned from connecting for the bantime you defined, and you’ll be able to see ban details in /var/log/fail2ban.log.
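
To check that the logpath really holds the failures the jail needs, and which clients would reach maxretry, here is a dry-run script (an added example, not part of the original post or of fail2ban). The function names, the simplified match pattern and the sample log lines are assumptions made for illustration; it counts over the whole file, whereas fail2ban only counts failures inside its findtime window.

```shell
#!/bin/sh
# Added example, not from the original post. The match pattern is a simplified
# stand-in for fail2ban's proftpd filter, and the log lines are constructed.

# would_ban LOGFILE MAXRETRY
# Prints "address failures" for every client with at least MAXRETRY failed logins.
would_ban() {
    logfile=$1
    maxretry=$2
    if [ ! -r "$logfile" ]; then
        echo "cannot read $logfile: check logpath in the jail" >&2
        return 2
    fi
    awk -v max="$maxretry" '
        /proftpd\[[0-9]+\]/ && /\(Login failed\)|no such user/ {
            # The client address is the bracketed part of "(host[address]):".
            if (match($0, /\[[0-9a-fA-F.:]+\]\)/)) {
                fails[substr($0, RSTART + 1, RLENGTH - 3)]++
            }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' "$logfile" | sort
}

# Constructed sample in ProFTPD's syslog-style format (documentation addresses).
sample_log() {
    i=0
    while [ "$i" -lt 5 ]; do
        echo "Mar 03 04:10:0$i ftp1 proftpd[2101] ftp1 (203.0.113.7[203.0.113.7]): USER admin (Login failed): Incorrect password"
        i=$((i + 1))
    done
    echo "Mar 03 04:11:00 ftp1 proftpd[2102] ftp1 (198.51.100.23[198.51.100.23]): USER bob no such user found from 198.51.100.23 [198.51.100.23] to 192.0.2.1:21"
    echo "Mar 03 04:11:05 ftp1 proftpd[2102] ftp1 (198.51.100.23[198.51.100.23]): USER bob (Login failed): Incorrect password"
    echo "Mar 03 04:12:00 ftp1 proftpd[2103] ftp1 (192.0.2.10[192.0.2.10]): USER alice: Login successful."
}

tmp=$(mktemp)
sample_log > "$tmp"
would_ban "$tmp" 5     # 5 is the maxretry from the jail section above
rm -f "$tmp"
```

To test the installed filter itself rather than this stand-in, fail2ban ships fail2ban-regex, which takes the log file and the filter file as arguments.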