vsftpd is the “very secure file transfer protocol daemon” and a great product to use for file transfers. Unfortunately, a bunch of script kiddies and zombies runs scripts guessing the 2283 most common user name and password combinations. Sometimes, I’ll see several of these runs of login attempts in a single day, peaking one day at over 13 thousand bogus login attempts. I resent the amount of time, resources, bandwidth and power my server has to spend rejecting these attempts.
Last year, I blogged about the script Brute Force Detection that works with many servers and reads the logs to ban repeated failed login attempts. Unfortunately, it did not have the settings to read vsftpd generated logs, and there were not any directions simple enough for me to understand to set one up. A year passes, I read more, learn more, expecially the great Man Page of the Month sessions at MonadLUG, and I find a couple of hours to hack at this, motivated by yet another log report filled with vsftpd login attempts. Here’s what I did:
BFD uses rules files that are portions of scripts customized for the particular log to read, the messages to look for, and the locations at which the IP addresses of the offending attacker can be found. When each rule file in turn is read into the main BFD script, it becomes part of a set of commands that slices and dices the log, finds the (adjustable) number of excessive attempts, and issues the commands to ban attempts from that IP address. The trick is figuring out what commands you need to implement to return the stream of IP addresses in the correct format. Here’s an example, the sshd rule file:
REQ="/usr/sbin/proftpd"
if [ -f "$REQ" ]; then
LP="/var/log/secure"
TLOG_TF="proftpd"
TRIG="15"
## PROFTP
ARG_VAL=`$TLOGP $LP $TLOG_TF | grep -w proftpd | grep -iwf $PATTERN_FILE | tr '[]' ' ' | tr -d '()' | awk '{print$10" "$13}' | tr -d ':' | awk '{print$1":"$2}' | grep -E '[0-9]+'`
fi
Boy, is that inscrutable! Here’s a quick tour: REQ is the required file (the binary that runs proftpd) so the script only runs if there is such a file (“fi” is the shell script equivalent of “if” – cute!). The other variables are used to feed the main processing line, starting with ARG_VAL. This line processes the log (named LP) through a series of pipes that filters the result down to the items that need to be processed. Grep processes lines through Globally searching, using Regular Expressions and Prints them through to the next command in the pipe. TR translates characters from one set to another, or -Deletes them. Awk is a simple text processing language, really handing for tricks like printing the tenth and thirteenth words out of a line.
Here’s the trick to working this out: take a log file you know has your suspect violations, use cat to feed it into the beginning of the pipe described above, and add item-by-item to the pipe to figure out what each does and what the final result looks like, in this case a text file IP Addresses and login names, something like:
192.168.1.1:fred
192.168.1.1:fred
192.168.1.1:fred
192.168.1.1:fred
192.168.1.1:barney
192.168.1.1:charlie
192.168.1.1:dave
192.168.1.1:eric
This is what BFD gets fed bac k to it. Then, it counts the number of attempts, compares that against the TRIG value set above, and if it exceeds the trigger level, executes the command (set in BFD’s configuration file, conf.bfd) to ban the offending attacker. (It also optionally sends an email to the admin, a good idea to ensure you’ve got things set up properly.)
Now, your installation of vsftpd may be a little different from mine, your logs may have different names and columns in different orders, so use this script only after testing out that it works properly with your configuration. Best of luck with it. Here’s my implementation of a script to detect vsftpd script kiddie attacks:
REQ="/usr/sbin/vsftpd"
if [ -f "$REQ" ]; then
LP="/var/log/messages"
TLOG_TF="vsftpd"
TRIG="15"
## VSFTPD
ARG_VAL=`$TLOGP $LP $TLOG_TF | grep -w vsftpd | grep -i rhost | grep -iwf $PATTERN_FILE | awk '{print $13":"$12}'| tr -d '[]()?@'| cut -d = -f 2,4 | grep -E '[0-9]+'`
fi
The cut command is a new one here: like the use of awk it lets you pick particular columns to slice out of the line, but also gives you the option to specify the delimiter that sets off the columns. In this case, I use cut to pick off the second half of two columns that are formatted as “rhost=192.168.1.1” and “ruser=badguy@badplace.com” to pick off the second values from each of those columns.