Modify the vsFTPd FTP server settings. The point is to leave xferlog_std_format commented out so that vsftpd writes its own log format (vsftpd_log_file, by default /var/log/vsftpd.log), which is the file the fail2ban vsftpd filter parses.
# vim /etc/vsftpd/vsftpd.conf
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
xferlog_file=/var/log/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
#xferlog_std_format=YES
Restart the vsFTPd FTP server
# service vsftpd restart
Modify the fail2ban settings
# vim /etc/fail2ban/jail.conf
[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
# sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath = /var/log/vsftpd.log
maxretry = 3
bantime = 86400
Restart fail2ban
# service fail2ban restart
There are now two blocking rules (jails): ssh-iptables and vsftpd-iptables
# fail2ban-client status
Status
|- Number of jail: 2
`- Jail list: ssh-iptables, vsftpd-iptables
Make failed login attempts from client IP 192.168.1.1 to server IP 192.168.1.9.
The detected attack connections can then be listed for the vsftpd-iptables jail:
# fail2ban-client status vsftpd-iptables
Status for the jail: vsftpd-iptables
|- filter
|  |- File list:        /var/log/vsftpd.log
|  |- Currently failed: 0
|  `- Total failed:     5
`- action
   |- Currently banned: 1
   |  `- IP list:       192.168.1.1
   `- Total banned:     1
The corresponding rules in the firewall:
# iptables -t filter -L fail2ban-VSFTPD -n
Chain fail2ban-VSFTPD (1 references)
target     prot opt source               destination
DROP       all  --  192.168.1.1          0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
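The following Python script is an added example, not code from the original post or from the fail2ban project. It replays a constructed sample of /var/log/vsftpd.log through a small fail2ban-style jail using the page's settings (maxretry = 3, bantime = 86400) plus fail2ban's default findtime of 600 seconds, and reports counters in the spirit of the "Total failed" / "Currently banned" figures shown above. The FAIL_RE pattern follows the shape of the "FAIL LOGIN" failregex in fail2ban's stock vsftpd filter; the 192.168.1.50 and 192.168.1.77 hosts and all timestamps are constructed for the example, and ban_command() only returns the iptables command string in the form the iptables action would run, it does not execute anything.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/vsftpd.log (vsftpd_log_file format, which is
# what vsftpd writes when xferlog_std_format is not set to YES). Not real traffic.
SAMPLE_LOG = """\
Mon Mar  5 09:40:00 2012 [pid 2080] [ftpuser] FAIL LOGIN: Client "192.168.1.77"
Mon Mar  5 09:41:00 2012 [pid 2080] [ftpuser] FAIL LOGIN: Client "192.168.1.77"
Mon Mar  5 10:00:01 2012 [pid 2101] CONNECT: Client "192.168.1.1"
Mon Mar  5 10:00:03 2012 [pid 2100] [ftpuser] FAIL LOGIN: Client "192.168.1.1"
Mon Mar  5 10:00:07 2012 [pid 2100] [ftpuser] FAIL LOGIN: Client "192.168.1.1"
Mon Mar  5 10:00:12 2012 [pid 2100] [admin] FAIL LOGIN: Client "192.168.1.1"
Mon Mar  5 10:00:20 2012 [pid 2103] [ftpuser] OK LOGIN: Client "192.168.1.50"
Mon Mar  5 10:00:25 2012 [pid 2105] [ftpuser] FAIL LOGIN: Client "192.168.1.50"
Mon Mar  5 10:00:30 2012 [pid 2080] [ftpuser] FAIL LOGIN: Client "192.168.1.77"
"""

# Same shape as the "FAIL LOGIN" failregex in fail2ban's vsftpd filter:
# the client address is captured in the <host> group (fail2ban's <HOST>).
FAIL_RE = re.compile(r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) '
                     r'\[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client "(?P<host>[^"]+)"')


def parse_failures(log_text):
    """Yield (timestamp, host) for every log line that matches the failregex."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            yield ts, m.group("host")


def run_jail(log_text, maxretry=3, findtime=600, bantime=86400):
    """Replay the log through a fail2ban-style jail.

    A host is banned once it has maxretry failures inside a sliding findtime
    window (seconds); the ban lasts bantime seconds. Failures older than the
    window are forgotten, so slow attempts spread over hours are not banned
    unless findtime is raised. Returns the jail counters and the ban list.
    """
    window = defaultdict(deque)   # host -> timestamps of recent failures
    banned = {}                   # host -> ban expiry time
    total_failed = 0
    total_banned = 0
    for ts, host in parse_failures(log_text):
        total_failed += 1
        if host in banned and ts < banned[host]:
            continue              # still banned; iptables would have dropped it
        q = window[host]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # drop failures outside the findtime window
        if len(q) >= maxretry:
            banned[host] = ts + timedelta(seconds=bantime)
            total_banned += 1
            q.clear()             # fail2ban resets the host's failures on ban
    return {
        "total_failed": total_failed,
        "currently_failed": sum(1 for q in window.values() if q),
        "total_banned": total_banned,
        "banned": sorted(banned),
    }


def ban_command(host, name="VSFTPD"):
    """Return the iptables command the iptables action runs for a ban.

    Inserts a DROP for the host at the top of the per-jail chain, which is
    the chain shown as fail2ban-VSFTPD in the iptables listing above.
    """
    return f"iptables -I fail2ban-{name} 1 -s {host} -j DROP"


if __name__ == "__main__":
    result = run_jail(SAMPLE_LOG)
    print(result)
    for host in result["banned"]:
        print(ban_command(host))
```

With the page's settings only 192.168.1.1 is banned (three failures within nine seconds); 192.168.1.77 also fails three times but its first two attempts are twenty minutes before the third, outside the 600-second findtime, so it is not banned until findtime is raised (for example to 3600). Bans are not permanent: after bantime expires the DROP rule is removed and the host starts again with a clean failure count.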