Install the vsftpd FTP Server
# apt-get install vsftpd
Configure it; the vsftpd FTP Server configuration file is /etc/vsftpd.conf
Disable anonymous login
# sed -i 's/anonymous_enable=YES/#anonymous_enable=YES/' /etc/vsftpd.conf
Allow local system users to log in
# sed -i 's/#local_enable=YES/local_enable=YES/' /etc/vsftpd.conf
Allow writing
# sed -i 's/#write_enable=YES/write_enable=YES/' /etc/vsftpd.conf
System log file
# sed -i 's|#xferlog_file=/var/log/vsftpd.log|xferlog_file=/var/log/vsftpd.log|' /etc/vsftpd.conf
Banner shown when logging in to the vsftpd FTP Server
# sed -i 's/#ftpd_banner=Welcome to blah FTP service./ftpd_banner=Welcome to Banana Pi FTP service./' /etc/vsftpd.conf
chroot local system users
# sed -i '120s/#chroot_local_user=YES/chroot_local_user=YES/' /etc/vsftpd.conf
Enable the chroot feature
# sed -i 's/#chroot_list_enable=YES/chroot_list_enable=YES/' /etc/vsftpd.conf
Create the /etc/vsftpd.chroot_list file
# touch /etc/vsftpd.chroot_list
Allow root to log in
# sed -i 's/root/#root/' /etc/ftpusers
Start the vsftpd FTP Server
# /etc/init.d/vsftpd start
Open the vsftpd FTP Server port in the firewall
iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 21 -j ACCEPT
Configure fail2ban's FTP blocking
# vim /etc/fail2ban/jail.conf
[vsftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 3
bantime = 86400
Restart fail2ban
# /etc/init.d/fail2ban restart
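To see what the jail above actually does with the vsftpd log before relying on it, the following added example (not part of the original post, and not fail2ban's own code) replays the jail's counting rule (maxretry = 3, bantime = 86400, fail2ban's default findtime of 600 seconds) over a few constructed log lines. It assumes vsftpd's native log format of `... [pid N] [user] FAIL LOGIN: Client "<ip>"`; the regex is an approximation of fail2ban's vsftpd filter, not a copy of it.

```python
import re
from datetime import datetime, timedelta

# Assumption: vsftpd's own log (xferlog_std_format=NO) records a failed login as
#   <ctime> [pid N] [user] FAIL LOGIN: Client "<ip>"
# This regex approximates fail2ban's vsftpd filter; it is not a copy of it.
FAIL_LOGIN = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[[^\]]*\] FAIL LOGIN: Client "(?P<host>[^"]+)"\s*$'
)

# Constructed sample lines: one host fails three times inside ten minutes,
# another spreads its three failures over more than findtime and is not banned.
SAMPLE_LOG = """\
Sat Jan 10 08:00:01 2015 [pid 2101] [pi] FAIL LOGIN: Client "198.51.100.7"
Sat Jan 10 08:00:05 2015 [pid 2103] [pi] FAIL LOGIN: Client "198.51.100.7"
Sat Jan 10 08:00:09 2015 [pid 2105] [root] FAIL LOGIN: Client "198.51.100.7"
Sat Jan 10 08:01:00 2015 [pid 2107] [pi] OK LOGIN: Client "192.0.2.10"
Sat Jan 10 08:02:00 2015 [pid 2109] [pi] FAIL LOGIN: Client "203.0.113.4"
Sat Jan 10 09:30:00 2015 [pid 2201] [pi] FAIL LOGIN: Client "203.0.113.4"
Sat Jan 10 09:31:00 2015 [pid 2203] [pi] FAIL LOGIN: Client "203.0.113.4"
"""

def parse_failures(log_text):
    """Yield (timestamp, host) for every line the filter matches."""
    for line in log_text.splitlines():
        m = FAIL_LOGIN.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"), m.group("host")

def simulate_jail(log_text, maxretry=3, findtime=600, bantime=86400):
    """Replay the jail's rule: ban a host once it has maxretry failures
    within findtime seconds. Returns {host: (ban_start, ban_end)}."""
    window = timedelta(seconds=findtime)
    recent = {}      # host -> failure timestamps still inside the window
    bans = {}
    for ts, host in parse_failures(log_text):
        if host in bans:
            continue  # already banned; the firewall chain drops further attempts
        hits = [t for t in recent.get(host, []) if ts - t <= window] + [ts]
        recent[host] = hits
        if len(hits) >= maxretry:
            bans[host] = (ts, ts + timedelta(seconds=bantime))
    return bans

if __name__ == "__main__":
    for host, (start, end) in simulate_jail(SAMPLE_LOG).items():
        print(f"ban {host} from {start} until {end}")
```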
There are now two blocking rules (jails): ssh and vsftpd
# fail2ban-client status
Status
|- Number of jail: 2
`- Jail list: vsftpd, ssh
The detected attack connections for vsftpd can be listed
# fail2ban-client status vsftpd
Status for the jail: vsftpd
|- filter
| |- File list: /var/log/vsftpd.log
| |- Currently failed: 0
| `- Total failed: 0
`- action
|- Currently banned: 0
| `- IP list:
`- Total banned: 0
The corresponding rules in the firewall
# iptables -t filter -L fail2ban-vsftpd -n
Chain fail2ban-vsftpd (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0