BSD PF Firewall Block FTP Bruteforce Attacks

I see lots of failed FTP login attempts in my log file. How do I stop an FTP bruteforce attack? What should I do to solve this problem on a FreeBSD 7.x server?

You can stop most bruteforce attacks by rate-limiting new connections per source IP with the pf firewall on FreeBSD or OpenBSD: a source that opens too many connections to port 21 in a short window is added to a table, and everything from that table is blocked.

Open /etc/pf.conf
# vi /etc/pf.conf

Update it as follows:

# $ext_if must be defined as a macro earlier in pf.conf, e.g. ext_if="em0"

# the list of known FTP attackers, loaded from disk when the ruleset is loaded
table <ftp-attacks> persist file "/etc/pf.ftp.block.list"
 
# block all incoming traffic (not only FTP) from listed attackers
block in quick on $ext_if from <ftp-attacks>
 
# allow FTP, but any source that opens more than 5 new connections in 40 seconds
# is added to <ftp-attacks> and all of its existing states are killed
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 21 keep state (max-src-conn-rate 5/40, overload <ftp-attacks> flush global)

With these rules, any source address that opens more than 5 new connections to port 21 within 40 seconds is added to the <ftp-attacks> table; flush global kills all of that source's existing states (not only the FTP ones), and the block rule then drops everything it sends. Note that the limit counts TCP connection attempts, not failed logins, so many users sharing one NAT address can trip it; tune 5/40 to your traffic. The table file must exist before the ruleset is loaded (create it empty if it is not there yet), and pf never removes overload entries on its own; use pfctl's -T expire (age in seconds) or -T delete to unban an address. To keep the list across reboots, append the following line to /etc/rc.shutdown so the table is written back to the file at shutdown:
# echo '/sbin/pfctl -t ftp-attacks -T show > /etc/pf.ftp.block.list' >> /etc/rc.shutdown
Finally, reload the pf ruleset:
# /etc/rc.d/pf reload
To list currently blocked (attacker) IP addresses, enter:
# pfctl -t ftp-attacks -T show
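The following helper script is an added example, not code from the original post: it prints the complete rule fragment above together with the pieces the post leaves implicit (the $ext_if macro and the persist file), syntax-checks the live ruleset before reloading it, and saves or ages out the blocked-host table. The interface name em0, the file paths and the one-day expiry are assumptions; adjust them for your host.

```sh
#!/bin/sh
# Added example (not from the original post): manage the pf FTP bruteforce
# protection. Interface, paths and expiry time below are assumptions.

EXT_IF="${EXT_IF:-em0}"                       # assumed external interface
BLOCKLIST="${BLOCKLIST:-/etc/pf.ftp.block.list}"
MAX_CONN="${MAX_CONN:-5}"                     # more than this many new connections ...
WINDOW="${WINDOW:-40}"                        # ... within this many seconds trips the limit
EXPIRE="${EXPIRE:-86400}"                     # assumed ban length in seconds (one day)

# Print a complete pf rule fragment: macro, table, block rule, rate-limited pass rule.
# $1 = interface, $2 = table file, $3 = max connections, $4 = window in seconds
ftp_pf_rules() {
    cat <<EOF
ext_if = "$1"

# sources that tripped the FTP connection-rate limit; reloaded from disk at boot
table <ftp-attacks> persist file "$2"

# drop all inbound traffic from listed sources, not only FTP
block in quick on \$ext_if from <ftp-attacks>

# allow FTP control connections, but any source opening more than $3 new
# connections in $4 seconds is added to the table and all its states are killed
pass in quick on \$ext_if inet proto tcp from any to (\$ext_if) port 21 \\
    keep state (max-src-conn-rate $3/$4, overload <ftp-attacks> flush global)
EOF
}

# Parse a ruleset without loading it; a non-zero exit means a syntax error.
pf_check() {
    pfctl -nf "${1:-/etc/pf.conf}"
}

# Syntax-check, then reload the live ruleset (what the post does with rc.d/pf reload).
pf_apply() {
    pf_check /etc/pf.conf && /etc/rc.d/pf reload
}

# Write the in-kernel table back to its file so it survives a reboot
# (the post runs this line from /etc/rc.shutdown).
ftp_block_save() {
    pfctl -t ftp-attacks -T show > "$BLOCKLIST"
}

# Drop entries that have been in the table longer than $1 seconds; pf never
# removes overload entries by itself, so run this from cron to avoid permanent bans.
ftp_block_expire() {
    pfctl -t ftp-attacks -T expire "${1:-$EXPIRE}"
}

case "${1:-print}" in
    print)  ftp_pf_rules "$EXT_IF" "$BLOCKLIST" "$MAX_CONN" "$WINDOW" ;;
    apply)  [ -f "$BLOCKLIST" ] || : > "$BLOCKLIST"   # file must exist before pf loads the table
            pf_apply ;;
    save)   ftp_block_save ;;
    expire) ftp_block_expire "$2" ;;
    list)   pfctl -t ftp-attacks -T show ;;
    *)      echo "usage: $0 print|apply|save|expire [seconds]|list" >&2; exit 2 ;;
esac
```

Run it with print to get the fragment to paste into /etc/pf.conf, apply after editing to check and reload, and expire from a daily cron job so a shared NAT address that tripped the limit once is not banned forever.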

Posted by: SXI ADMIN

The author is the creator of SXI LLC and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.