pure-ftpd isn't designed to work with TCP wrappers, which is unfortunate, because then I can't simply add an IP address to /etc/hosts.deny to block the hackers when they guess passwords.  But, since the hackers have tried to login to my servers thirty thousand times this month, and occasionally get good usernames, and theoretically might guess a right password eventually, I needed to figure out a solution.

The solution is to use the external authentication method before checking the "real" authentication methods, and simply check the IP address.  The only down-side of this method is that instead of blocking the connection at the start, it blocks it at authentication time, which means there are more entries in the log files.  Another side-effect is that the hacker doesn't know he is being blocked by IP address, so he continues trying to login, rather than going on to the next unsuspecting server, so I suppose you can say I am doing the world some good by being a honeypot.

My external "authentication" script is the following:

#!/bin/sh

# pure-authd hands the client's address to the script in AUTHD_REMOTE_IP.
# Only a dotted quad survives the sed filter; anything else becomes "Unknown".
checkedIP=$(echo "$AUTHD_REMOTE_IP" | sed -ne "s~^\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)$~\1.\2.\3.\4~p")

if test "x$checkedIP" = "x"; then
   checkedIP="Unknown"
fi

if test "$checkedIP" = "Unknown"; then
  # unknown will be allowed for now.  Probably should output the ip to see when this happens
  # auth_ok:0 tells pure-ftpd to fall through to the next authentication method
  echo 'auth_ok:0'
else
  # note, this is checking for all services, rather than just a particular one
  # -q keeps grep's output off stdout, which pure-authd reads as the reply;
  # -F matches the address literally (dots are not wildcards) and -w requires a
  # whole-word match, so 1.2.3.4 does not trigger on a 1.2.3.40 entry
  if grep -qwF -- "$checkedIP" /etc/hosts.deny; then
    # auth_ok:-1 rejects the login outright, without trying other methods
    echo 'auth_ok:-1'
  else
    echo 'auth_ok:0'
  fi
fi
echo 'end'

Then you need to start the authd:

pure-authd -B -s /var/run/ftpd.sock -r /etc/pure-ftpd/denyhosts

Then make a file called /etc/pure-ftpd/conf/ExtAuth (I use pure-ftpd-wrapper, since I am on Debian) with the following line:

/var/run/ftpd.sock

And then make a symlink named /etc/pure-ftpd/auth/20extauth that points to /etc/pure-ftpd/conf/ExtAuth

That's it!  As you might guess based on the name of the script, I will eventually get this to work automatically with the denyhosts project, which is an excellent program for ssh, and I want to extend it to pure-ftpd as well; just need to get the regular expressions correct. 
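To show how the external auth reply behaves on the edge cases (a garbled address, and an entry whose address merely begins with the client's), here is the deny check as a plain shell function run against a constructed hosts.deny file. This is an added example, not the script from the post; deny_decision and its sample addresses are assumed names and values.

```shell
#!/bin/sh
# deny_decision: takes the address pure-authd would pass in AUTHD_REMOTE_IP and
# the path of a hosts.deny-style file, and prints the auth_ok line to reply with.
deny_decision() {
  ip=$1
  denyfile=$2
  # keep only a dotted quad, the same filter the post's script uses
  checked=$(printf '%s\n' "$ip" | sed -ne 's~^\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)$~\1.\2.\3.\4~p')
  if [ -z "$checked" ]; then
    # unknown or non-IPv4 address: let pure-ftpd fall through to the next method
    echo 'auth_ok:0'
    return 0
  fi
  # -F: literal match, so the dots in the address are not regex wildcards
  # -w: whole-word match, so 192.0.2.10 does not trigger on 192.0.2.100
  # -q: nothing on stdout, because pure-authd reads stdout as the reply
  if grep -qwF -- "$checked" "$denyfile"; then
    echo 'auth_ok:-1'
  else
    echo 'auth_ok:0'
  fi
}

# constructed hosts.deny sample (addresses from the documentation ranges)
DENYFILE=$(mktemp)
cat >"$DENYFILE" <<'EOF'
ALL: 192.0.2.10
sshd: 198.51.100.7
EOF

# stand-alone demonstration: each line prints the reply for one client address
for addr in 192.0.2.10 192.0.2.100 198.51.100.7 'not an ip'; do
  printf '%-14s -> %s\n' "$addr" "$(deny_decision "$addr" "$DENYFILE")"
done
```

The sshd entry is rejected too, because the check ignores the service field, just as the post's script does.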

Posted by Jon Daley on September 19, 2007, 4:04 pm | Read 44741 times
Comments

For documentation purposes, my first attempts at the regular expressions were:
SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|pure-ftpd:) (?P<message>.*)

USERDEF_FAILED_ENTRY_REGEX=\(\?@(?P<host>.*)\) \[WARNING\] Authentication failed for user \[(?P<user>.*)\]

Posted by jondaley on September 19, 2007, 4:34 pm

Are you trying to serve *really* big files? Why not scp or sftp?

Posted by mdrew on September 22, 2007, 11:14 am

I think the bigger problem here is that there is apparently a way for hackers to guess something and determine from your server's behavior useful information like 'valid username'. I don't understand why it fails differently depending on whether a correct username is entered (assuming a bad password).

P.S. send me an email so I can contact you.

Posted by mdrew on September 22, 2007, 11:33 am

I have to do regular FTP, because it is harder for most people to figure out how to do scp or sftp. I never use ftp myself, but most of my customers do. I suppose that Microsoft may have done the security world a favor by breaking FTP in the latest version of Internet Explorer - people will get used to using other clients, and then sftp or scp are about the same, from the non-technical user's viewpoint.

The return value for them is the same whether they get a wrong password or wrong username. The trouble is that hackers have basically unlimited resources (by hacking into unprotected machines all over the world (probably mostly in the US) and then using those hacked machines as a large network of coordinated attack machines).

When I said they occasionally get good usernames, that means out of all of their random guessing (and sometimes not so random - like "salemsattic", or "limedaley", etc.) sometimes they get real usernames, and then I have to count on the strength of my customers' passwords. If the hacker has a wrong username, I don't really care how many times he tries to login, as long as the CPU load stays low.

Denyhosts is great because it only allows so many attempts before blocking the IP. I no longer have to even think about ssh hack attempts, because the hacker has about 15-30 seconds at most to guess a username and valid password. If he guesses wrong usernames (or worse, privileged usernames (that wouldn't have ssh access anyway, so it is kind of silly to guess those)), he only has one attempt before his ip is blocked forever (and broadcast to a blacklist, so he will be blocked before he even tries anything on other people's machines).

I'll try sending you an email, but I thought you didn't accept non-secured email, and I am not sure if I have the floppy with your key on it... :)

Posted by Jon Daley on September 22, 2007, 1:13 pm