Forum Discussion

Jose_Santiago_O
May 15, 2008

Prevent ftp brute force attack using irules.

Hi,

Does anyone know how to prevent FTP brute force attacks using iRules? I have an FTP server and every day I see a lot of connections coming from different countries trying to get access to my FTP server using dictionaries. My FTP is not anonymous, by the way, and I have to block certain IPs after a large number of attempts.

With HTTP it is easy: if you hit my virtual server and you are not going to www.mysite.com I reject the connection, but is that possible with FTP? I.e., if you try to connect to my virtual server and are not going to ftp.mysite.com, reject the connection.

I hope someone could bring some ideas.

Thanks.

Jose Santiago Oyervides.

  • Colin_Walker_12
    Historic F5 Account
    There are a few different approaches you could try, but the one you outlined above is probably the simplest. Since there is no host header readily available via TMM's inspection engine when dealing with an FTP connection, you'll need to use the TCP::collect and TCP::payload commands to collect and inspect the payload data, but you should be able to accomplish basically the same thing as you would with HTTP connections.

    When the connection comes in, collect some data, inspect it to find out what host name the request is intended for. If it doesn't match one of your domains, toss it.

    If you need some help getting started, let us know.

    Colin
  • Hi,

    I have configured this rule so far, but I think I am missing something here, because I am not collecting the initial connection (ftp 1.1.1.1 or ftp.mycompany.com). I am logging the payload and the initial connection is not being logged; the only thing I am collecting is USER domain\user, and since this doesn't match "mycompany" the connection is rejected. Do you have any ideas?

     when CLIENT_ACCEPTED {
         # Hold the first client payload so CLIENT_DATA can inspect it.
         # TCP::release belongs in CLIENT_DATA after the inspection, not here;
         # releasing in CLIENT_ACCEPTED gives the rule nothing to look at.
         TCP::collect
     }

     when CLIENT_DATA {
         # Whatever the client sent first on the control channel (here: USER ...)
         log local0. "payload: [TCP::payload]"
         set client_data [string tolower [string trim [TCP::payload]]]

         if { $client_data contains "mycompany" } {
             pool pool_ftp
         } else {
             log local0. "Rejected"
             reject
         }
         # Hand the held payload on to the selected pool member.
         TCP::release
     }
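The collect-and-inspect idea above works on what crosses the control channel, and the follow-up log shows the client side only ever carries USER and PASS, so the signal that is actually available is the server's reply. As an added example that is not from this thread or from F5, written in Python rather than iRule Tcl so it runs stand-alone, the code below replays a constructed sample of control-channel lines, counts 530 (login incorrect) replies per client address inside a sliding window, and reports which addresses to reject, which is the per-IP blocking after repeated attempts the original poster asked for. The sample lines, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample of FTP control-channel lines as a proxy could log them:
# (seconds, client address, direction, line); "S" = server reply, "C" = client
# command. The client side carries no host name, only USER and PASS.
SAMPLE = [
    (0.5, "203.0.113.7", "C", "USER domain\\user"),
    (1.0, "203.0.113.7", "C", "PASS ********"),
    (1.2, "203.0.113.7", "S", "530-Login incorrect"),        # two-line reply:
    (1.2, "203.0.113.7", "S", "530 Check your credentials"),  # count it once
    (2.1, "203.0.113.7", "S", "530 Login incorrect"),
    (3.1, "203.0.113.7", "S", "530 Login incorrect"),
    (4.1, "198.51.100.3", "S", "530 Login incorrect"),
    (4.6, "198.51.100.3", "S", "230 User alice logged in"),
]

REPLY_RE = re.compile(r"^(\d{3})([ -])")

def final_reply_code(line):
    """Code of a server reply's final line ('530 ...'); None for client lines
    and for continuation lines ('530-...'), so one reply counts once."""
    m = REPLY_RE.match(line)
    return m.group(1) if m and m.group(2) == " " else None

class FtpBruteForceMonitor:
    """Count 530 (login failed) replies per client address in a sliding
    window; an address at or above the threshold should be rejected."""
    def __init__(self, threshold=3, window_seconds=60):
        self.threshold, self.window = threshold, window_seconds
        self.failures = defaultdict(deque)  # ip -> timestamps of 530 replies
    def _recent(self, ip, now):  # drop failures that fell out of the window
        q = self.failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        return q
    def observe(self, ts, ip, direction, line):
        code = final_reply_code(line) if direction == "S" else None
        if code == "530":
            self._recent(ip, ts).append(ts)
        elif code == "230":  # successful login clears that address's history
            self.failures.pop(ip, None)
    def should_reject(self, ip, now):
        return len(self._recent(ip, now)) >= self.threshold

def addresses_to_reject(sample, threshold=3, window_seconds=60):
    mon = FtpBruteForceMonitor(threshold, window_seconds)
    for entry in sample:
        mon.observe(*entry)
    now = sample[-1][0]  # evaluate as of the last observed line
    return sorted({ip for _, ip, _, _ in sample if mon.should_reject(ip, now)})
```

In an iRule the same counting would sit in SERVER_DATA, keyed on the client address, with the decision taken in CLIENT_ACCEPTED before any pool is selected.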