Aryan Srivastava
4 min read · Aug 16, 2021

Brute Forcing & Protecting an FTP Server

What is a Brute-force attack?

A Brute-force attack is a simple form of attack in which the attacker tries many login and password combinations in the hope of finding the right one. Generally, an attacker uses a list of common usernames and passwords, but in some cases attackers perform reconnaissance against the target and find out keywords and combinations that might be used in its passwords. For example, an employee of an organization might be using their last name and birth year as their password.

Attacking an FTP Server

Very Secure FTP Daemon (vsftpd) is an FTP server for Linux systems. It is the default FTP server choice for multiple distributions such as Red Hat Enterprise Linux (RHEL), Ubuntu, Fedora and CentOS. The default installation of vsftpd does not come with any protection against multiple login attempts, which means that an attacker can try unlimited username and password combinations.

Step 1: Creating a list of common usernames and passwords.

Attackers use a list of commonly used usernames and passwords. Here I have created two .txt files, one with common usernames and another with common passwords. For example, a password list known as Rockyou is regarded as one of the best password lists available over the internet.

Step 2: Brute-forcing the vsftpd server with the created lists.

Now that the lists are created, I will use a Brute-forcing tool like Hydra to attack the vsftpd server until we find the correct username and password combination. This is done with the following command:

hydra -L usernames.txt -P passwords.txt ftp://192.168.0.98

The output will look like the following. You can see that the Brute-force was a success and one valid username and password combination was found: in this case, the username is python and the password is redhat.

Protecting the vsftpd server

Since the vsftpd server does not come with any Brute-force protection, it gives the attacker the advantage of trying unlimited combinations until the right one is found. Solution? Introduce an Intrusion Prevention System (IPS) into the environment.

So, what is an IPS?

An IPS is a network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits. It sits directly between the source and the destination where it actively analyzes the flowing traffic and takes automated actions as per the directives set by the user. In this case, the IPS is going to monitor all the traffic reaching the vsftpd service and will block any IP address which provides incorrect credentials thrice while logging in.

The IPS we will be using is fail2ban, a common IPS used to protect SSH and vsftpd against Brute-force attacks.

Step 1: Install the fail2ban package and start the service.

sudo yum install fail2ban -y

sudo systemctl start fail2ban

Step 2: Configure fail2ban to prevent vsftpd login attempts

Now I am going to create a file called jail.local inside the /etc/fail2ban directory. This file contains the configuration that tells fail2ban which port to monitor, how long to ban an IP address, and which log file to read.

Here the name of the jail is vsftpd. Any IP address that makes more than 3 incorrect login attempts (our maxretry value) goes into the vsftpd jail for 86400 seconds, or 24 hours. The port to monitor is the one for the ftp service. The jail is enabled and reads the FTP login records from /var/log/vsftpd.log. You can also set bantime to -1 for a permanent ban.
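As an added example (not part of the original post), the following POSIX shell script writes out the jail.local described above with the values the text gives, and then applies the same rule the vsftpd jail applies, counting FAIL LOGIN lines per client address in a constructed vsftpd.log and listing the addresses that reach maxretry. It also illustrates the "block after incorrect credentials" behaviour described in the IPS section. The log lines, usernames and client addresses are constructed; the `filter = vsftpd` line assumes fail2ban's stock vsftpd filter, which matches vsftpd's own `FAIL LOGIN: Client "<ip>"` log format. The script only shows the decision; it does not ban anything itself.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Renders the jail.local the article describes and shows, on a constructed
# vsftpd.log, which client addresses the vsftpd jail would ban.

# Values stated in the article: jail vsftpd, port ftp, maxretry 3,
# bantime 86400 seconds, logpath /var/log/vsftpd.log.
# "filter = vsftpd" is assumed to be fail2ban's stock vsftpd filter.
render_jail_local() {
    cat <<'EOF'
[vsftpd]
enabled  = true
port     = ftp
filter   = vsftpd
logpath  = /var/log/vsftpd.log
maxretry = 3
bantime  = 86400
EOF
}

# Count the FAIL LOGIN lines vsftpd wrote for one client address.
# $1 = log file, $2 = client IP. Prints 0 (and succeeds) when none match.
count_failed_logins() {
    grep -c -F "FAIL LOGIN: Client \"$2\"" "$1" || true
}

# Print every client address that reached maxretry failed logins, once each,
# in the order in which they crossed the threshold (what fail2ban would ban).
# $1 = log file, $2 = maxretry
banned_clients() {
    grep 'FAIL LOGIN: Client "' "$1" \
      | sed 's/.*FAIL LOGIN: Client "\([^"]*\)".*/\1/' \
      | awk -v max="$2" '{ n[$1]++; if (n[$1] == max) print $1 }'
}

# Constructed sample of vsftpd's log format. 198.51.100.7 (a documentation
# address) plays the brute-forcer; 192.168.0.20 is a legitimate user who
# mistyped a password once.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mon Aug 16 10:00:01 2021 [pid 2101] [python] FAIL LOGIN: Client "198.51.100.7"
Mon Aug 16 10:00:02 2021 [pid 2103] [admin] FAIL LOGIN: Client "198.51.100.7"
Mon Aug 16 10:00:02 2021 [pid 2105] [python] OK LOGIN: Client "192.168.0.20"
Mon Aug 16 10:00:03 2021 [pid 2107] [root] FAIL LOGIN: Client "198.51.100.7"
Mon Aug 16 10:00:04 2021 [pid 2109] [python] FAIL LOGIN: Client "192.168.0.20"
Mon Aug 16 10:00:05 2021 [pid 2111] [test] FAIL LOGIN: Client "198.51.100.7"
EOF
    echo "$f"
}

main() {
    log=$(make_sample_log)
    echo "--- /etc/fail2ban/jail.local ---"
    render_jail_local
    echo "--- clients that would be banned with maxretry = 3 ---"
    banned_clients "$log" 3
    rm -f "$log"
}

main "$@"
```

Two caveats worth checking on a real host: fail2ban only counts failures that fall inside its findtime window (10 minutes by default), which this script does not model, and the jail can only work if vsftpd is actually writing FAIL LOGIN lines to /var/log/vsftpd.log. After a deliberate bad login from a test client, `sudo fail2ban-regex /var/log/vsftpd.log /etc/fail2ban/filter.d/vsftpd.conf` shows whether the filter matches, and `sudo fail2ban-client status vsftpd` shows the current failure counts and banned addresses.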

The next step will be to restart the fail2ban service for the changes to take effect.

sudo systemctl restart fail2ban

Once the above configuration is in place, any further Brute-force attempts by the attacker will result in the connection being refused. The attacker will see the following output if they run the Brute-force again.

As we can see above, the attacker is no longer able to use Brute-force to find out the credentials of the vsftpd server.

Conclusion

Any password hacking attempt is successful only because of predictable password combinations. Firewalls and IPS are great when increasing the protection of your assets over the network but do not forget practices such as training employees against social engineering, using multi-factor authentication, monthly password changes and random password audits across systems to ensure weak passwords are not in use.

Aryan Srivastava

Technological Consultant - Red Hat Linux, Ansible, Ansible Tower, Red Hat Satellite, Python & Ethical Hacking V11