From: De G. P. <PF-...@he...> - 2021-06-21 19:48:42
TJ,

Thanks for your quick reply. Sorry, I did not clearly describe the situation. I will try again....

Up till now, I have created Client-IP Classes to be able to enable banning clients for connecting too frequently with the Ban-rule ClientConnectRates for some Client-IP's, and to turn banning completely off for the other Client-IP's. But now I would like to turn on banning for ALL Client-IP's, but differentiate in the limit of the ClientConnectRate for specific Client-IP's. So for Client-IP's that should connect frequently, I set the max. ClientConnectRate to 10 per minute. For more frequently connecting clients, I set the max. ClientConnectRate to 20 per minute. And for the rest of the Clients, I set the max. ClientConnectRate to 5 per minute.

I created the following configuration in the Server Config:

<IfModule mod_dso.c>
  LoadModule mod_sql.c
  LoadModule mod_sql_sqlite.c
  LoadModule mod_sftp.c
  LoadModule mod_auth_otp.c
  LoadModule mod_ctrls_admin.c
  LoadModule mod_quotatab.c
  LoadModule mod_quotatab_file.c
  LoadModule mod_ban.c
  #ProFTPD v1.3.7rc4v7 compiled with DSO-module mod_ifsession
  LoadModule mod_ifsession.c
</IfModule mod_dso.c>

.......

<Class freq_conns>
  From 1.2.3.4    # A test server 1
</Class>

<Class morefreq_conns>
  From 5.6.7.8    # a Test server 2
</Class>

<IfModule mod_ban.c>
  BanEngine on
  BanLog /export/org/proftpd/log/proftpd_ban.log
  BanTable /export/org/proftpd/etc/proftpd_ban.tab

  # Allow the FTP admin to manually add/remove bans
  BanControlsACLs all allow user root,hpprgaaj,proftpd

  # If the same client reaches the MaxLoginAttempts limit 10 times
  # within 1 minutes, automatically add a ban for that client that
  # will expire after two hours.
  # BanOnEvent MaxLoginAttempts 2/00:05:00 01:00:00 "You are banned out for 1 hour"

  BanOnEvent RootLogin 1/00:01:00 02:00:00 "Stop connecting with root"
  BanOnEvent mod_auth.root-login 1/00:01:00 02:00:00 "Stop connecting with root"

  # Define that a banned client host in one VirtualHost is also banned in the other VirtualHost.
  BanOptions MatchAnyServer

  <IfClass freq_conns>
    # Set a specific ClientConnectRate for Client IP-classes that normally connect frequently
    # or that are unknown users/client-IP's.
    BanOnEvent ClientConnectRate 10/00:01:00 02:00:00 "Stop connecting frequently"
  </IfClass>

  <IfClass morefreq_conns>
    # Set a specific ClientConnectRate for Client IP-classes that normally connect very frequently
    BanOnEvent ClientConnectRate 20/00:01:00 02:00:00 "Stop connecting frequently"
  </IfClass>

  <IfClass !freq_conns AND !morefreq_conns>
    # Set a specific ClientConnectRate for all other Client IP's
    BanOnEvent ClientConnectRate 5/00:01:00 02:00:00 "Stop connecting frequently"
  </IfClass>
</IfModule>

However, this configuration does not work as expected:

1) It looks like only the first occurrence of the ClientConnectRate in the configuration is set, regardless of the Class for which it is meant. So a ban was set for the Client of Class "morefreq_conns" because of more than 10 connections/min, although in the config I specified a ClientConnectRate limit of 20/min. The Client of Class "freq_conns" will be banned at the ClientConnectRate of 10/min, which is right. However, for the Class "morefreq_conns", I specified a limit of ClientConnectRate of 20/min - not 10/min. And so for the Class "freq_conns", the same limit was set: 10/min. You can see that as well with

ftpdctl -s $CTRL_SOCK ban info -v -e

ftpdctl: Banned Hosts:
ftpdctl:   5.6.7.8
ftpdctl:     Reason: ClientConnectRate autoban at Mon Jun 21 21:10:28 2021
ftpdctl:     Expires: Mon Jun 21 23:10:28 2021 (in 7128 seconds)
ftpdctl:     <VirtualHost>: ProFTPD RHEL Test Dropserver-SFTP (<dropserver-IP>#22)
ftpdctl:
ftpdctl: Ban Events:
ftpdctl:   Event: ClientConnectRate
ftpdctl:     Source: 1.2.3.4
ftpdctl:     Occurrences: 8/*10*
ftpdctl:     Entry Expires: 21 seconds
ftpdctl:     <VirtualHost>: ProFTPD RHEL Test Dropserver-SFTP (10.52.129.70#22)

Didn't I configure ProFTPD right? Why is only the first Class matched for all Clients?

2) In which ProFTPD log can I find the Class that the ProFTPD daemon has defined for a connected client?

3) Strange is that while the SFTP-connections are banned, the clients can connect with FTP to the same dropserver IP without problems. However, I specified "BanOptions MatchAnyServer". What do I do wrong?

All comments and recommendations are appreciated.

Thanks in advance,
With regards,
Pieter de Gaaij

On 19 Jun 2021 03:45, TJ Saunders wrote:
>> Question: could it be made possible to configure different BanOnEvent
>> ClientConnectRate rules for different Classes ?
>>
>> Lets say:
>>
>> <Class manyconnects>
>>   From xxx.yyyy.zzzz.cccc
>> </Class>
>>
>> <Class lessconnects>
>>   From xxx.yyyy.zzzz.cccc
>> </Class>
>
> This should work -- assuming your different classes use different IP ranges, so that a given client only matches one of the defined classes. Your example above uses the same IP ranges/DNS names, so it's hard to tell if that is what you are actually using.
>
> When a client connects, you should see the matching class found for it, if any, in the ProFTPD logs.
>
>> I think, now only the first rule is configured.
>
> What behavior are you observing, to indicate that perhaps only the first class is being matched, perhaps unexpectedly?
>
> Cheers,
> TJ
>
>
> _______________________________________________
> ProFTPD Users List <pro...@pr...>
> Unsubscribe problems?
> http://www.proftpd.org/list-unsub.html
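One way to confirm the discrepancy described in point 1 without reading the verbose `ftpdctl ban info -v -e` output by eye: parse it and compare the limit mod_ban actually applied against the limit intended for each client's Class. This is an added example, not code from the thread or from ProFTPD; the sample output and the class-to-limit mapping are constructed here from the mail's config and must be adjusted to the real `<Class>` blocks.

```python
import re

# Constructed sample modelled on the ftpdctl output quoted in the mail
# (an extra event for 5.6.7.8 is included to show a mismatch).
SAMPLE = """\
ftpdctl: Banned Hosts:
ftpdctl:   5.6.7.8
ftpdctl:     Reason: ClientConnectRate autoban at Mon Jun 21 21:10:28 2021
ftpdctl:     Expires: Mon Jun 21 23:10:28 2021 (in 7128 seconds)
ftpdctl:
ftpdctl: Ban Events:
ftpdctl:   Event: ClientConnectRate
ftpdctl:     Source: 1.2.3.4
ftpdctl:     Occurrences: 8/10
ftpdctl:   Event: ClientConnectRate
ftpdctl:     Source: 5.6.7.8
ftpdctl:     Occurrences: 11/10
"""

# Assumed mapping taken from the <Class> blocks and the intended BanOnEvent limits.
CLASS_OF = {"1.2.3.4": "freq_conns", "5.6.7.8": "morefreq_conns"}
LIMIT_OF = {"freq_conns": 10, "morefreq_conns": 20, None: 5}  # None = no class matched

def parse_ban_info(text):
    """Return (banned, events): banned = {ip: reason}, events = [(ip, event, count, limit)]."""
    banned, events, section, ip, event = {}, [], None, None, None
    for raw in text.splitlines():
        line = raw[len("ftpdctl:"):].strip() if raw.startswith("ftpdctl:") else raw.strip()
        if not line:
            continue
        if line in ("Banned Hosts:", "Ban Events:"):
            section = line
        elif section == "Banned Hosts:":
            if re.fullmatch(r"[\d.]+", line):          # a banned host line
                ip, banned[line] = line, None
            elif line.startswith("Reason:") and ip:
                banned[ip] = line.split(":", 1)[1].strip()
        elif section == "Ban Events:":
            if line.startswith("Event:"):
                event = line.split(":", 1)[1].strip()
            elif line.startswith("Source:"):
                ip = line.split(":", 1)[1].strip()
            elif line.startswith("Occurrences:"):         # "count/limit" (asterisks tolerated)
                m = re.search(r"(\d+)/\*?(\d+)\*?", line)
                events.append((ip, event, int(m.group(1)), int(m.group(2))))
    return banned, events

def limit_mismatches(events):
    """ClientConnectRate events whose effective limit differs from the Class's intended limit."""
    return [(ip, limit, LIMIT_OF[CLASS_OF.get(ip)])
            for ip, ev, _count, limit in events
            if ev == "ClientConnectRate" and limit != LIMIT_OF[CLASS_OF.get(ip)]]
```

A non-empty result from `limit_mismatches` reproduces the symptom in the mail: the morefreq_conns host is being measured against the first rule's limit of 10 rather than 20.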