Snort: Block FTP Brute Force

TL;DR

This guide shows you how to use Snort to detect brute force attacks targeting your FTP server. We’ll write a custom rule that fires when one client receives five failed-login (530) replies within a minute, and then block the offending IP address at the firewall. Snort on its own only alerts; it does not block traffic unless it runs inline.

Prerequisites

  • Snort 2.x installed and configured (this guide uses the snort.conf layout; basic understanding required).
  • Access to Snort configuration files (usually in /etc/snort or similar).
  • Basic Linux command line knowledge.

Step-by-Step Guide

  1. Understand the Attack Pattern

    FTP brute force attacks typically involve many failed login attempts from a single IP address in a short time. Each failure is visible on the wire as the server’s 530 reply to the client, so that reply, counted per client, is what we detect.

  2. Create a Custom Rule File

    We’ll create a new rule file to store our FTP brute-force detection rule. This keeps your main Snort ruleset tidy.

    sudo nano /etc/snort/rules/ftp_brute_force.rules
  3. Write the Snort Rule

    Add the following rule to ftp_brute_force.rules. A failed FTP login shows up as the server’s 530 reply, so the rule watches traffic leaving the FTP server (port 21) towards the client, counts 530 replies per client, and alerts once a client has received five of them within a minute.

    alert tcp $HOME_NET 21 -> any any (msg:"FTP Brute Force Attempt"; flow:established,to_client; content:"530 "; depth:4; detection_filter:track by_dst, count 5, seconds 60; classtype:attempted-user; sid:1000001; rev:1;)
    • alert tcp $HOME_NET 21 -> any any: Alert on TCP traffic from port 21 on your FTP server to any client. Snort 2 rule headers only accept tcp, udp, icmp and ip as the protocol, so `alert ftp` does not parse.
    • msg:"FTP Brute Force Attempt";: This is the message that will be logged when a match is found.
    • flow:established,to_client;: Only inspect established connections, in the server-to-client direction. The 530 is the server’s reply; a rule with to_server would look at the wrong half of the conversation and never match.
    • content:"530 "; depth:4;: FTP reply codes are three digits followed by a space, and depth:4 restricts the match to the first four bytes of the payload, so the rule matches the 530 reply line itself rather than a "530" buried somewhere in a banner. The text after the code varies by server (vsftpd and ProFTPD answer "530 Login incorrect."), so matching on the code alone is more portable; tighten it to your server’s exact string if you see false matches.
    • detection_filter:track by_dst, count 5, seconds 60;: This is crucial. The count is kept per destination address, i.e. per client receiving the rejections, and the rule alerts on the fifth and every later matching reply within a 60-second window, never on the first four. detection_filter replaced the in-rule threshold keyword in Snort 2.8.5; note that `threshold: type limit` does the opposite of what we want (it alerts on the first events and suppresses the rest), so a single mistyped password would have produced an alert. The window reduces, but does not eliminate, false positives from legitimate users mistyping passwords.
    • classtype:attempted-user;: Assigns the classification and priority that appear in the alert log.
    • sid:1000001; rev:1;: Unique rule identifier and revision number. Choose a unique SID (1000000 and above is reserved for local rules).
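    To make the difference between the two keywords concrete, here is an added Python model (not Snort’s code) of the per-host window logic behind detection_filter and behind the original `threshold: type limit`, run over a constructed stream of 530 replies. The addresses, timestamps and the 5-in-60-seconds parameters are assumptions chosen to match the rule above.

```python
"""Model of how Snort decides whether a matching FTP 530 reply becomes an alert.

Added illustration, not Snort's source: it re-implements the per-host window
logic of detection_filter and of the old `threshold: type limit` keyword on a
constructed event stream so the difference between the two is visible.
"""

# Constructed stream of 530 replies seen by the sensor: (seconds, server, client).
# The rule tracks by_dst on server->client traffic, so the client is the key.
EVENTS = sorted([
    (0,  "192.168.1.10", "203.0.113.5"),
    (10, "192.168.1.10", "203.0.113.5"),
    (20, "192.168.1.10", "203.0.113.5"),
    (30, "192.168.1.10", "203.0.113.5"),
    (40, "192.168.1.10", "203.0.113.5"),   # 5th failure in 60 s: brute force
    (45, "192.168.1.10", "203.0.113.5"),   # 6th, same window
    (5,  "192.168.1.10", "198.51.100.7"),  # legitimate user mistypes twice,
    (70, "192.168.1.10", "198.51.100.7"),  # 65 s apart
])


def _window(state, key, ts, seconds):
    """Open or reuse the fixed window Snort keeps per tracked host: it starts
    at the host's first event and is reset once `seconds` have elapsed.
    Returns the number of hits in the current window, this event included."""
    start, hits = state.get(key, (None, 0))
    if start is None or ts - start >= seconds:
        start, hits = ts, 0
    hits += 1
    state[key] = (start, hits)
    return hits


def detection_filter(events, count=5, seconds=60, track="by_dst"):
    """detection_filter semantics: alert on the count-th and every later
    event inside the window, never on the first count-1."""
    state, alerts = {}, []
    for ts, src, dst in events:
        key = dst if track == "by_dst" else src
        if _window(state, key, ts, seconds) >= count:
            alerts.append((ts, key))
    return alerts


def threshold_limit(events, count=5, seconds=60, track="by_dst"):
    """`threshold: type limit, count N` semantics: alert on the first N events
    in each window and suppress the rest, the opposite of a brute-force gate."""
    state, alerts = {}, []
    for ts, src, dst in events:
        key = dst if track == "by_dst" else src
        if _window(state, key, ts, seconds) <= count:
            alerts.append((ts, key))
    return alerts


if __name__ == "__main__":
    print("detection_filter:", detection_filter(EVENTS))
    print("threshold limit: ", threshold_limit(EVENTS))
```

    With detection_filter only the brute-forcing client 203.0.113.5 produces alerts, and only from its fifth failure on; with the limit-type threshold the user at 198.51.100.7 is reported on every mistype, which is exactly the noise the rule is meant to avoid.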
  4. Configure Snort to Load the Rule File

    Edit your main Snort configuration file (snort.conf) and include the new rule file.

    sudo nano /etc/snort/snort.conf

    Add this line alongside the other `include $RULE_PATH/...` lines near the end of the file (it must come after the `var RULE_PATH` definition, or the path will not expand):

    include $RULE_PATH/ftp_brute_force.rules
  5. Test the Rule

    Validate the configuration first (`sudo snort -T -c /etc/snort/snort.conf` reports a rule syntax error instead of leaving you with a dead sensor), then restart Snort to load the new rule.

    sudo systemctl restart snort

    Simulate a brute force attack against your FTP server from a client address (use a test account and send at least five wrong passwords within a minute). Monitor the Snort alert log file (usually /var/log/snort/alert) to verify that the rule fires on the fifth failure and not before.

  6. Block Attacking IPs

    The alert alone isn’t enough. Even a `drop` rule in inline mode would only discard the server’s 530 reply, not the attacker’s next login attempt, so the attacking IP address has to be blocked at the firewall. There are several ways to do this:

    • Using a Firewall (iptables/firewalld): The most common method is to use your firewall to drop packets from the offending IPs. A script parses the Snort alert log and adds a firewall rule for each IP that triggered SID 1000001.
    • Consuming Snort’s Output: Snort does not run scripts itself, but its output plugins (alert_syslog, or unified2 read by Barnyard2) can feed a log consumer that does the blocking; Fail2ban-style tools work on the same principle. This requires more setup and scripting knowledge.

    Example iptables command (replace 192.168.1.100 with the attacker’s IP). Use -I rather than -A so the rule is inserted at the top of the chain: a DROP appended after an existing ACCEPT rule for port 21 is never reached.

    sudo iptables -I INPUT -s 192.168.1.100 -j DROP
  7. Automate Blocking (Optional)

    Write a script to parse the Snort alert log, extract the attacking IPs for SID 1000001, skip addresses you must never block (your own management hosts, monitoring systems, a NAT gateway or proxy shared by many users), and add the rest to your firewall’s block list. awk or grep are enough for the parsing; run the script from cron or against `tail -F` of the log.
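    The following is an added example of such a script, not the page’s own; it is written in Python rather than awk so the allowlist and duplicate checks are explicit. It assumes Snort writes fast-format alerts (the default text format in /var/log/snort/alert), that the rule is the server-to-client one from step 3 so the attacker is the destination address of each alert, and that the allowlist and the sample log lines are constructed values standing in for your own.

```python
"""Turn Snort fast-format alerts for the FTP brute-force rule into iptables
DROP rules.

Added example, not the page's script. Assumptions: fast-format alert lines,
SID 1000001 fires on the server->client 530 reply (so the attacker is the
alert's destination), and ALLOWLIST / SAMPLE_LOG are constructed values.
"""
import ipaddress
import re
import subprocess

FTP_SID = 1000001

# Hosts that must never be blocked whatever the log says: management networks,
# monitoring, a NAT gateway shared by many users (assumed example values).
ALLOWLIST = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.0.0.5/32"),
]

# Fast format: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src:port -> dst:port. The FTP rule is TCP, so ports
# are always present; ICMP alerts (no ports) simply do not match.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)"
)

# Constructed sample of alert lines, in the shape Snort's fast output uses.
SAMPLE_LOG = """\
07/15-14:03:21.118420  [**] [1:1000001:1] FTP Brute Force Attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.1.10:21 -> 203.0.113.5:49152
07/15-14:03:22.004911  [**] [1:1000001:1] FTP Brute Force Attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.1.10:21 -> 203.0.113.5:49153
07/15-14:05:02.778001  [**] [1:1000002:1] Some other local rule [**] [Priority: 0] {TCP} 192.168.1.10:80 -> 198.51.100.9:51000
07/15-14:06:10.331000  [**] [1:1000001:1] FTP Brute Force Attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.1.10:21 -> 192.168.1.55:40001
07/15-14:07:55.000123  [**] [1:1000001:1] FTP Brute Force Attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.1.10:21 -> 198.51.100.23:33333
"""


def parse_alerts(text, sid=FTP_SID):
    """Return (src, dst) for every alert line carrying the given SID."""
    hits = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m and int(m["sid"]) == sid:
            hits.append((m["src"], m["dst"]))
    return hits


def attackers(text, sid=FTP_SID, allowlist=ALLOWLIST):
    """Attacker = destination of the server->client alert. Unparsable and
    allowlisted addresses are skipped; one entry per host, numerically sorted."""
    found = set()
    for _src, dst in parse_alerts(text, sid):
        try:
            ip = ipaddress.ip_address(dst)
        except ValueError:
            continue
        if any(ip in net for net in allowlist):
            continue
        found.add(str(ip))
    return sorted(found, key=ipaddress.ip_address)


def block_commands(ips):
    """iptables argv lists; -I inserts ahead of any existing ACCEPT rule."""
    return [["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"] for ip in ips]


def apply_blocks(ips, dry_run=True):
    """Add each rule unless an identical one already exists (-C exits 0).
    dry_run only prints; run as root with dry_run=False to change the firewall."""
    for cmd in block_commands(ips):
        if dry_run:
            print(" ".join(cmd))
            continue
        check = cmd[:1] + ["-C"] + cmd[2:]
        if subprocess.run(check, capture_output=True).returncode != 0:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    apply_blocks(attackers(SAMPLE_LOG))
```

    Run against the sample, the script blocks 203.0.113.5 and 198.51.100.23 only: the alert from the other SID is ignored and the 192.168.1.55 client is protected by the allowlist. That allowlist is the important safety check, since a blocking script is otherwise a way for an attacker behind a shared NAT address to get that address, and everyone behind it, cut off. For continuous use, point it at the live alert file from cron or a `tail -F` pipeline and replace the sample text with the file contents.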

Important Considerations

  • False Positives: Adjust the count and seconds values carefully to minimize false positives. A NAT gateway or proxy shared by many users can legitimately produce many failures from one address; allowlist such hosts rather than blocking them.
  • Network Topology: Ensure your Snort sensor is positioned where it sees the server’s replies to clients, since the rule matches the 530 response; a sensor that only sees one direction of the traffic (asymmetric routing) never fires. The rule also only works for plaintext FTP: with FTPS the control channel is encrypted and the 530 is invisible on the wire, so detect those failures from the server’s own log instead.
  • Regular Updates: Keep your Snort rules updated to protect against new attack techniques.