mod_ban
The mod_ban module is designed to add dynamic "ban"
lists to proftpd.  A ban prevents the banned user, host, or
class from logging in to the server; it does not prevent the banned
user, host, or class from connecting to the server.
mod_ban is not a firewall. The module also provides
automatic bans that are triggered based on configurable criteria.
This module is contained in the mod_ban.c file for
ProFTPD 1.2.x/1.3.x, and is not compiled by default.
nstallation instructions are discussed here.
Detailed documentation on mod_ban usage can be found
here.
The most current version of mod_ban is distributed with the
proftpd source.
Please contact TJ Saunders <tj at castaglia.org> with any questions, concerns, or suggestions regarding this module.
The BanControlsACLs directive configures access lists of
users or groups who are allowed (or denied) the ability to
use the actions implemented by mod_ban. The default
behavior is to deny everyone unless an ACL allowing access has been explicitly
configured.
If "allow" is used, then list, a comma-delimited list
of users or groups, can use the given actions; all
others are denied.  If "deny" is used, then the list of
users or groups cannot use actions all others are
allowed.  Multiple BanControlsACLs directives may be used to
configure ACLs for different control actions, and for both users and groups.
The actions provided by mod_ban are "ban"
and "permit".
Examples:
# Allow only user root to ban and permit users BanControlsACLs all allow user root
The BanEngine directive enables or disables the banning of
sessions by mod_ban.  If it is set to off this module
does no banning. Use this directive to disable the module instead of
commenting out all mod_ban directives.
The BanLog directive is used to a specify a log file for
mod_ban reporting and debugging. The path parameter
must be the full path to the file to use for logging.  Note that this path must
not be to a world-writeable directory and, unless
AllowLogSymlinks is explicitly set to on
(generally a bad idea), the path must not be a symbolic link.
If path is "none", no logging will be done at all.
The BanMessage directive configures a message that will be
sent to clients that have been banned.  This message may contain the
following variables:
%a: client IP address
  %c: client class (if none, will be empty)
  %u: USER name (if none, will be empty)
Example:
BanMessage "Host %a has been banned"
The BanOnEvent directive is used to configure a "rule"
that is triggered whenever the named event occurs.  The currently
supported events are:
AnonRejectPasswords ClientConnectRate MaxClientsPerClass MaxClientsPerHost MaxClientsPerUser MaxConnectionsPerHost MaxHostsPerUser TimeoutIdle TimeoutNoTransferAn event is generated whenever one of these limits is reached by a client.
The freq parameter should be formatted as:
N/hh:mm:sswhere N is the number of occurrences, and
hh:mm:ss
specifies a number of hours, minutes, and seconds.  This parameter says
that if N occurrences of event happen within the given
time interval, then a ban is automatically added.  The IP address of
the connecting client is banned when the following event rules are
triggered: AnonRejectPasswords, MaxClientsPerHost,
MaxConnectionsPerHost, MaxLoginAttempts,
TimeoutIdle, and TimeoutNoTransfer.  The class of
the connected client, if any, is banned when a rule for
MaxClientsPerClass is triggered.  Rules for
MaxClientsPerUser and MaxHostsPerUser will cause
the connected username to be banned.
The duration should be formatted as:
hh:mm:ssand specifies the numbers of hours, minutes, and seconds that the an automatic ban generated a
BanOnEvent rule lasts.  Unlike
bans added via the ban ftpdctl control
action, automatic bans do not have infinite lifetimes.
An optional message, to be displayed to banned clients, can be configured.
If no such optional message is configured using the BanOnEvent
directive, then any BanMessage message will be displayed.
For example:
# Configure a rule to automatically ban scripts looking for anonymous # servers to which they can upload BanOnEvent AnonRejectPasswords 1/01:00:00 99:99:99 # Ban clients which connect too frequently. This rule bans clients # which connect more than 5 times within one minute. Include a special # message just for them. BanOnEvent ClientConnectRate 5/00:01:00 04:00:00 "Stop connecting frequently"
See also: BanMessage
The BanTable directive configures a path to a file
that mod_ban uses for handling its ban data.  The given
path must be an absolute path.  Note: this directive is
required for mod_ban to function.  It is recommended
that this file not be on an NFS mounted partition.
Note that ban data is not kept across daemon stop/starts.  That is,
once proftpd is shutdown, all current ban data is lost.
ban
The ban action is used to add bans to the mod_ban
lists.  For example, to ban a user:
ftpdctl ban user daveTo ban specific hosts, you can use either IP addresses or DNS names:
ftpdctl ban host 1.2.3.4 5.6.7.8 ftpdctl ban host gw.evil.comBanning a class works the same way:
ftpdctl ban class anonftp
The info parameter is used to view information on current bans. Example listing:
# ftpdctl ban info ftpdctl: Banned Hosts: ftpdctl: 127.0.0.1Or, if you wish to see more information, use the
-v option:
# ftpdctl ban info -v ftpdctl: Banned Hosts: ftpdctl: 127.0.0.1 ftpdctl: Reason: MaxLoginAttempts autoban at Wed May 19 14:59:25 2004 ftpdctl: Expires: Wed May 19 14:59:55 2004 (in 24 seconds)It is also possible to see the state of ban event rules, using the
-e option:
# ftpdctl ban info -e ftpdctl: No bans ftpdctl: ftpdctl: Ban Event Entries: ftpdctl: Event: MaxLoginAttempts ftpdctl: Source: 127.0.0.1 ftpdctl: Occurrences: 1/2 ftpdctl: Entry Expires: 589 secondsThis shows that no bans are currently in effect, and that a
BanOnEvent has been configured for the
MaxLoginAttempts event.  That event has occurred once, and
will need to happen one more time within 589 seconds in order for an
automatic ban to be added.
See also: permit
permit
The permit action is used to remove a ban for users, hosts,
and classes:
ftpdctl permit user dave ftpdctl permit host 1.2.3.4 gw.evil.com ftpdctl permit class anonftp
See also: ban
mod_ban, copy the mod_ban.c file
into:
proftpd-dir/contrib/after unpacking the latest proftpd-1.2.x source code. Then follow the usual steps for using third-party modules in proftpd, making sure to include the
--enable-ctrls configure option, which mod_ban
requires:
./configure --enable-ctrls --with-modules=mod_ban make make install
mod_ban module implements its bans by checking if a client
is banned, either by host or by class, when that client connects to the
server.  Banned clients are immediately disconnected.  Banned users are
checked after the client has sent the USER and PASS
commands; if that user has been banned, the client is immediately disconnected.
Here is an example mod_ban configuration, demonstrating how
to configure an automatic ban for MaxLoginAttempts:
  MaxLoginAttempts 1
  <IfModule mod_ban.c>
    BanEngine on
    BanLog /var/log/proftpd/ban.log
    BanTable /var/data//proftpd/ban.tab
    # If the same client reaches the MaxLoginAttempts limit 2 times
    # within 10 minutes, automatically add a ban for that client that
    # will expire after one hour.
    BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00
    # Allow the FTP admin to manually add/remove bans
    BanControlsACLs all allow user ftpadm
  </IfModule>
Default list size, BAN_LIST_MAXSZ, configuring using CFLAGS
Frequently Asked Questions
Question: Why does mod_ban not store ban data across daemon stop/starts?
Answer: The mod_ban module was not
designed to add yet another ACL mechanism to proftpd.  For
persistent access control, there is the <Limit LOGIN>
section, the mod_wrap module, the /etc/ftpusers
file, and various other mechanisms.  The purpose of mod_ban
is to provide dynamic, short-lived bans.
Question: What about having proftpd delay sending responses to clients, say by 30 seconds or so?
Answer:  This is a bad idea.  It would allow
malicious clients, who knew they were banned, to tie up your
proftpd processes, since those processes would be taking up
space, waiting before sending responses back to the client.  This makes it
possible for those clients to use the delaying as a Denial of Service attack,
eventually tying up your available system resources with waiting
proftpd processes.