
I have pure-ftpd running on a web server with Fail2Ban. Fail2Ban is letting apache2 connections in but is denying any FTP connection from anything but localhost. I have attempted to modify the jail.local and jail.conf files but I am still having issues.

Here is the pure-ftpd section of my jail.local file:

[pure-ftpd]
enabled = true
port     = ftp,ftp-data,ftps,ftps-data
filter   = pure-ftpd
logpath  = /var/log/auth.log
maxretry = 6

Here is a view of my iptables -L -n:

Chain INPUT (policy DROP)
target     prot opt source               destination
fail2ban-postfix  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,25,587,110,995,143,993,4190
fail2ban-dovecot  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,25,587,110,995,143,993,4190
fail2ban-roundcube  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,25,587,110,995,143,993,4190
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
fail2ban-pure-ftpd  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 21,20,990,989
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-dovecot (1 references)

If I run the following commands manually, FTP works (in active mode; I still can't get passive to work), but I really want to get this working with Fail2Ban:

iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT

Any ideas on how to get the fail2ban to configure iptables correctly? If not, what rules do I need to set to get active and passive FTP working correctly?
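The listing above already shows why fail2ban alone never lets FTP in: the fail2ban-* chains it inserts at the top of INPUT only hold DROP/REJECT entries for banned addresses and otherwise RETURN, so a packet for port 21 falls through to the rest of INPUT, no ACCEPT matches it, and the chain policy DROP wins. The script below is an added example (it is not part of the question and not a fail2ban tool) that runs that check over the text of `iptables -L -n`: it lists every port a fail2ban jump rule covers that no ACCEPT rule opens, and counts blanket `ACCEPT all` rules, which `-L -n` prints without the interface column. The SAMPLE text is constructed from an abridged copy of the question's INPUT chain, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit `iptables -L -n` output for ports that fail2ban guards but
# that no ACCEPT rule opens. fail2ban chains only ban; they never accept.

# Constructed sample: an abridged copy of the INPUT chain from the question.
SAMPLE='Chain INPUT (policy DROP)
target     prot opt source               destination
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
fail2ban-pure-ftpd  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 21,20,990,989
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination'

# ports_for TARGET_REGEX LISTING
# Print, one per line, every port named by an INPUT rule whose target matches
# TARGET_REGEX. Handles "tcp dpt:N" and "multiport dports A,B,C"; port ranges
# ("dpts:A:B") are not expanded.
ports_for() {
    printf '%s\n' "$2" | awk -v tgt="$1" '
        /^Chain /                      { chain = $2 }
        chain == "INPUT" && $1 ~ tgt {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $i }
                if ($i == "dports") {
                    n = split($(i + 1), p, ",")
                    for (j = 1; j <= n; j++) print p[j]
                }
            }
        }' | sort -un
}

f2b_ports()    { ports_for '^fail2ban-' "$1"; }   # ports a jail watches
accept_ports() { ports_for '^ACCEPT$'   "$1"; }   # ports INPUT actually opens

# missing_accepts LISTING
# Ports a fail2ban jump rule covers but no ACCEPT rule opens: with policy DROP
# these are closed to everyone, banned or not.
missing_accepts() {
    opened=$(accept_ports "$1")
    for port in $(f2b_ports "$1"); do
        printf '%s\n' "$opened" | grep -qx "$port" || echo "$port"
    done
}

# blanket_accepts LISTING
# Count "ACCEPT all" rules that carry no match at all. `iptables -L -n` hides
# the interface column, so such a rule may be the harmless loopback rule
# (-i lo) or may open every port to everyone; rerun with -v to see which.
blanket_accepts() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2 }
        chain == "INPUT" && $1 == "ACCEPT" && $2 == "all" && NF == 5 { c++ }
        END { print c + 0 }'
}

echo "Ports fail2ban watches but INPUT never accepts:"
missing_accepts "$SAMPLE"
echo "Blanket ACCEPT rules to verify with iptables -nvL: $(blanket_accepts "$SAMPLE")"
```

Run it against a live box with `missing_accepts "$(iptables -L INPUT -n)"`; every port it prints needs its own `-A INPUT -p tcp --dport N -j ACCEPT`, placed after the RELATED,ESTABLISHED rule, regardless of what the jail does.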

2 Answers


I found the default iptables configuration at /etc/default/iptables, added the following, restarted the iptables service, and FTP is now working:

-A INPUT -p tcp --dport 20 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
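For a persistent rule set in the iptables-restore format that this kind of file uses, here is an added example of where the FTP rules fit relative to the rest of INPUT (it is not the answerer's file and is not shipped with fail2ban or Pure-FTPd). It assumes ssh on port 22 and a Pure-FTPd PassivePortRange of 42420 to 42520; both are my assumptions. It deliberately contains no fail2ban-* chains: fail2ban creates and inserts those itself with its iptables-multiport action when it starts, so they do not belong in a saved rule set.

```text
# /etc/iptables.rules (assumed path): load with `iptables-restore < /etc/iptables.rules`
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Run the FTP conntrack helper on control connections. Needed on kernels where
# automatic helper assignment is off (the default since 4.7); harmless elsewhere.
# Requires: modprobe nf_conntrack_ftp
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, with the interface pinned so this is not a blanket ACCEPT.
-A INPUT -i lo -j ACCEPT
# Replies and helper-tracked data connections. Keep this above the per-port rules.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
# FTP control channel. fail2ban will insert its jump rule above this at runtime.
-A INPUT -p tcp --dport 21 -j ACCEPT
# Passive data channel. With the helper loaded, plain-FTP data connections are
# already RELATED; the helper cannot read PASV replies over TLS, so the
# configured PassivePortRange (assumed 42420-42520) is opened explicitly.
-A INPUT -p tcp --dport 42420:42520 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
```

Restart fail2ban after every iptables-restore: restoring the filter table flushes the fail2ban-* chains it had inserted, and until it restarts nobody is banned. Active mode needs no inbound rule for port 20 here: the server opens the data connection outbound, OUTPUT is ACCEPT, and the client's replies match RELATED,ESTABLISHED.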

How to set up passive ports for Pure-FTPd (and set up your firewall):

  1. Set the maximum number of concurrent FTP connections in this file:

    /etc/pure-ftpd/conf/MaxClientsNumber
    

    for example:

    50
    
  2. Set the desired passive port range in this file:

    /etc/pure-ftpd/conf/PassivePortRange
    

    for example:

    42420 42520
    

    Hints:

    • Enter two port numbers separated by a space.
    • Open twice as many ports as you've set in MaxClientsNumber, e.g. MaxClientsNumber = 50 -> open 100 passive ports.
    • Ports have to be in a free port range (not used on your machine by another service yet and not used by any other standard service).
    • Passive port range examples: 29100-29200 or 32770-32870 or 42420-42520 or 51899-51999. See full list of standard IP ports here. Check for used ports on your machine with sudo iptables -nvL.
  3. Open ports in firewall:

    May I suggest using UFW in addition to iptables? This will make setting firewall rules much easier for you and also makes your rules persistent.

    Whenever changing things on your firewall, take care not to lock yourself out of your machine! Check that port 22/ssh is open if you are connected via ssh.

    Install UFW, deny any incoming traffic (first close everything, then just open the ports needed), open port 22/ssh, then start UFW:

    sudo apt-get install ufw
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw allow ssh
    sudo ufw enable
    

    Open ports for FTP: (please replace 42420:42520 with your own ports.)

    sudo ufw allow ftp
    sudo ufw allow proto tcp from any to any port 42420:42520
    

    Open ports for your webserver:

    sudo ufw allow http
    sudo ufw allow https
    

    Open ports for your mailserver: (maybe you don't need all those ports; for good advice see here.)

    sudo ufw allow 25
    sudo ufw allow 110
    sudo ufw allow 143
    sudo ufw allow 465
    sudo ufw allow 587
    sudo ufw allow 993
    sudo ufw allow 995
    sudo ufw allow 4190
    

    Finally check your settings and enable them permanently:

    sudo ufw status verbose
    sudo ufw disable
    sudo ufw enable
    
  4. Last step: Check again whether the UFW install took care of all your prior iptables rules, and if it did not, remove them manually.

    iptables -nvL --line-numbers
    iptables -D INPUT X
    

    Replace X with the line number you've read from the output of the first command and repeat (both commands!) for each iptables rule you want to delete.

    Especially check again for this iptables rule on the INPUT chain (as seen in your data above), using the '-v' option: sudo iptables -nvL

    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    

    If you see a column that reads 'lo' in this line, then everything is fine and nothing needs to be done here. If there's no 'lo' in this line, this could mean your firewall accepts all traffic on all ports (as if you had no firewall at all) and it should be removed.

Now you should have Pure-FTPd accepting passive ports and UFW set up for simple firewall management.

Bob
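The hints in step 2 above (a range at least twice MaxClientsNumber wide, in a free, non-standard part of the port space) are easy to get wrong by hand. The script below is an added example, not part of Bob's answer or of Pure-FTPd, that checks a candidate PassivePortRange against those rules before you write it to /etc/pure-ftpd/conf/PassivePortRange and open it in ufw. The function names are mine, the in-use port lists in the demo calls are constructed, and `listening_ports` assumes a Linux host with a recent iproute2 `ss`.

```shell
#!/bin/sh
# Added example (not from the answer above): validate a Pure-FTPd passive port
# range against the hints given there before committing it to
# /etc/pure-ftpd/conf/PassivePortRange and opening it in ufw.

# check_passive_range MAXCLIENTS FIRST LAST "IN_USE_PORTS"
# Prints "ok" and returns 0 when the range is usable; otherwise prints the
# reason and returns 1. IN_USE_PORTS is a space-separated list of ports that
# already have a listener on the host (see listening_ports below).
check_passive_range() {
    max=$1; first=$2; last=$3; in_use=$4
    case $max in
        ''|*[!0-9]*|0) echo "MaxClientsNumber must be a positive integer"; return 1 ;;
    esac
    # Stay out of the privileged/well-known range and keep FIRST < LAST.
    if [ "$first" -lt 1024 ] || [ "$last" -gt 65535 ] || [ "$first" -ge "$last" ]; then
        echo "range must satisfy 1024 <= FIRST < LAST <= 65535"; return 1
    fi
    # Hint: open twice as many ports as MaxClientsNumber.
    need=$((2 * max)); width=$((last - first + 1))
    if [ "$width" -lt "$need" ]; then
        echo "range holds $width ports but MaxClientsNumber=$max needs $need"; return 1
    fi
    # Hint: the range must not collide with anything already listening.
    for p in $in_use; do
        if [ "$p" -ge "$first" ] && [ "$p" -le "$last" ]; then
            echo "port $p is already in use inside $first-$last"; return 1
        fi
    done
    echo ok
}

# listening_ports
# TCP ports with a listener on this host, from iproute2's ss (Linux only), as
# one space-separated line to pass as the fourth argument above.
listening_ports() {
    ss -Hltn 2>/dev/null | awk '{ sub(/.*:/, "", $4); print $4 }' | sort -un | xargs
}

# Demo with constructed in-use lists instead of the live listener list
# (`|| true` keeps the demo going when the script runs under set -e).
check_passive_range 50 42420 42520 "22 80 443"             # ok
check_passive_range 50 42420 42460 "22 80 443" || true     # too narrow: 41 < 100
check_passive_range 50 42420 42520 "22 42500"  || true     # collides with 42500
```

On the real host run `check_passive_range "$(cat /etc/pure-ftpd/conf/MaxClientsNumber)" 42420 42520 "$(listening_ports)"` with your own range; only when it prints ok does the `sudo ufw allow proto tcp from any to any port 42420:42520` rule from step 3 make sense.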