Deny ftp acces from foreign country

    Hello :)


    My server was cracked and my domains files was infected with malicious scripts. I'm working from my home, I'm the only server admin but someone could crack my ftp or mysql "server". I don't know how but stole the ftp passwords.


    I'm using fail2ban for secure my server. I seen the log and no one try to hack my ftp, so the problem come from another way...


    Can someone help me how can I restrict the ftp login from foreign country? In proftpd config I setting up AllowForeignAddress off, but I don't know this help me...


    I'm using i-MSCP 1.1.0-beta2, phpmyadmin 3.5.3, ProFTPD 1.3.4a


    Ps. In i-MSCP config I restricted the login from foreign country for admin/reseller/user..


    Thanks everyone who can help me...

    Edited once, last by gabesz86 ().

    the most common are unsecure passwords
    old or not updated scripts on web-sites
    unsecure ssh access


    as long as you don´t know how the server was compromized take the server offline and analyse the log-files.


    if your ssh-access was compromized then only a new server setup will be secure.


    I'm using fail2ban to secure my ftp and ssh. I seen the fail2ban log file, the ssh was attacked but blocked the attacker's IP but the proftpd didn't attacked (no ftp attack entry in the fil2ban log). After I saw the proftpd log files and I seen the attacker knew the ftp names and passwords. This datas stored only the i-MSCP database and the users know this data too. The IP what attacked the ssh and the IP's (more than one) what login the ftp accounts doesn't match.

    don´t trust to much on fail2ban it only can help to secure but not to 100%
    a iptables based firewall will do a better job


    much depending on how your server was compromized you never can be sure thru wich real ip it was done. so just block a ip or a ip-range can give a zero result.


    contact the isp to the ip wich is under suspicion and ask them if they can find such connections to your server in theire logs.


    but eaven then you don´t know how/why the usernames and passwords where accessable. so at the moment may your system is not secure at all.

    yeh I know. Thats why I want to disbale login to ftp from foreign country. Have no idea how can I make it? :D I'm using Ubuntu 12.04LTS and proftpd

    i gave you allready the hint to iptables. there you can define rules to access ftp.


    you can eaven work with hosts.deny and hosts.allow


    but if i was your customer and could not reach my ftp from anywhere then i would be really p.....(a bad word)


    found this one:
    http://www.castaglia.org/proft…/internals/ftpaccess.html

    In /var/log/xferlog or something like that you can see all ftp connections to your server and uploaded/downloaded files. If your server was infected via ftp, it's also possible, that your client computer is unsecure. There are some trojan horses which are searching for filezilla/eclipse/etc. ftp passwords and using them to attack your server.
    Check your computer and change all passwords. Because of this attack scenario ftp accounts should just used by one person. So later you can check which computer was infected with a trojan horse.

    Quote from Ninos


    In /var/log/xferlog or something like that you can see all ftp connections to your server and uploaded/downloaded files. If your server was infected via ftp, it's also possible, that your client computer is unsecure. There are some trojan horses which are searching for filezilla/eclipse/etc. ftp passwords and using them to attack your server.
    Check your computer and change all passwords. Because of this attack scenario ftp accounts should just used by one person. So later you can check which computer was infected with a trojan horse.


    I checked my log and yes infected my files via ftp. I don't know what happening now but some of friends said that happening with too. Now I reinstalled two another website which not stored on my server. Anyway I try to make a SFTP with pro ftpd. I checked google and I'm going to try it. I hope this will make more security. If I have make it I will contact the dev team and make a wiki doc :D