vsftpd on OpenWRT - Simple Intrusion Detection & Prevention

When you expose a service like FTP to the public internet, you soon notice strangers trying to log on to your server. These are password-guessing attempts: unless you have enabled anonymous logins or use weak passwords, the main harm is that they fill your log file. Still, an uncomfortable feeling remains.

If the server simply lets a remote party keep trying, the log-on attempts go on for a long time. It would probably be interesting to let one of them in and see what happens next. Experience shows that interest in the server quickly disappears once the source IP is blocked for a couple of minutes.

fail2ban (http://en.wikipedia.org/wiki/Fail2ban) is one way to set this up. On my OpenWRT box fail2ban is not available - at least not in the package manager. As it is written in Python, there is a fair chance of getting it working on OpenWRT.

In order to protect the vsftpd running on my OpenWRT box, I decided to write a small Python application that does practically the same thing as fail2ban: watch the vsftpd log, and block the source IP in the firewall for a while once a client connects too often.

If you are interested, you find the download link at the bottom of the page. Next, I'm going to explain how to set up this project:

Step 1: Python

Install Python on your OpenWRT machine:




Step 2: Download and Install Ban4vsftpd

The application can be downloaded from SourceForge (link below). Just upload the archive to your router and unzip it there.

Assuming you unzipped it into the root user's home directory, you get the following directory structure:

/root/Band4vsftpd/    <- root directory of the installation
       src/           <- the Python files
       scripts/       <- the scripts that modify the firewall (iptables)
       src/config/    <- the configuration file

After the first start an additional directory is created:

       blockedIPs/    <- one file per currently blocked IP

Step 3: Configure

The config file can be found under src/config and can be edited with a normal text editor.

The key to making the app work is the logfile key in the Monitor section: it must point at the vsftpd log file the app is supposed to watch (the vsftpd.log file mentioned under Step 5). If the path is wrong, nothing will ever be blocked.

If you have clients in the local LAN (e.g. an IP camera with motion detection) which frequently upload files, you may want to add their IPs to the passthrough list. IPs in the passthrough list will never be blocked, regardless of how often they connect. The list can have multiple entries separated by ":". IPs are matched by a simple string comparison, not by subnet mask: for example, 10.8.0 allows all IPs from 10.8.0.1 to 10.8.0.255, a second /24 such as 10.8.1.x needs its own entry, and a bare 10.8 would let through everything from 10.8.0.0 to 10.8.255.255. Keep the entries as specific as you can, since anything listed here is exempt from the protection entirely.

The combination of maxConnect and period determines when a client is blocked: when a client connects more than maxConnect times within period seconds, it is blocked. The duration of the block is given by blockTime, also in seconds; after that the firewall rule is removed again and the client starts with a clean count.
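To make the Monitor rules concrete, here is the same detection logic run over a few constructed vsftpd.log lines. This is example code written for this page, not Ban4vsftpd's own source: the log-line pattern, the fact that only CONNECT lines are counted, the prefix-style passthrough match and the settings values are all assumptions of this example. In the real daemon the "block" and "unblock" entries would be calls to the scripts in scripts/, and unblocking would be driven by a timer rather than by the next log line.

```python
import calendar
import re
import time
from collections import defaultdict, deque

# Hypothetical settings mirroring the config keys described in the text
# (maxConnect, period, blockTime, passthrough); values chosen for the demo.
MAX_CONNECT = 3                      # more than this many connects ...
PERIOD = 60                          # ... within this many seconds -> block
BLOCK_TIME = 600                     # seconds a block stays in place
PASSTHROUGH = "10.8.0:192.168.1.20"  # ':'-separated, plain string-prefix match

# Assumed vsftpd log line, e.g.
#   Tue Sep 10 19:08:16 2013 [pid 2] CONNECT: Client "203.0.113.7"
# Some vsftpd builds print IPv4 clients as "::ffff:203.0.113.7"; tolerated here.
CONNECT_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) .*'
    r'CONNECT: Client "(?:::ffff:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"')


def parse_ts(ts):
    """Log timestamp -> epoch seconds (read as UTC so the demo is TZ-independent)."""
    return calendar.timegm(time.strptime(ts, "%a %b %d %H:%M:%S %Y"))


def is_passthrough(ip, passthrough=PASSTHROUGH):
    """The text's 'simple string compare': entry '10.8.0' matches 10.8.0.x."""
    return any(ip.startswith(p) for p in passthrough.split(":") if p)


class Monitor:
    def __init__(self, max_connect=MAX_CONNECT, period=PERIOD,
                 block_time=BLOCK_TIME, passthrough=PASSTHROUGH):
        self.max_connect, self.period = max_connect, period
        self.block_time, self.passthrough = block_time, passthrough
        self.connects = defaultdict(deque)  # ip -> connect times inside the window
        self.blocked = {}                   # ip -> epoch at which the block expires
        self.actions = []                   # what would be handed to the firewall scripts

    def expire_blocks(self, now):
        for ip, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[ip]
                self.actions.append(("unblock", ip))

    def feed(self, line):
        """Process one log line; return the IP if this line triggered a block."""
        m = CONNECT_RE.match(line)
        if not m:
            return None                     # FAIL LOGIN / OK LOGIN lines are not counted
        now, ip = parse_ts(m.group("ts")), m.group("ip")
        self.expire_blocks(now)
        if ip in self.blocked or is_passthrough(ip, self.passthrough):
            return None
        window = self.connects[ip]
        window.append(now)
        while window and now - window[0] > self.period:
            window.popleft()                # forget connects older than `period`
        if len(window) > self.max_connect:
            self.blocked[ip] = now + self.block_time
            window.clear()                  # clean count once the block ends
            self.actions.append(("block", ip))
            return ip
        return None


def run(log_text, **settings):
    """Feed every line of a log; return (firewall actions in order, IPs still blocked)."""
    mon = Monitor(**settings)
    for line in log_text.splitlines():
        mon.feed(line)
    return mon.actions, sorted(mon.blocked)


# Constructed sample log (not real traffic): one scanner (203.0.113.7) and one
# LAN camera (10.8.0.15) that also connects four times within a minute.
SAMPLE_LOG = """\
Tue Sep 10 19:08:16 2013 [pid 2] CONNECT: Client "203.0.113.7"
Tue Sep 10 19:08:17 2013 [pid 1] [admin] FAIL LOGIN: Client "203.0.113.7"
Tue Sep 10 19:08:20 2013 [pid 2] CONNECT: Client "203.0.113.7"
Tue Sep 10 19:08:24 2013 [pid 2] CONNECT: Client "203.0.113.7"
Tue Sep 10 19:08:29 2013 [pid 2] CONNECT: Client "10.8.0.15"
Tue Sep 10 19:08:30 2013 [pid 2] CONNECT: Client "203.0.113.7"
Tue Sep 10 19:08:31 2013 [pid 2] CONNECT: Client "10.8.0.15"
Tue Sep 10 19:08:33 2013 [pid 2] CONNECT: Client "10.8.0.15"
Tue Sep 10 19:08:35 2013 [pid 2] CONNECT: Client "10.8.0.15"
Tue Sep 10 19:08:36 2013 [pid 2] CONNECT: Client "203.0.113.7"
Tue Sep 10 19:18:40 2013 [pid 2] CONNECT: Client "203.0.113.7"
Tue Sep 10 19:18:41 2013 [pid 2] CONNECT: Client "203.0.113.7"
"""

if __name__ == "__main__":
    for action in run(SAMPLE_LOG)[0]:
        print(action)
```

With these settings the scanner is blocked on its fourth connect at 19:08:30, its connect at 19:08:36 is ignored while the block lasts, and the block is lifted at 19:18:40 before its next connect is counted afresh; the camera is never blocked because it matches the 10.8.0 passthrough entry. Setting period to 5 seconds lets the scanner through, which is why period and maxConnect have to be tuned together.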

The Logging section defines the app's own logging. Log files are rotated at 1 MB, and the last four files are kept.

The PID file (daemonfile key) prevents the app from running twice at the same time. If the app crashed and the process is in fact no longer running, the stale file is still there and you may have to delete it manually before the app will start again.
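The stale-PID-file situation just described can be handled automatically. The following is an added example for this page, not code from Ban4vsftpd: it reads the PID from the file, checks whether that process still exists by sending signal 0 (which delivers nothing but reports whether the PID is alive), and removes the file if it is stale. The demo() helper and the path it uses are this example's own; the real daemonfile path is whatever you configured.

```python
import errno
import os
import subprocess
import sys
import tempfile


def pid_alive(pid):
    """True if a process with this PID exists (signal 0 delivers nothing)."""
    try:
        os.kill(pid, 0)
    except OSError as e:
        if e.errno == errno.ESRCH:
            return False            # no such process: the PID file is stale
        if e.errno == errno.EPERM:
            return True             # exists, but owned by another user
        raise
    return True


def check_pidfile(path):
    """Return 'running', 'stale' or 'absent' for a daemon PID file.
    A stale file is removed so the daemon can start again without manual cleanup."""
    try:
        with open(path) as f:
            pid = int(f.read().strip() or 0)
    except IOError:
        return "absent"
    except ValueError:
        pid = 0                     # garbage in the file counts as stale
    if pid > 0 and pid_alive(pid):
        return "running"
    os.remove(path)
    return "stale"


def demo():
    """Exercise check_pidfile with a live PID, a dead PID and no file at all.
    Uses a hypothetical PID file in a temporary directory; returns the verdicts."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "ban4vsftpd.pid")
    results = {}
    with open(path, "w") as f:
        f.write("%d\n" % os.getpid())        # ourselves: definitely running
    results["live"] = check_pidfile(path)
    p = subprocess.Popen([sys.executable, "-c", "pass"])
    p.wait()                                 # reaped, so this PID no longer exists
    with open(path, "w") as f:
        f.write("%d\n" % p.pid)
    results["dead"] = check_pidfile(path)
    results["after_dead"] = check_pidfile(path)  # the stale file was removed
    os.rmdir(d)
    return results


if __name__ == "__main__":
    print(demo())
```

On a small router PIDs get reused quickly, so a stale file can by chance point at an unrelated live process; for a single-purpose box that is an acceptable residual risk, and the alternative (deleting the file by hand) is exactly what the text describes.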


Step 4: Decide to run as root (or not)

On OpenWRT practically all services run as root. That is a risk: an intruder who compromises the FTP server can immediately do anything on the machine. vsftpd is started as root by default (it hands client sessions to unprivileged child processes, but the listener itself stays root), so if you accept that, running this app as root adds comparatively little extra exposure; the app reads the log file and calls the firewall scripts, it does not talk to clients itself.

The scripts in the scripts/ directory need root privileges in any case, since iptables cannot be modified otherwise. If you want to run the Python part unprivileged, those scripts are the piece that still has to be run as root.

Please refer also to the readme.txt in the src directory.


Step 5: Automatic Start on Boot

I decided to extend the file /etc/init.d/vsftpd:


The code in the two red boxes is what was added to the already installed file. It is important to touch the vsftpd.log file before starting the app: vsftpd only creates the log once the first client connects, and the app will fail to start if the file does not exist yet.


The complete source code is available on SourceForge: http://sourceforge.net/projects/ban4vsftp/