We are in the process of migrating this forum. A new space will be available soon. We are sorry for the inconvenience.

Enable module ip_conntrack_ftp and xtables-addons (for TARPIT) on VPS Classic

2015-07-30, 02:18 PM

I would like to install security on my VPS (debian 7 wheezy) which is a FTP server (pure-ftpd) and WEB server (nginx).

Well, I have 2 problems :

1° / I found a firewall script (with iptables) which needs ip_conntrack_ftp but this module is not on my kernel [ 2.6.32-042stab108.5 ].
The state ESTABLISHED is no longer recongnized after the connexion on 21.
[And although my FTP passive range in PureFTPd is 40110 to 40210 ; I noticed that the source port didn't respect this range so I had to write --sport 1024:65535 instead of --sport 40110:40210 ... but the destination-port respect the passive range ^^ ]
# FTP Connexion
iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

# Then FTP Passive Connections (transfer data) when the connexion is successfull  : 
iptables -A INPUT -p tcp --sport 40110:40210 --dport 40110:40210  -m state --state ESTABLISHED -j ACCEPT

#But in my case, I had to open to all the states :
iptables -A INPUT -p tcp --sport 1024:65535 --dport 40110:40210 -j ACCEPT

2°/ Then in fail2ban, I had another problem, I would like to write an action that use TARPIT but the module xtables-addons isn't enable as well.
actionban = iptables -I fail2ban- 1 -s  -j TARPIT
	    iptables -I fail2ban- 1 -s  -j DROP
I tried to install :
apt-get update
apt-get install iptables module-assistant xtables-addons-common
module-assistant --verbose --text-mode auto-install xtables-addons
iptables -A INPUT -p tcp --dport 999 -j TARPIT
The answer is "iptables: No chain/target/match by that name".

Thank you for all the help. (English is not my native language.)
Any clue is welcome.