Security Basics mailing list archives

Re: Massive failed FTP attempts.


From: Oumar Niane <jpon () jpon org>
Date: Tue, 11 Sep 2007 21:48:25 +0200

Hi Michael,

On Fri, Aug 31, 2007 at 08:32:39PM -0700, Michael Nielson wrote:
> first what are they trying to do? Crack my password?

Yes. It looks like a brute force attack.

> Or exploit a bug with proftpd?

Maybe the next step ;-)

> More important what can I do to limit the number of attempts on my
> server?

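You can try these iptables rules (man iptables for details):

# Count only new connections (not every packet) per source address; drop a
# source already seen 4 times on port 21 within the last 60 seconds.
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name FTP -j DROP
# Record the source address of each new connection in the FTP list.
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name FTP
iptables -A INPUT -p tcp --dport 21 -j ACCEPT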

Or if you don't write your own iptables rules, give fail2ban a try:
http://fail2ban.sourceforge.net/

Besides, as others have already suggested, you can use a random port instead of
the default port 21. Most important, make sure your version of proftpd
is up to date.

Hope this helps,

Oumar

-- 
One OS to rule them all,
One OS to find them.
One OS to call them all,
And in salvation bind them.
In the bright land of Linux,
Where the hackers play.
(J. Scott Thayer, with apologies to J.R.R.T.)
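
The fail2ban suggestion in the message above works from the server log rather than from packet counts. As an added example (not part of the original message and not fail2ban's own code), the Python below counts failed proftpd logins per source address in a sliding window, using the same 4-in-60-seconds threshold as the iptables rules; the log line shape, the sample lines and the name `find_offenders` are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log shape: syslog-style proftpd authentication failures.
# Adjust the pattern to match the lines your own server writes.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: "
    r".*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\).*"
    r"(?:Login failed|no such user)"
)

def find_offenders(lines, max_hits=4, window=60, year=2007):
    """Return {ip: time the ip first reached max_hits failures within window seconds}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    offenders = {}
    span = timedelta(seconds=window)
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(when)
        while when - hits[0] > span:  # drop failures older than the window
            hits.popleft()
        if len(hits) >= max_hits:
            offenders.setdefault(m["ip"], when)  # candidate for a firewall ban
    return offenders

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    "Sep 11 21:40:01 ftp1 proftpd[4211]: ftp1 (203.0.113.5[203.0.113.5]) - USER admin (Login failed): Incorrect password.",
    "Sep 11 21:40:02 ftp1 proftpd[4212]: ftp1 (198.51.100.7[198.51.100.7]) - USER joe (Login failed): Incorrect password.",
    "Sep 11 21:40:03 ftp1 proftpd[4211]: ftp1 (203.0.113.5[203.0.113.5]) - USER test: no such user found",
    "Sep 11 21:40:04 ftp1 proftpd[4213]: ftp1 (192.0.2.10[192.0.2.10]) - USER bob: Login successful.",
    "Sep 11 21:40:05 ftp1 proftpd[4211]: ftp1 (203.0.113.5[203.0.113.5]) - USER root (Login failed): Incorrect password.",
    "Sep 11 21:40:08 ftp1 proftpd[4211]: ftp1 (203.0.113.5[203.0.113.5]) - USER admin (Login failed): Incorrect password.",
    "Sep 11 21:41:30 ftp1 proftpd[4214]: ftp1 (198.51.100.7[198.51.100.7]) - USER joe (Login failed): Incorrect password.",
    "Sep 11 21:43:00 ftp1 proftpd[4215]: ftp1 (198.51.100.7[198.51.100.7]) - USER joe (Login failed): Incorrect password.",
    "Sep 11 21:44:30 ftp1 proftpd[4216]: ftp1 (198.51.100.7[198.51.100.7]) - USER joe (Login failed): Incorrect password.",
]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE).items():
        print(f"{ip} reached the threshold at {when:%H:%M:%S}")
```

The second address fails four times as well, but spread over several minutes, so it stays under the threshold; a user who mistypes a password occasionally is not banned.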

