Seems the script kiddies are now hitting vsftp with dictionary attacks. I had three boxes showing around 12000 attempts from one IP yesterday.
My thoughts are that there should be an upstream solution for this which is then supported by the upstream vendor. Yes, I know there are several 'other' solutions, but I'd really like to stay mainstream and use a supported method for dealing with these issues. I can't help but view them as security issues.
Best, John Hinton
Use iptables to firewall the IP.
Do a whois on the IP to find out who owns it. Also check the reverse lookup.
See if there is a web server running at the IP address; if yes, see what the content is.
Finally, contact the owner of the IP, as the IP address may be that of a box that has been used as a staging post and has been compromised itself.
If vsftp uses the TCP wrapper, you can specify the frequency and number of connections in hosts.allow. I don't use vsftp, and I don't actually think it does use the wrapper, but it can be configured to...
This article shows both methods of running it:
http://www.linuxfocus.org/English/July2004/article341.shtml
This might be useful too:
http://www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/
Hope this helps
P.
John Hinton wrote:
Seems the script kiddies are now hitting vsftp with dictionary attacks. I had three boxes showing around 12000 attempts from one IP yesterday.
My thoughts are that there should be an upstream solution for this which is then supported by the upstream vendor. Yes, I know there are several 'other' solutions, but I'd really like to stay mainstream and use a supported method for dealing with these issues. I can't help but view them as security issues.
Best, John Hinton
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
On 4/10/06, John Hinton webmaster@ew3d.com wrote:
Seems the script kiddies are now hitting vsftp with dictionary attacks. I had three boxes showing around 12000 attempts from one IP yesterday.
My thoughts are that there should be an upstream solution for this which is then supported by the upstream vendor. Yes, I know there are several 'other' solutions, but I'd really like to stay mainstream and use a supported method for dealing with these issues. I can't help but view them as security issues.
Hey,
You can set max_clients and max_per_ip.
That means only this number of clients (max_clients) can connect at a time, and only this number of sessions per IP address (max_per_ip).
This may help in reducing the number of attacks.
Regards
Ankush Grover