[CentOS] First SSH now VSFTP

Sun Apr 9 23:03:10 UTC 2006
Peter Farrow <peter at farrows.org>

Use iptables to firewall the IP.

Do a whois on the IP to find out who owns it. Also check the reverse lookup.

See if there is a web server running at the IP address; if yes, see what 
the content is.

Finally, contact the owner of the IP, as the IP address may be that of a 
box that has been used as a staging post and has been compromised itself.

If vsftp uses the TCP wrapper, you can specify the frequency and number 
of connections in hosts.allow. I don't use vsftp but I don't actually 
think it does use the wrapper, but it can be configured to...

This article shows both methods of running it:


This might be useful too:


Hope this helps


John Hinton wrote:
> Seems the script kiddies are now hitting vsftp with dictionary 
> attacks. I had three boxes showing around 12000 attempts from one IP 
> yesterday.
> My thoughts are that there should be an upstream solution for this 
> which is then supported by the upstream vendor. Yes, I know there are 
> several 'other' solutions, but I'd really like to stay mainstream and 
> use a supported method for dealing with these issues. I can't help but 
> view them as security issues.
> Best,
> John Hinton
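
Added example, not part of the original message or of vsftpd: a small log check that finds the addresses behind a run of failed FTP logins like the one John describes and prints an iptables rule for each, as Peter suggests. The log line format, the threshold of 3, the allow-listed network, port 21 and the exact rule form are assumptions, and all log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed vsftpd.log line shape (the thread shows no log lines):
#   ... [pid 4242] [admin] FAIL LOGIN: Client "203.0.113.7"
# [user] is client-supplied, so only the Client "..." ending the line is used.
FAIL_RE = re.compile(r'FAIL LOGIN: Client "([^"]+)"\s*$')

def _line(user, client, event="FAIL LOGIN"):
    return f'Sun Apr  9 12:00:01 2006 [pid 4242] [{user}] {event}: Client "{client}"'

SAMPLE_LOG = (  # constructed sample data, not taken from any real host
    [_line(u, "203.0.113.7") for u in ("admin", "root")]
    + [_line("test", "::ffff:203.0.113.7")]  # IPv4-mapped form of the same host
    + [_line("john", "192.0.2.10")] * 3      # a user on our own network
    + [_line('x] FAIL LOGIN: Client "10.9.9.9"', "198.51.100.9")]  # log-like username
    + [_line("john", "192.0.2.10", event="OK LOGIN")]
)

def failed_logins(lines):
    """Count failed logins per source address."""
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not an address: never let it reach a firewall rule
        counts[str(getattr(ip, "ipv4_mapped", None) or ip)] += 1
    return counts

def offenders(counts, threshold, allow=()):
    """Addresses at or over threshold, skipping allow-listed networks."""
    nets = [ipaddress.ip_network(n) for n in allow]
    return [(ip, n) for ip, n in counts.most_common()
            if n >= threshold
            and not any(ipaddress.ip_address(ip) in net for net in nets)]

def iptables_rules(hits):
    """One DROP rule per offender on the FTP control port (assumed 21)."""
    tool = {4: "iptables", 6: "ip6tables"}
    return [f"{tool[ipaddress.ip_address(ip).version]} -I INPUT -s {ip} "
            "-p tcp --dport 21 -j DROP" for ip, _ in hits]

if __name__ == "__main__":
    print("\n".join(iptables_rules(offenders(failed_logins(SAMPLE_LOG), 3, ["192.0.2.0/24"]))))
```

The allow list keeps a run of typos from a local user from producing a rule that locks out your own network.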