Automated FTP login attacks

robbbert · 05-29-2007, 07:42 AM

Hi,

There are hundreds and thousands of login attempts per day to our FTP server (pure-ftpd, Ubuntu 7.04). Because of them, other, legal, users are getting timeouts.

This is in /var/log/messages:

Code:

May 27 09:38:38 websrv-lindner pure-ftpd: (?@60-249-208-52.HINET-IP.hinet.net) [INFO] New connection from 60-249-208-52.HINET-IP.hinet.net
May 27 09:38:38 websrv-lindner pure-ftpd: (?@60-249-208-52.HINET-IP.hinet.net) [INFO] PAM_RHOST enabled. Getting the peer address
May 27 09:38:40 websrv-lindner pure-ftpd: (?@60-249-208-52.HINET-IP.hinet.net) [WARNING] Authentication failed for user [Administrator]
May 27 09:38:44 websrv-lindner pure-ftpd: (?@60-249-208-52.HINET-IP.hinet.net) [INFO] PAM_RHOST enabled. Getting the peer address
May 27 09:38:46 websrv-lindner pure-ftpd: (?@60-249-208-52.HINET-IP.hinet.net) [WARNING] Authentication failed for user [Administrator]

How to get rid of them?

(BTW, I've been already able to greatly reduce the number of SSH login attempts by applying advanced techniques with iptables suggested here. Unfortunately, that's a bit high to me, so I'm asking.^^)

Any ideas?

Thanks & cheers
Robert

osor · 05-29-2007, 01:02 PM

Quote:

Originally Posted by robbbert

(BTW, I've been already able to greatly reduce the number of SSH login attempts by applying advanced techniques with iptables suggested here. Unfortunately, that's a bit high to me, so I'm asking.^^)

Forgive me, but I don’t understand what you’re saying here. Do you mean that you tried using the recent match with iptables unsuccessfully for ssh? Or do you mean you used it successfully for ssh, but aren’t sure of how to use it for ftp?

robbbert · 05-29-2007, 02:18 PM

Quote:

Originally Posted by osor

Or do you mean you used it successfully for ssh, but aren’t sure of how to use it for ftp?

That's right. Thanks for the reply.