Thanks for the reply! Here's a snippet of my messages log, the only thing that happened was hundreds of failed logins, and if they're DoS'ing, I would expect it to come from multiple IPs (but I may be way off base...). Thanks for your help!
Code:
May 4 09:46:16 [SERVER] vsftpd(pam_unix)[29801]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[ATTACK IP]
May 4 09:46:20 [SERVER] vsftpd(pam_unix)[29801]: check pass; user unknown
May 4 09:46:20 [SERVER] vsftpd(pam_unix)[29801]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[ATTACK IP]
May 4 09:46:27 [SERVER] vsftpd(pam_unix)[29801]: check pass; user unknown
May 4 09:46:27 [SERVER] vsftpd(pam_unix)[29801]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[ATTACK IP]
May 4 09:46:31 [SERVER] vsftpd(pam_unix)[29801]: check pass; user unknown
May 4 09:46:31 [SERVER] vsftpd(pam_unix)[29801]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[ATTACK IP]
May 4 09:46:35 [SERVER] vsftpd(pam_unix)[29801]: check pass; user unknown
May 4 09:46:35 [SERVER] vsftpd(pam_unix)[29801]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[ATTACK IP]
May 4 09:46:39 [SERVER] vsftpd(pam_unix)[29801]: check pass; user unknown
May 4 09:46:39 [SERVER] vsftpd(pam_unix)[29801]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[ATTACK IP]
May 4 09:46:43 [SERVER] vsftpd(pam_unix)[29801]: check pass; user unknown
As an immediate, but temporary, fix, I've added the offending IPs to iptables, dropping any connections from them. You mentioned that maybe better firewall rules would help, but by that, are you referring to limiting connections etc...? The difficulty I have with setting a limit on connections is it already causes hell with SSH when people are running things that can't do connection multiplexing. FTP might be better since it doesn't initiate a ton of connections, but it's still possible that somebody might connect 10 times in 10 minutes, legitimately. Thanks for the input!!
Mike.
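
Added example, not part of the original post: one way to act on the log above without capping connections is to count failed authentications per `rhost` in a sliding window, so users who log in successfully any number of times are never counted. The hostname `ftp1`, the documentation-range IPs, the assumed year and the 5-failures-in-60-seconds threshold are all assumptions made for this sketch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# pam_unix failure lines in the format shown in the post above.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+vsftpd\(pam_unix\)\[\d+\]:"
    r"\s+authentication failure;.*\brhost=(?P<rhost>\S+)"
)

def offenders(lines, max_failures=5, window=timedelta(seconds=60), year=2000):
    """Map each rhost to the time it first reached max_failures within window."""
    recent = defaultdict(deque)  # rhost -> failure timestamps still in window
    flagged = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # e.g. "check pass; user unknown" carries no rhost
        # Syslog timestamps omit the year, so one is assumed for parsing.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["rhost"]]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged.setdefault(m["rhost"], ts)
    return flagged

def fail_line(hms, ip):
    """Build one constructed failure line (hostname ftp1 is made up)."""
    return (f"May  4 {hms} ftp1 vsftpd(pam_unix)[29801]: authentication failure;"
            f" logname= uid=0 euid=0 tty= ruser= rhost={ip}")

# Constructed sample: a user who mistypes twice, then a source failing every few seconds.
SAMPLE = [
    fail_line("09:40:00", "198.51.100.20"),
    fail_line("09:45:50", "198.51.100.20"),
    *[fail_line(f"09:46:{s}", "203.0.113.7") for s in (16, 20, 27, 31, 35, 39)],
    "May  4 09:46:43 ftp1 vsftpd(pam_unix)[29801]: check pass; user unknown",
]

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE).items():
        print(f"{ip} reached the failure threshold at {when:%H:%M:%S}")
```

The flagged addresses can feed the same iptables drop rule already in use; the two mistyped logins from the other address stay below the threshold.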