Originally Posted by tonechild
That's great it is denying it. What about this?
eb 20 07:53:00 ip-97-74-83-225 xinetd: START: ftp pid=1192 from=::ffff:220.127.116.11
Feb 20 07:53:00 ip-97-74-83-225 proftpd: 127.0.0.1 (18.104.22.168[22.214.171.124]) - FTP session opened.
Feb 20 07:53:00 ip-97-74-83-225 proftpd: 127.0.0.1 (126.96.36.199[188.8.131.52]) - FTP session closed.
Feb 20 07:53:00 ip-97-74-83-225 xinetd: EXIT: ftp status=0 pid=1192 duration=0(sec)
Does this mean someone successfully logged in via FTP?
Do you need ftp access on this server?
If you do not need ftp access (turn it off
If you do need FTP access here is what I would do, create a ipchain rule in netfilter to LIMIT
the access to ftp. (through a specific IP and/or ip subnet range.
With the massive number of exploited/hacked servers/home_pc's you do not want a buffet for people to soak your server and/or run dictionary attacks on it.
If you cannot limit the ip range via an ip and/or ip subnet range, put in a connection limit (ipchain rule) and/or install fail2ban to keep rouge traffic at bay.
This IP address also has a lot of ports opened on it, so someone may be using it for something they should not be doing (just a suggestion not implying this is the case)...