LinuxQuestions.org

pricejm 01-16-2008 12:00 PM

VSFTP and USER commands
 
Getting massive hits on this command:

Mon Jan 14 04:53:36 2008 [pid 22609] FTP command: Client "201.48.158.12", "USER Administrator"
Mon Jan 14 04:53:36 2008 [pid 22609] [Administrator] FTP response: Client "201.48.158.12", "530 Non-anonymous sessions must use encryption."

Recently moved to the stand alone and a random port. Should prevent a few...

Anything to prevent these brute force attacks?

I throttle the port connection but it does nothing once someone is connected.

Doubt these hurt me, just annoying, large log files, 15MB once. Definitely a good reason to have a separate file system for /var or email and truncate the log files like I do :)

Thanks.

Carpo 01-16-2008 12:41 PM

set iptables to block the ips

pricejm 01-16-2008 12:51 PM

Yeah started that too, most are from other countries...

Just blocking the whole range...211.*.*.*, etc.

evilDagmar 01-18-2008 03:47 AM

Quote:

Originally Posted by pricejm (Post 3024766)
Getting massive hits on this command:

Mon Jan 14 04:53:36 2008 [pid 22609] FTP command: Client "201.48.158.12", "USER Administrator"
Mon Jan 14 04:53:36 2008 [pid 22609] [Administrator] FTP response: Client "201.48.158.12", "530 Non-anonymous sessions must use encryption."

Recently moved to the stand alone and a random port. Should prevent a few...

Anything to prevent these brute force attacks?

I throttle the port connection but it does nothing once someone is connected.

Doubt these hurt me, just annoying, large log files, 15MB once. Definitely a good reason to have a separate file system for /var or email and truncate the log files like I do :)

Thanks.

1. Disallow FTP access to all administrator accounts entirely, as they are role accounts, and therefore do not properly tie logged events to a single, actual person.
2. Don't leave freakin' FTP open to the entire planet unless you want the entire planet accessing it. `man 5 hosts_access` because everything that doesn't suck will at least include tcp_wrappers support.

unSpawn 01-18-2008 07:18 AM

...
3. If you have users that only need FTP access try using virtual users.
4. Review your vsftp.conf because you can set up restrictions there.
5. Implement something like Fail2ban next to tcp_wrappers.
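
Point 5 above, sketched as an added example (not part of the thread, and not Fail2ban's own code): count 530 responses per client inside a time window, the way a Fail2ban-style filter would, over log lines in the format pricejm posted. The sample lines, their addresses and the `offenders` function are constructed for illustration; `maxretry` and `findtime` borrow the names of Fail2ban's settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches vsftpd protocol-log *response* lines in the format quoted in this thread.
RESPONSE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?FTP response: Client "(?P<ip>[^"]+)", "(?P<code>\d{3}) '
)

# Constructed sample log (documentation-range addresses, not real clients).
SAMPLE = '''\
Mon Jan 14 04:53:36 2008 [pid 22609] FTP command: Client "203.0.113.7", "USER Administrator"
Mon Jan 14 04:53:36 2008 [pid 22609] [Administrator] FTP response: Client "203.0.113.7", "530 Non-anonymous sessions must use encryption."
Mon Jan 14 04:53:37 2008 [pid 22609] [root] FTP response: Client "203.0.113.7", "530 Non-anonymous sessions must use encryption."
Mon Jan 14 04:53:38 2008 [pid 22609] [admin] FTP response: Client "203.0.113.7", "530 Non-anonymous sessions must use encryption."
Mon Jan 14 05:10:00 2008 [pid 22700] [alice] FTP response: Client "198.51.100.20", "530 Login incorrect."
Mon Jan 14 05:10:09 2008 [pid 22700] [alice] FTP response: Client "198.51.100.20", "230 Login successful."
'''.splitlines()

def offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: sorted usernames tried} for every client that drew at least
    maxretry 530 responses within one findtime window. Lines must be in
    chronological order, as they are in the log file."""
    recent = defaultdict(deque)   # ip -> timestamps of 530s still inside the window
    users = defaultdict(set)      # ip -> account names seen on rejected logins
    flagged = {}
    for line in lines:
        m = RESPONSE.match(line)
        if not m or m["code"] != "530":
            continue              # commands, greetings and successful logins are ignored
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        window = recent[m["ip"]]
        window.append(ts)
        users[m["ip"]].add(m["user"] or "-")
        while ts - window[0] > findtime:
            window.popleft()      # drop failures that have aged out of the window
        if len(window) >= maxretry:
            flagged[m["ip"]] = users[m["ip"]]
    return {ip: sorted(names) for ip, names in flagged.items()}

if __name__ == "__main__":
    for ip, names in offenders(SAMPLE).items():
        print(ip, "tried:", ", ".join(names))
```

The flagged addresses are what would go into `/etc/hosts.deny` or an iptables drop rule; a single mistyped password (the `alice` lines) stays below the threshold.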

pricejm 01-18-2008 08:04 AM

Thanks for the replies.

I ended up scratching the ftp for sftp, since I have ssh already tightly secured.

If I end up needing ftp over sftp I'll be sure to use your suggestions.

Thanks again.

evilDagmar 01-19-2008 01:29 AM

Screw that. Find a way to never have to use ftp again. HTTP made it obsolete, and scp is more secure.

Alien_Hominid 01-19-2008 04:15 AM

HTTP doesn't always let you resume, FTP does (at least as far as I know). Try sftp instead of scp (it's more convenient).

