Detecting FTP Brute Force Attack

Here are some simple commands that may help you detect attempts to break into your FTP server with a brute-force ("password guessing") attack.

1. Count the number of running FTP processes.

This number may be much higher than usual during a brute-force attack, because most FTP daemons (vsftpd included) fork a separate process for every connection, so the count tracks connection volume rather than failed logins specifically.

$ ps -ef | grep -i ftp | grep -v grep -c
2. Check, in real time, whether brute-force attempts are still going on.

$ tail -f /var/log/vsftpd.log | grep -i "FAIL LOGIN"

NOTE: The following values may differ depending on your system:

  • /var/log/vsftpd.log - path to the FTP server log;
  • FAIL LOGIN - log message recorded when someone tries to log into the FTP server with a wrong username or password;
  • OK LOGIN - log message recorded on successful authentication.

3. Get the attacker's IP address by counting "FAIL LOGIN" entries per source address.

$ grep -i "FAIL LOGIN" /var/log/vsftpd.log | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort | uniq -c | sort -rn | more

4. Check whether the attack succeeded by searching the log for "OK LOGIN" entries coming from the attacker's IP address, e.g. (replace the placeholder with the address found in step 3):

$ grep -i "OK LOGIN" /var/log/vsftpd.log | grep "<attacker-ip>"
5. Block the attacker's IP address.

The easiest way is to add the attacker's IP address to the '/etc/hosts.deny' file. Keep in mind that this only takes effect for daemons that honour TCP Wrappers (vsftpd does when it is built with libwrap support and 'tcp_wrappers=YES' is set in its configuration); otherwise block the address with a firewall rule instead.

See the examples below:

Block all services for a single IP address.
Block all services for two IP addresses.
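The whole procedure from step 3 to step 5 can be scripted so that the log is parsed once and the result is a list of hosts.deny entries ready for review. The script below is an added example, not part of the original post; it assumes the default vsftpd log line shape (`... [pid N] [user] FAIL LOGIN: Client "a.b.c.d"`), runs against a constructed sample log instead of /var/log/vsftpd.log, and uses a hypothetical failure threshold (THRESHOLD, default 5) above which a source address is listed:

```shell
#!/bin/sh
# Added example (not from the original post): summarise FAIL LOGIN / OK LOGIN
# events in a vsftpd-style log and emit hosts.deny entries for the noisiest
# sources. Assumed log line shape (vsftpd default):
#   Mon Jan  1 12:00:01 2024 [pid 2] [admin] FAIL LOGIN: Client "192.0.2.10"
# THRESHOLD is a hypothetical tuning knob: sources with at least this many
# failed logins are treated as brute-force candidates.

THRESHOLD="${THRESHOLD:-5}"

# Constructed sample log (TEST-NET addresses). Point SAMPLE_LOG at
# /var/log/vsftpd.log to run this against a real server.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Mon Jan  1 12:00:01 2024 [pid 2] [admin] FAIL LOGIN: Client "192.0.2.10"
Mon Jan  1 12:00:02 2024 [pid 2] [root] FAIL LOGIN: Client "192.0.2.10"
Mon Jan  1 12:00:03 2024 [pid 2] [test] FAIL LOGIN: Client "192.0.2.10"
Mon Jan  1 12:00:04 2024 [pid 2] [ftp] FAIL LOGIN: Client "192.0.2.10"
Mon Jan  1 12:00:05 2024 [pid 2] [admin] FAIL LOGIN: Client "192.0.2.10"
Mon Jan  1 12:00:06 2024 [pid 2] [backup] FAIL LOGIN: Client "192.0.2.10"
Mon Jan  1 12:00:07 2024 [pid 2] [backup] OK LOGIN: Client "192.0.2.10"
Mon Jan  1 12:00:08 2024 [pid 3] [alice] FAIL LOGIN: Client "198.51.100.7"
Mon Jan  1 12:00:09 2024 [pid 3] [alice] OK LOGIN: Client "198.51.100.7"
Mon Jan  1 12:00:10 2024 [pid 4] [bob] FAIL LOGIN: Client "203.0.113.5"
Mon Jan  1 12:00:11 2024 [pid 4] [bob] FAIL LOGIN: Client "203.0.113.5"
EOF

# Step 3: failed logins per source IP, most frequent first ("count ip").
fail_counts() {
    grep -i "FAIL LOGIN" "$1" \
      | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' \
      | sort | uniq -c | sort -rn
}

# Source IPs whose failure count reaches the threshold given as $2.
top_offenders() {
    fail_counts "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Step 4: number of OK LOGIN lines recorded for the IP given as $2.
# A non-zero result for a top offender means the guessing may have worked.
ok_logins_from() {
    grep -i "OK LOGIN" "$1" | grep -c -F "\"$2\"" || true
}

# Step 5: hosts.deny lines ("ALL: ip" blocks every wrapped service) for
# review before they are appended to /etc/hosts.deny.
hosts_deny_lines() {
    top_offenders "$1" "$2" | awk '{ print "ALL: " $1 }'
}

# Stand-alone report.
echo "Failed logins per source IP:"
fail_counts "$SAMPLE_LOG"
echo
echo "Candidate /etc/hosts.deny entries (>= $THRESHOLD failures):"
hosts_deny_lines "$SAMPLE_LOG" "$THRESHOLD"
echo
for ip in $(top_offenders "$SAMPLE_LOG" "$THRESHOLD"); do
    n="$(ok_logins_from "$SAMPLE_LOG" "$ip")"
    echo "$ip: $n successful login(s) recorded - investigate if non-zero"
done
```

The threshold keeps a single mistyped password (198.51.100.7 in the sample) out of the block list, and the OK LOGIN count per offender is what turns step 4 from a manual grep into something you can alert on.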