Detecting FTP Brute Force Attack
Here are some simple commands that may help to detect attempts to hack your FTP server with a brute-force "password guessing" attack.
1. Count the number of running FTP processes.
This number may be much higher than usual during a brute-force attack.
2. Check, in real time, if brute-force attempts persist.
NOTE: The following parameters may differ depending on your system:
- /var/log/vsftpd.log - path to the FTP log file;
- FAIL LOGIN - log message recorded for a login attempt with a wrong username or password;
- OK LOGIN - log message recorded for a successful authentication.
3. Get the attacker's IP address by counting "FAIL LOGIN" answers.
4. Check whether the attack succeeded by searching the log file for "OK LOGIN" entries from the attacker's IP address, e.g. 192.168.1.2.
5. Block the attacker's IP address.
The easiest way is to add the attacker's IP address to the '/etc/hosts.deny' file.
See the examples below:
Block all services for IP address '192.168.1.2'.
Block all services for IP addresses '192.168.1.2' and '192.168.1.3'.
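The steps above carried out as one script, as an added example that is not part of the original page: it runs the log analysis of steps 3 and 4 over a constructed sample of vsftpd log lines (the real vsftpd format is `[user] FAIL LOGIN: Client "IP"`), and builds the `/etc/hosts.deny` line of step 5 without writing to that file. The function names and the sample addresses are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample of /var/log/vsftpd.log lines (not captured from a real server).
SAMPLE_LOG='Mon Mar  4 10:00:01 2024 [pid 1201] [admin] FAIL LOGIN: Client "192.168.1.2"
Mon Mar  4 10:00:02 2024 [pid 1203] [root] FAIL LOGIN: Client "192.168.1.2"
Mon Mar  4 10:00:03 2024 [pid 1205] [ftp] FAIL LOGIN: Client "192.168.1.2"
Mon Mar  4 10:00:04 2024 [pid 1207] [alice] FAIL LOGIN: Client "192.168.1.3"
Mon Mar  4 10:00:09 2024 [pid 1209] [alice] OK LOGIN: Client "192.168.1.3"
Mon Mar  4 10:00:15 2024 [pid 1211] [admin] FAIL LOGIN: Client "192.168.1.2"
Mon Mar  4 10:00:20 2024 [pid 1213] [admin] OK LOGIN: Client "192.168.1.2"'

# Step 1: number of running vsftpd processes ([v] keeps grep from matching itself).
ftp_process_count() {
    ps ax | grep -c '[v]sftpd'
}

# Step 2 (live variant, not run here): tail -f /var/log/vsftpd.log | grep 'FAIL LOGIN'

# Step 3: failed logins per client IP, most frequent first.
fail_counts() {
    grep 'FAIL LOGIN' "$1" | sed 's/.*Client "\([^"]*\)".*/\1/' | sort | uniq -c | sort -rn
}

# The IP address with the most failed logins.
top_attacker() {
    fail_counts "$1" | awk 'NR == 1 { print $2 }'
}

# Step 4: successful logins from one IP; a non-zero count means a guess may have worked.
ok_logins_from() {
    grep 'OK LOGIN' "$1" | grep -c "Client \"$2\""
}

# Step 5: the hosts.deny line for one or more IPs (printed, not written to /etc/hosts.deny).
deny_line() {
    list=$(printf '%s, ' "$@")
    echo "ALL: ${list%, }"
}

# Write the sample to a temporary file and walk through the procedure.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
printf '%s\n' "$SAMPLE_LOG" > "$LOG"

echo "Failed logins per IP:"
fail_counts "$LOG"
ATTACKER=$(top_attacker "$LOG")
echo "Most active source: $ATTACKER"
echo "Successful logins from $ATTACKER: $(ok_logins_from "$LOG" "$ATTACKER")"
echo "Line to add to /etc/hosts.deny:"
deny_line "$ATTACKER"
```

On the sample above, 192.168.1.2 produces four failures followed by one "OK LOGIN", so it is both the top source and a successful guess; replace `"$LOG"` with `/var/log/vsftpd.log` to run the same functions on a real server, and append the printed line to '/etc/hosts.deny' only after checking the address is not one of your own.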