Detecting FTP Brute Force Attack

Here are some simple commands that may help to detect attempts to hack your FTP server with a brute-force “password guessing” attack.

1. Count the number of running FTP processes.

This number may be much higher than usual during a brute-force attack.

$ ps -ef | grep -i ftp | grep -vc grep

2. Check, in real time, if brute-force attempts persist.

$ tail -f /var/log/vsftpd.log | grep -i "FAIL LOGIN"

NOTE: The following values may differ depending on your system:

  • /var/log/vsftpd.log – path to the FTP log file;
  • FAIL LOGIN – message logged when someone tries to log into the FTP server with a wrong username or password;
  • OK LOGIN – message logged on successful authentication.

3. Find the attacker’s IP address by counting “FAIL LOGIN” entries per IP address.

$ grep -i "FAIL LOGIN" /var/log/vsftpd.log | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort | uniq -c | sort -rn | more

4. Check whether the attack succeeded by searching the log file for “OK LOGIN” entries from the attacker’s IP address, e.g. 192.168.1.2 (the dots are escaped and -w is used so that 192.168.1.2 does not also match 192.168.1.20).

$ grep -i "OK LOGIN" /var/log/vsftpd.log | grep -w '192\.168\.1\.2'

5. Block the attacker’s IP address.

The easiest way is to add the attacker’s IP address to the ‘/etc/hosts.deny’ file.

See examples below:

Block all services for IP address ‘192.168.1.2’.

ALL: 192.168.1.2

Block all services for IP addresses ‘192.168.1.2’ and ‘192.168.1.3’.

ALL: 192.168.1.2 192.168.1.3
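Steps 3 to 5 above, written as reusable shell functions that read a vsftpd log on stdin; this is an added example, not part of the original post. SAMPLE_LOG is a constructed log in the default vsftpd line format, not a real capture, and the threshold of three failed logins is an assumed value.

```shell
# Added example: steps 3-5 as shell functions reading a vsftpd log on stdin.
# SAMPLE_LOG is constructed (default vsftpd format: '... [user] FAIL LOGIN: Client "<ip>"').
SAMPLE_LOG='Mon Mar  4 10:00:01 2024 [pid 2101] [admin] FAIL LOGIN: Client "192.168.1.2"
Mon Mar  4 10:00:02 2024 [pid 2102] [admin] FAIL LOGIN: Client "192.168.1.2"
Mon Mar  4 10:00:03 2024 [pid 2103] [root] FAIL LOGIN: Client "192.168.1.2"
Mon Mar  4 10:00:04 2024 [pid 2104] [admin] OK LOGIN: Client "192.168.1.2"
Mon Mar  4 10:00:05 2024 [pid 2105] [bob] FAIL LOGIN: Client "192.168.1.20"
Mon Mar  4 10:00:06 2024 [pid 2106] [bob] OK LOGIN: Client "192.168.1.20"
Mon Mar  4 10:00:07 2024 [pid 2107] [alice] FAIL LOGIN: Client "10.0.0.7"
Mon Mar  4 10:00:08 2024 [pid 2108] [alice] FAIL LOGIN: Client "10.0.0.7"
Mon Mar  4 10:00:09 2024 [pid 2109] [alice] FAIL LOGIN: Client "10.0.0.7"'

# Literal-match pattern for one IP: escaped dots, combined with grep -w below,
# so that 192.168.1.2 no longer matches 192.168.1.20 as a bare "grep 192.168.1.2" does.
ip_pattern() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Step 3: IPs with at least $1 failed logins, one per line, lowest IP first.
suspect_ips() {
  grep -i 'FAIL LOGIN' | grep -Eo '[0-9]{1,3}(\.[0-9]{1,3}){3}' \
    | sort | uniq -c | awk -v t="$1" '$1 >= t { print $2 }'
}

# Step 4: number of log lines carrying marker $1 ("FAIL LOGIN" or "OK LOGIN") for IP $2.
login_count() { grep -i "$1" | grep -cw "$(ip_pattern "$2")" || :; }

# Step 5: one /etc/hosts.deny line covering every IP at or above threshold $1.
deny_line() {
  ips=$(suspect_ips "$1" | tr '\n' ' ')
  if [ -n "$ips" ]; then printf 'ALL: %s\n' "${ips% }"; fi
}

# Demo run over the constructed log (assumed threshold: 3 failures).
for ip in $(printf '%s\n' "$SAMPLE_LOG" | suspect_ips 3); do
  fails=$(printf '%s\n' "$SAMPLE_LOG" | login_count 'FAIL LOGIN' "$ip")
  oks=$(printf '%s\n' "$SAMPLE_LOG" | login_count 'OK LOGIN' "$ip")
  printf '%s: %s failed, %s successful logins\n' "$ip" "$fails" "$oks"
done
printf '%s\n' "$SAMPLE_LOG" | deny_line 3   # ALL: 10.0.0.7 192.168.1.2
```

In the sample, 192.168.1.2 has three failures followed by one success and so needs the step 4 check most; 192.168.1.20 stays below the threshold because the exact-match pattern keeps its lines separate.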