Here are some simple commands that may help to detect attempts to hack your FTP server with a brute-force “password guessing” attack.
1. Count the number of running FTP processes.
This number may be much higher than usual during a brute-force attack.
$ ps -ef | grep -i ftp | grep -v grep -c
2. Check, in real time, if brute-force attempts persist.
$ tail -f /var/log/vsftpd.log | grep -i "FAIL LOGIN"
NOTE: The following values may differ depending on your system:
- /var/log/vsftpd.log – path to the FTP server log;
- FAIL LOGIN – log message written when a login attempt fails (wrong username or password);
- OK LOGIN – log message written when authentication succeeds.
3. Get the attacker’s IP address by counting “FAIL LOGIN” entries per client address.
$ grep -i "FAIL LOGIN" /var/log/vsftpd.log | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort | uniq -c | sort -rn | more
4. Check whether the attack succeeded by searching the log for “OK LOGIN” entries from the attacker’s IP address, e.g. 192.168.1.2. Use ‘-F’ so the dots are matched literally and ‘-w’ so that 192.168.1.2 does not also match 192.168.1.20.
$ grep -i "OK LOGIN" /var/log/vsftpd.log | grep -wF 192.168.1.2
5. Block the attacker’s IP address.
The easiest way is to add the attacker’s IP address to the ‘/etc/hosts.deny’ file. Note that this only affects services that honour TCP wrappers; for vsftpd the server must be built with tcp_wrappers support and have ‘tcp_wrappers=YES’ set in vsftpd.conf.
See the examples below:
Block all services for IP address ‘192.168.1.2’.
ALL: 192.168.1.2
Block all services for IP addresses ‘192.168.1.2’ and ‘192.168.1.3’.
ALL: 192.168.1.2 192.168.1.3
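Steps 3 to 5 above, combined into reusable shell functions and run against a constructed sample of vsftpd log lines. This is an added example, not code from the original post; the line layout follows vsftpd’s default log format, and every IP address, username and timestamp in the sample is made up.

```shell
#!/bin/sh
# Added example (not from the original post): steps 3 to 5 as shell functions,
# exercised on a constructed vsftpd log. Point LOG at /var/log/vsftpd.log on a
# real system and drop the heredoc.

# Constructed sample log, written to a temp file that is removed on exit.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Mon Mar  4 10:00:01 2024 [pid 2101] [admin] FAIL LOGIN: Client "192.168.1.2"
Mon Mar  4 10:00:02 2024 [pid 2102] [root] FAIL LOGIN: Client "192.168.1.2"
Mon Mar  4 10:00:03 2024 [pid 2103] [ftp] FAIL LOGIN: Client "192.168.1.2"
Mon Mar  4 10:00:04 2024 [pid 2104] [test] FAIL LOGIN: Client "192.168.1.20"
Mon Mar  4 10:00:05 2024 [pid 2105] [alice] OK LOGIN: Client "10.0.0.7"
Mon Mar  4 10:00:06 2024 [pid 2106] [backup] FAIL LOGIN: Client "192.168.1.2"
Mon Mar  4 10:00:07 2024 [pid 2107] [backup] OK LOGIN: Client "192.168.1.2"
EOF

# Step 3: rank client IPs by number of FAIL LOGIN entries in log file $1.
# Output: one "<count> <ip>" line per address, most failures first.
fail_counts() {
    grep -i "FAIL LOGIN" "$1" \
        | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Step 4: number of OK LOGIN entries from IP $2 in log file $1.
# -F matches the address literally (an unescaped "." matches any character)
# and -w stops 192.168.1.2 from also matching 192.168.1.20. grep -c exits 1
# when the count is 0, so "|| true" keeps the function's exit status at 0.
ok_logins_from() {
    grep -i "OK LOGIN" "$1" | grep -cwF "$2" || true
}

# Step 5: build the /etc/hosts.deny line for every IP with at least $2
# failures in log file $1. It only prints the line; append it to
# /etc/hosts.deny yourself after checking the addresses are not your own.
deny_line() {
    ips=$(fail_counts "$1" | awk -v t="$2" '$1+0 >= t+0 { print $2 }' \
        | tr '\n' ' ' | sed 's/ $//')
    if [ -n "$ips" ]; then
        printf 'ALL: %s\n' "$ips"
    fi
}

# Summary for the top offender in log file $1: failures, and whether it got in.
report_top() {
    top=$(fail_counts "$1" | head -n 1)
    ip=${top#* }
    fails=${top%% *}
    printf '%s: login failures %s, successful logins %s\n' \
        "$ip" "$fails" "$(ok_logins_from "$1" "$ip")"
}

echo "Failures per IP:"
fail_counts "$LOG"
report_top "$LOG"
echo "Suggested hosts.deny entry (threshold 3 failures):"
deny_line "$LOG" 3
```

The threshold in deny_line is deliberately a parameter: a single mistyped password should not get a legitimate user blocked, so pick a value that is clearly above normal user error for your site, and review the addresses before they go into hosts.deny.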