Use iptables to fw the ip,
do a whois on the ip to find out who owns it. Also check the reverse lookup
See if there is a web server running at the ip address, if yes see what
the content is.
Finally contact the owner of the IP as the ip address may be that of a
box that has been used as a staging post and it has been compromised itself.
If vsftp uses the TCP wrapper, you can specify the frequency and number
of connections in hosts.allow, I don't use vsftp but I don't actually
think it does use the wrapper, but it can be configured to...
This article shows both method of running it:
http://www.linuxfocus.org/English/July2004/article341.shtml
This might be useful too:
http://www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/
Hope this helps
P.
John Hinton wrote:
> Seems the script kiddies are now hitting vsftp with dictionary
> attacks. I had three boxes showing around 12000 attempts from one IP
> yesterday.
>
> My thoughts are that there should be an upstream solution for this
> which is then supported by the upstream vendor. Yes, I know there are
> several 'other' solutions, but I'd really like to stay mainstream and
> use a supported method for dealing with these issues. I can't help but
> view them as security issues.
>
> Best,
> John Hinton
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
>
