Security Basics mailing list archives

RE: Massive failed FTP attempts.


From: "Mark Sutton" <msutton () moltenplanet com>
Date: Wed, 5 Sep 2007 09:25:22 +0100

Hi Michael;

It sounds like a dictionary attack on the passwords of standard usernames.
As the IP is moving, blacklisting the IPs won't work. You won't be able to
stop them trying to hack you either; however, unless the scans are totally
random, they will first determine you have an FTP server and then try to
hack it. As scans for servers tend to focus on the default ports, you could
change these on your external router so that they are less likely to
determine you have one by scanning.

Cheers Mark 

-------------------------------------
Mark Sutton : CISSP
Technical Consultant
Website : www.moltenplanet.com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Michael Nielson
Sent: 01 September 2007 04:33
To: security-basics () securityfocus com
Subject: Massive failed FTP attempts.

I run several small LAMP virtual servers. I've noticed a large number of
failed FTP login attempts; these all attempt to log in with common FTP
usernames like Administrator, or webmaster (the FTP server is ProFTPD
version 1.2.10).  The attacker will try from one IP address maybe 30 or
40 times and then move to a new IP address.  I have several questions.
First, what are they trying to do? Crack my password? Or exploit a bug
with proftpd?  I've been more diligent about choosing a
difficult-to-break password.  More important, what can I do to limit the
number of attempts on my server?
Thanks tons!
Michael
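
The pattern described in this thread (30 to 40 failed logins per address, then a new address) can be measured from the FTP log before choosing a lockout threshold. The following is an added example, not part of the original messages: it counts failures per source and lists usernames tried from several sources. The log line layout, the documentation-range addresses, the limits 50 and 5, and the names `build_sample` and `summarize` are all assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed line layout, modelled on syslog-style FTP daemon output; adjust the
# pattern to match what your server actually writes.
FAILED = re.compile(
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\) - USER (?P<user>\S+?)"
    r"(?:: no such user found| \(Login failed\))"
)

def build_sample():
    """Constructed log: three sources, 35 failed logins each, then a real user."""
    names = ["Administrator", "webmaster", "admin", "ftp", "test"]
    lines = []
    for n, ip in enumerate(["192.0.2.10", "198.51.100.7", "203.0.113.44"]):
        for i in range(35):
            lines.append(
                f"Sep  1 04:{10 + n}:{i:02d} web1 proftpd[2101]: web1 "
                f"({ip}[{ip}]) - USER {names[i % 5]}: no such user found"
            )
    home = "192.0.2.200"
    lines.append(f"Sep  1 09:00:01 web1 proftpd[2200]: web1 ({home}[{home}])"
                 " - USER michael (Login failed): Incorrect password.")
    lines.append(f"Sep  1 09:00:09 web1 proftpd[2200]: web1 ({home}[{home}])"
                 " - USER michael: Login successful.")
    return lines

def summarize(lines, per_ip_limit, min_sources=3):
    """Count failures per source and find usernames tried from many sources."""
    per_ip = Counter()
    sources_by_user = defaultdict(set)
    for line in lines:
        m = FAILED.search(line)
        if m:
            per_ip[m["ip"]] += 1
            sources_by_user[m["user"]].add(m["ip"])
    return {
        "per_ip": dict(per_ip),
        "over_limit": sorted(ip for ip, c in per_ip.items() if c > per_ip_limit),
        "shared_users": sorted(u for u, s in sources_by_user.items()
                               if len(s) >= min_sources),
    }

if __name__ == "__main__":
    log = build_sample()
    for limit in (50, 5):
        print(limit, summarize(log, limit)["over_limit"])
    print(summarize(log, 5)["shared_users"])
```

A per-address limit set above the batch size flags nothing in this sample, while a low limit flags every rotating source and leaves the single mistyped password alone.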

