Somebody is trying to brute force my FTP server. What should I do?

Leros

Somebody is repeatedly trying to log in to my FTP server. There are about two attempts every second.

The IP is 200.119.223.247. I did a reverse lookup and it's coming from Uruguay.

What should I do?
 

Leros

Originally posted by: AgaBoogaBoo
Block the IP? :p


He is on my deny list, but the attempted login is still showing up every half second.

He isn't using any of my bandwidth, but my FTP program is using 80% of my CPU.
 

ValkyrieofHouston

Originally posted by: Leros
Somebody is repeatedly trying to log in to my FTP server. There are about two attempts every second.

The IP is 200.119.223.247. I did a reverse lookup and it's coming from Uruguay.

What should I do?



There is another site that I visit pretty frequently that was hacked twice just recently. Looked Russian or something with a weird name, and then the hacker's signature disappeared. That is the first time I have actually seen anything like that. Wow, I knew there were sites to look up IP locations, did not know you might possibly be able to do a reverse lookup. Hmmmm... I learn something new every day here.
 

Leros

I blocked off the IP at the router. Should I do anything about this guy or just ignore the hundreds of packets bouncing off my router?
 

skyking

Originally posted by: Leros
I blocked off the IP at the router. Should I do anything about this guy or just ignore the hundreds of packets bouncing off my router?

Ignore. You'll get used to the kiddies, and they will go away eventually.
 

BurnItDwn

As others have said, it's usually best to just block their IP and then ignore.

I sometimes run an nmap on them just to let them know I'm watching them.
Not too long ago a person who was trying to brute force me stuck around on Undernet. I just sent him a tell that I had patched my proftpd and that he'd be chrooted with read-only access and there's no chance of him causing a buffer underrun. I also told him that he will need a new IP address to try to break into my site. I also let him know that there is no "admin" account, and that root is obviously set to "su only" access (well, aside from physical console anyways). He stopped trying to get into my site.
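
An added example, not written by any poster in this thread: a sliding-window detector that finds sources failing FTP logins at roughly the rate described above (about two attempts every second) and returns the addresses to block upstream at the router, which is where the block stopped costing the server CPU. The log line format, the thresholds, and the 203.0.113.9 and 198.51.100.20 addresses are constructed for illustration and do not match any particular FTP server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (hypothetical, not a real server's):
#   2024-01-01 12:00:00.500 FAIL user=admin src=203.0.113.9
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"

def find_brute_forcers(lines, max_failures=10, window=timedelta(seconds=10)):
    """Map each source IP to the time it first exceeded max_failures
    failed logins inside one sliding window."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "FAIL":
            continue              # skip malformed lines and successful logins
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            flagged.setdefault(m["src"], ts)
    return flagged

def build_sample_log():
    """Constructed sample: one source guessing twice a second for 30 s,
    one legitimate user who mistypes a password twice, one corrupt line."""
    start = datetime(2024, 1, 1, 12, 0, 0)
    def row(offset, result, user, src):
        ts = (start + timedelta(seconds=offset)).strftime(TS_FMT)[:-3]
        return f"{ts} {result} user={user} src={src}"
    rows = [row(i * 0.5, "FAIL", "admin", "203.0.113.9") for i in range(60)]
    rows += [row(1, "FAIL", "leros", "198.51.100.20"),
             row(3, "FAIL", "leros", "198.51.100.20"),
             row(6, "OK", "leros", "198.51.100.20")]
    return sorted(rows) + ["### truncated line ###"]

if __name__ == "__main__":
    for ip, when in find_brute_forcers(build_sample_log()).items():
        print(f"block at router: {ip} (threshold crossed {when})")
```

The per-source window keeps a user who mistypes a password a couple of times off the block list while still catching a steady stream of guesses within a few seconds.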