0

I have a website that gets about 2000 visitors/month, but I'm also getting about 500 break-in attempts per day. In auth.log, every few minutes I get 8 of these:

Oct 19 16:34:14 main-srv vsftpd[7361]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=testuser rhost=188.163.79.28
Oct 19 16:34:10 main-srv vsftpd[7354]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test123 rhost=188.163.79.28
Oct 19 16:34:06 main-srv vsftpd[7351]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=188.163.79.28

A few minutes later, I get another 8 with the same user names, but from a different IP address. It seems they're using a proxy or the Tor network to attack from different places. Or is it possible they're spoofing the IP addresses? In either case, how can I block this traffic (proxy/Tor/spoofed IP)?

ierdna
  • 111
  • 4
  • Why not deny everyone but yourself? – alexus Oct 19 '16 at 21:20
  • I wish! I have a couple of site admins that access it from their homes/offices/phones – ierdna Oct 19 '16 at 21:44
  • Again, by white-listing the site admins' entire network you'll get 99% less bad traffic than what you're getting now, and/or implement OpenVPN or similar, and/or change the port to a non-standard port. – alexus Oct 19 '16 at 21:46
  • Yeah, I ended up changing the port; seemed like the easiest solution. – ierdna Oct 20 '16 at 01:10

0 Answers
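The following is an added example, not part of the original question or its comments, showing how a practitioner would triage the auth.log lines quoted above. It parses the vsftpd pam_unix failure lines, applies a fail2ban-style rule (the `maxretry` and `findtime` names are fail2ban's own parameters; the thresholds, the ipset name `ftp-bruteforce` and the `parse_failures`/`hosts_to_ban`/`username_fingerprints` helpers are this example's assumptions), and groups source IPs by the exact set of usernames they tried, which is the signature of one campaign rotating through proxies or Tor exits rather than of unrelated attackers. On the spoofing question: a pam_unix authentication failure is only logged after the client completed the TCP handshake and sent a username and password, so the rhost values in these lines are real connecting addresses (possibly proxies), not spoofed ones. The three original lines from the question are reused; the remaining log lines are constructed for the example, using documentation addresses (203.0.113.7, 198.51.100.4) for the second and third sources.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the pam_unix failure format vsftpd writes to auth.log, as quoted in
# the question. syslog omits the year, so the caller supplies one.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ vsftpd\[\d+\]: "
    r"pam_unix\(vsftpd:auth\): authentication failure;.*?"
    r"ruser=(?P<user>\S*) rhost=(?P<host>\S+)"
)

# Constructed sample: the three lines from the question (pasted newest-first,
# as in the post), a second burst with the same username list from another
# address, and one stray failure from a third address that should not be banned.
SAMPLE_LOG = [
    "Oct 19 16:34:14 main-srv vsftpd[7361]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=testuser rhost=188.163.79.28",
    "Oct 19 16:34:10 main-srv vsftpd[7354]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test123 rhost=188.163.79.28",
    "Oct 19 16:34:06 main-srv vsftpd[7351]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=188.163.79.28",
    "Oct 19 16:34:18 main-srv vsftpd[7365]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ftpuser rhost=188.163.79.28",
    "Oct 19 16:34:22 main-srv vsftpd[7369]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ftp rhost=188.163.79.28",
    "Oct 19 16:41:03 main-srv vsftpd[7402]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=203.0.113.7",
    "Oct 19 16:41:07 main-srv vsftpd[7405]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test123 rhost=203.0.113.7",
    "Oct 19 16:41:11 main-srv vsftpd[7409]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=testuser rhost=203.0.113.7",
    "Oct 19 16:41:15 main-srv vsftpd[7413]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ftpuser rhost=203.0.113.7",
    "Oct 19 16:41:19 main-srv vsftpd[7417]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ftp rhost=203.0.113.7",
    "Oct 19 16:50:00 main-srv vsftpd[7500]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=alice rhost=198.51.100.4",
]


def parse_failures(lines, year=2016):
    """Return a list of (timestamp, ruser, rhost) for every matching failure line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated auth.log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["host"]))
    return events


def hosts_to_ban(events, maxretry=5, findtime_s=600):
    """fail2ban-style rule: ban an rhost that reaches maxretry failures
    within any findtime_s-second window. Input order does not matter."""
    by_host = defaultdict(list)
    for ts, _user, host in events:
        by_host[host].append(ts)
    banned = set()
    for host, times in by_host.items():
        times.sort()
        for i, t in enumerate(times):
            window_start = t - timedelta(seconds=findtime_s)
            hits = sum(1 for u in times[: i + 1] if u >= window_start)
            if hits >= maxretry:
                banned.add(host)
                break
    return banned


def username_fingerprints(events):
    """Group source addresses by the exact set of usernames they tried.
    Only lists shared by more than one rhost are returned: those are the
    same wordlist replayed from rotating addresses."""
    users_by_host = defaultdict(set)
    for _ts, user, host in events:
        users_by_host[host].add(user)
    hosts_by_list = defaultdict(list)
    for host, users in users_by_host.items():
        hosts_by_list[tuple(sorted(users))].append(host)
    return {k: sorted(v) for k, v in hosts_by_list.items() if len(v) > 1}


def ipset_commands(hosts, setname="ftp-bruteforce"):
    """Render ban commands for an ipset (set name is hypothetical); the set is
    then referenced from one iptables DROP rule rather than one rule per IP."""
    return [f"ipset add {setname} {h} -exist" for h in sorted(hosts)]


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    bans = hosts_to_ban(ev)
    for users, hosts in username_fingerprints(ev).items():
        print(f"same username list {users} seen from {hosts}")
    for cmd in ipset_commands(bans):
        print(cmd)
```

Blocking by address, as the code does, only works against the address currently in use; the username-fingerprint output is what tells you the next burst from a new address is the same campaign, which is why the comments above converge on restricting the FTP port to the admins' own networks (or a VPN) rather than chasing addresses.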