I have a website that gets about 2000 visitors/month, but I'm also getting about 500 break-in attempts per day. In auth.log, every few minutes I get 8 of these:
Oct 19 16:34:14 main-srv vsftpd[7361]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=testuser rhost=188.163.79.28
Oct 19 16:34:10 main-srv vsftpd[7354]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test123 rhost=188.163.79.28
Oct 19 16:34:06 main-srv vsftpd[7351]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=188.163.79.28
A few minutes later, I get another 8 with the same user names, but from a different IP address. It seems they're using a proxy or Tor network to attack from different places. Or is it possible they're spoofing the IP addresses? In either case, how can I block this traffic (proxy/Tor/spoofed IP)?
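
A defender-side way to measure the pattern described in the post, as an added example that is not part of the original post: it parses failure lines in the quoted format and reports both the addresses over a per-IP failure threshold and the username lists reused from several addresses. The sample log, its documentation-range addresses, the function names and the thresholds are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the lines quoted in the post; the
# addresses are documentation ranges (RFC 5737), not real sources.
_PFX = "pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp"
SAMPLE = "\n".join([
    f"Oct 19 16:34:06 main-srv vsftpd[7351]: {_PFX} ruser=test rhost=203.0.113.7",
    f"Oct 19 16:34:10 main-srv vsftpd[7354]: {_PFX} ruser=test123 rhost=203.0.113.7",
    f"Oct 19 16:34:14 main-srv vsftpd[7361]: {_PFX} ruser=testuser rhost=203.0.113.7",
    "Oct 19 16:35:01 main-srv CRON[7400]: pam_unix(cron:session): session opened for user root",
    f"Oct 19 16:38:02 main-srv vsftpd[7410]: {_PFX} ruser=test rhost=198.51.100.22",
    f"Oct 19 16:38:06 main-srv vsftpd[7413]: {_PFX} ruser=test123 rhost=198.51.100.22",
    f"Oct 19 16:38:10 main-srv vsftpd[7419]: {_PFX} ruser=testuser rhost=198.51.100.22",
    f"Oct 19 16:40:30 main-srv vsftpd[7430]: {_PFX} ruser=admin rhost=192.0.2.50",
])

# Matches only vsftpd PAM failures; ruser may be empty, so \S* rather than \S+.
FAIL_RE = re.compile(
    r"vsftpd\[\d+\]: pam_unix\(vsftpd:auth\): authentication failure;"
    r".*?\bruser=(?P<user>\S*) rhost=(?P<rhost>\S+)"
)

def parse_failures(text):
    """Return (user, rhost) for every vsftpd PAM authentication failure."""
    return [(m["user"], m["rhost"]) for m in FAIL_RE.finditer(text)]

def per_ip_offenders(failures, threshold=3):
    """IPs with at least `threshold` failures: candidates for a per-IP ban."""
    counts = Counter(ip for _, ip in failures)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def shared_wordlists(failures, min_ips=2):
    """Username sets tried from at least `min_ips` addresses (one campaign, many IPs)."""
    users_by_ip = defaultdict(set)
    for user, ip in failures:
        users_by_ip[ip].add(user)
    ips_by_list = defaultdict(list)
    for ip, users in users_by_ip.items():
        ips_by_list[tuple(sorted(users))].append(ip)
    return {u: sorted(ips) for u, ips in ips_by_list.items() if len(ips) >= min_ips}

if __name__ == "__main__":
    failures = parse_failures(SAMPLE)
    print("over per-IP threshold:", per_ip_offenders(failures))
    print("same usernames from several IPs:", shared_wordlists(failures))
```

The second report shows why a per-IP count alone understates the problem: each address stays near the threshold while the same username list keeps arriving from new addresses.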