Web Hosting Talk

View Full Version : BFD warning, what to do now?


neorder
05-25-2004, 09:43 AM
Hi, I'm receiving this in my email:

The remote system 222.78.128.90 was found to have exceeded acceptable login
failures on sv2.mydomain.net. As such the attacking host has been banned
from further accessing this system; for the integrity of your host you should
investigate this event as soon as possible.


May I know how to investigate this type of attack further?

thanks.

sprintserve
05-25-2004, 10:52 AM
Is that IP from any clients of yours? You can log in and view /var/log/secure and see what's the login that was being attempted and such.

There's probably not much action needed for now since that IP is already banned on your firewall.

neorder
05-25-2004, 12:07 PM
Thanks, sprintserve.

I don't recognize that IP. I've checked /var/log/secure and found lots of this:

May 24 21:31:25 sv2 proftpd[23864]: sv2.mydomain.net (222.78.128.90[222.78.128.90]) - USER Download: no such user found from 222.78.128.90 [222.78.128.90] to 65.75.183.160:21

What is he trying to download?

sprintserve
05-25-2004, 12:27 PM
He's trying to log in using the user Download (which doesn't exist). If it is a different user in each instance, he's trying to brute-force. You don't have to worry about it though, as he's already blocked on the firewall now.
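
Added example, not part of the original thread: a Python sketch of the check described above, grouping proftpd "no such user found" lines from /var/log/secure by source IP and listing the usernames each source tried. The function names, the three-username threshold and every sample line except the first (which is the one quoted in the thread) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the proftpd "no such user found" line format quoted in the thread.
FAILED_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+proftpd\[\d+\]:.*?"
    r"- USER (?P<user>.+?): no such user found "
    r"from (?P<src>\S+) \[[^\]]+\] to (?P<dst>\S+)$"
)

def summarize(lines):
    """Group failed FTP logins by source IP: attempt count, usernames, time span."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "first": None, "last": None})
    for line in lines:
        m = FAILED_USER.match(line.strip())
        if not m:
            continue  # other services (sshd, etc.) are skipped by this parser
        s = stats[m["src"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        s["first"] = s["first"] or m["ts"]
        s["last"] = m["ts"]
    return dict(stats)

def looks_like_bruteforce(entry, min_users=3):
    """Several different usernames from one source suggests guessing (threshold assumed)."""
    return len(entry["users"]) >= min_users

# Constructed sample: the first line is from the thread, the rest are invented
# in the same format (192.0.2.x are documentation addresses).
SAMPLE = """\
May 24 21:31:25 sv2 proftpd[23864]: sv2.mydomain.net (222.78.128.90[222.78.128.90]) - USER Download: no such user found from 222.78.128.90 [222.78.128.90] to 65.75.183.160:21
May 24 21:31:27 sv2 proftpd[23865]: sv2.mydomain.net (222.78.128.90[222.78.128.90]) - USER admin: no such user found from 222.78.128.90 [222.78.128.90] to 65.75.183.160:21
May 24 21:31:29 sv2 proftpd[23866]: sv2.mydomain.net (222.78.128.90[222.78.128.90]) - USER test: no such user found from 222.78.128.90 [222.78.128.90] to 65.75.183.160:21
May 24 21:31:31 sv2 proftpd[23867]: sv2.mydomain.net (222.78.128.90[222.78.128.90]) - USER Download: no such user found from 222.78.128.90 [222.78.128.90] to 65.75.183.160:21
May 24 21:40:02 sv2 sshd[24001]: Failed password for invalid user guest from 192.0.2.20 port 4022 ssh2
May 24 22:05:10 sv2 proftpd[24110]: sv2.mydomain.net (192.0.2.10[192.0.2.10]) - USER webmaster: no such user found from 192.0.2.10 [192.0.2.10] to 65.75.183.160:21
""".splitlines()

if __name__ == "__main__":
    for src, e in summarize(SAMPLE).items():
        verdict = "likely brute force" if looks_like_bruteforce(e) else "few usernames"
        print(f"{src}: {e['attempts']} attempts, users={sorted(e['users'])}, "
              f"{e['first']} .. {e['last']} ({verdict})")
```

To run it against the real log, pass `open("/var/log/secure")` to `summarize()` instead of `SAMPLE`; reading that file normally requires root.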