In the example an attack is launched from the server mars to the server venus. The usernames and passwords files have been trimmed to only use 16 usernames and 9 passwords. mars:> ./fastbrute venus fastbrute ver 0.50a Started... (Loaded 16 usernames, 9 passwords) tried 0 FOUND: bfuser4 pass3 tried 24 tried 48 tried 72 tried 96 tried 120 Finished. It has found a pair "bfuser4/pass3", a dummy account that was created to confirm that the attack is working. While this has been running, in another window we check what is happening on the network, mars:> snoop -ta port 21 Using device /dev/hme (promiscuous mode) 13:27:44.34323 venus -> mars FTP R port=53884 530 Login incorrect. 13:27:44.34372 mars -> venus FTP C port=53884 USER bfuser1\nPASS p 13:27:44.35921 venus -> mars FTP R port=53884 331 Password require 13:27:44.40029 mars -> venus FTP C port=53884 13:27:44.50319 venus -> mars FTP R port=53882 530 Login incorrect. 13:27:44.50369 mars -> venus FTP C port=53882 USER bfuser2\nPASS p We can see it is working. On venus we check if this attack has been noticed, venus:> tail -5 /var/log/messages Oct 24 13:27:45 localhost ftpd: mars: connected: IDLE [7389]: failed login from mars [192.168.1.1] Oct 24 13:27:45 localhost ftpd: mars: connected: IDLE [7389]: failed login from mars [192.168.1.1] Oct 24 13:27:45 localhost ftpd: mars: connected: IDLE [7389]: failed login from mars [192.168.1.1] Oct 24 13:27:45 localhost ftpd: mars: connected: IDLE [7389]: failed login from mars [192.168.1.1] Oct 24 13:27:45 localhost ftpd: mars: connected: IDLE [7389]: failed login from mars [192.168.1.1] It has, confirming ftpd is reporting this attack correctly. Does your ftp server correctly report brute force attacks? This tool can help you check.