Short story long,

Running a Linksys RV082 firwall with a IIS 5.0 (W2k) machine as an ftp server.

We've had many people from overseas attack the site attempting to crack the password, usually very generic login names. none have been even close but this is a continuing attck. Initally the owner was blocking there WAN IP in the firewall by doing dnstools lookup.

Currently, we now have all trusted WAN Ip from customers accessing the FTP setup as port 21 Allowed. Everyone else is using default 21 Deny. Full access to LAN.

Yet were still getting logs like such:
2009-07-06 01:14:26 - MSFTPSVC1 DATA1 192.168.*.* 21 [62]PASS - 530 1326
2009-07-06 01:14:27 Administrator MSFTPSVC1 DATA1 192.168.*.* 21 [62]USER Administrator 331 0

We adjsuted IIS to do the same thing as the firewall and deny all and only allow our trusted WAN IPs but then we started having other issues with users not being able to log in. (after running a microsoft fix that undid those changes ) were back to square one.

Any idea how this is possible? I've had many people go over our firewall and it appears to be solid. A sheilds up test however will show the port as open. (when done from the ftp server)

Please help!