Catch hacker in action

I have caught a hacker after looking through my site's FTP logs - it looks as if they have gleaned a list of passwords for several of my sites and are now connecting on a daily basis to upload spammy PHP files that perform header redirects to their sites. They always connect from the same IP address.

Blocking that IP and changing the FTP passwords is a given, but it seems so mundane and submissive. Is there anything I can do to this guy as he connects or once he's already in the system?


Some recommendations:

  1. Change your FTP port. Most script kiddies use a port scanner to scan a list of IP addresses for TCP services. They mostly look for port 21.

  2. Disable root login for SSH.

  3. You mentioned this before, but make sure your password is secure and not written down on a post-it note on your computer monitor.
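Since the question starts from the FTP logs, here is an added example (not code from the question or the answer above) that automates the "catching" step: it parses the standard xferlog format that vsftpd, proftpd and wu-ftpd write, keeps only completed uploads of script files, and reports which remote hosts pushed scripts under more than one account. That last condition is the tell from the question: one client holding passwords for several of your sites. The log lines in `SAMPLE_LOG` are constructed for illustration; the field layout, extension list and the `min_users` threshold are assumptions you should adjust to your own server.

```python
"""Scan an xferlog-format FTP transfer log for suspicious script uploads.

Added example, not part of the original post. Assumes the xferlog layout
used by vsftpd/proftpd/wu-ftpd; the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# xferlog fields: <weekday> <mon> <day> <hh:mm:ss> <year> <xfer-secs> <remote-host>
#   <bytes> <filename> <type a|b> <special> <direction i|o|d> <mode a|r|g>
#   <user> <service> <auth 0|1> <auth-uid> <status c|i>
XFERLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<secs>\d+) (?P<host>\S+) (?P<size>\d+) (?P<path>\S+) "
    r"(?P<type>[ab]) (?P<special>\S+) (?P<direction>[iod]) (?P<mode>[arg]) "
    r"(?P<user>\S+) (?P<service>\S+) (?P<auth>[01]) (?P<auth_uid>\S+) "
    r"(?P<status>[ci])$"
)

# Constructed sample: one host hits two sites' accounts on consecutive nights,
# a legitimate image upload from another host, and a download that must be ignored.
SAMPLE_LOG = """\
Mon Sep 12 03:14:07 2011 1 203.0.113.45 2048 /var/www/siteA/htdocs/wp-content/uploads/cache.php b _ i r siteA_ftp ftp 0 * c
Mon Sep 12 03:14:09 2011 1 203.0.113.45 2048 /var/www/siteB/htdocs/images/x.php b _ i r siteB_ftp ftp 0 * c
Mon Sep 12 09:02:11 2011 3 198.51.100.7 51200 /var/www/siteA/htdocs/images/logo.png b _ i r siteA_ftp ftp 0 * c
Tue Sep 13 03:15:00 2011 1 203.0.113.45 2048 /var/www/siteA/htdocs/wp-content/uploads/cache.php b _ i r siteA_ftp ftp 0 * c
Tue Sep 13 09:10:44 2011 2 198.51.100.7 1300 /var/www/siteA/htdocs/index.php b _ o r siteA_ftp ftp 0 * c
"""

SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")  # assumed list; extend as needed


def parse_xferlog(text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = XFERLOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # strptime tolerates the double space xferlog uses for single-digit days
        rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
        yield rec


def suspicious_uploads(text, exts=SCRIPT_EXTS):
    """Completed uploads (direction 'i', status 'c') of files with a script extension."""
    return [
        r for r in parse_xferlog(text)
        if r["direction"] == "i" and r["status"] == "c"
        and r["path"].lower().endswith(exts)
    ]


def summarize(text):
    """Group suspicious uploads by remote host: accounts used, days seen, files written."""
    by_host = defaultdict(lambda: {"users": set(), "days": set(), "files": set()})
    for r in suspicious_uploads(text):
        entry = by_host[r["host"]]
        entry["users"].add(r["user"])
        entry["days"].add(r["ts"].date())
        entry["files"].add(r["path"])
    return dict(by_host)


def block_candidates(text, min_users=2):
    """Hosts that uploaded scripts under at least min_users distinct accounts."""
    return sorted(h for h, s in summarize(text).items() if len(s["users"]) >= min_users)


def accounts_to_reset(text):
    """Every account a block candidate used: those passwords are known to the attacker."""
    hosts = set(block_candidates(text))
    return sorted({r["user"] for r in suspicious_uploads(text) if r["host"] in hosts})


if __name__ == "__main__":
    for host, s in summarize(SAMPLE_LOG).items():
        print(f"{host}: {len(s['files'])} script file(s) via {sorted(s['users'])} "
              f"on {sorted(d.isoformat() for d in s['days'])}")
    print("block:", block_candidates(SAMPLE_LOG))
    print("reset passwords for:", accounts_to_reset(SAMPLE_LOG))
```

Run it against your real log with `python3 scan.py < /var/log/xferlog` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the `block` list is what goes into your firewall deny rule and the `reset` list is the set of accounts whose passwords the answer above tells you to change. Downloads (`o`) and aborted transfers (`i` status) are deliberately excluded so a legitimate developer pulling `index.php` does not show up as an attacker.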

