ftp "attack"?

 
Tim Howell
Frequent Advisor

ftp "attack"?

I am currently (and periodically for the past few days) being ftp'ed repeatedly, as in a couple of times a minute. I can see this in syslog, but since I am not allowing the connection, it only says "FTP session closed". Is there a way I can see what address is doing this so it can be blocked via router or something? I have seen previous posts recommending adding the -lv to ftpd, which I have done. But I still only get the aforementioned message.
TIA
if only we knew...
Rick Garland
Honored Contributor

Re: ftp "attack"?

By default, the ftp logging is not exhaustive and goes to the syslog.

You can increase the ftp logging and go to a specific ftp log file.

Search on ftp logging.
RAC_1
Honored Contributor

Re: ftp "attack"?

Doesn't it say from ipaddress/hostname??

Anil
There is no substitute to HARDWORK
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: ftp "attack"?

Issue an inetd -l command which will toggle the logging of inetd. This log will grow quite quickly on an active system but it should capture your data. When you have the intruder, you can issue another inetd -l to toggle the logging off.
If it ain't broke, I can fix that.
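
With inetd connection logging toggled on as described in the answer above, the source of the repeated ftp connections can be tallied straight from syslog. This is an added example, not part of the original thread: the function names, the assumed log line shape and the sample lines are constructed for illustration, so check the pattern against your own syslog.

```shell
#!/bin/sh
# Tally ftp connections per source address from inetd connection-logging lines.
# Assumed line shape (an assumption; verify against your own syslog):
#   <date> <host> inetd[PID]: ftp/tcp: Connection from <name> (<ip>) at <date>
# Only IPv4 addresses are matched.

# Constructed sample lines; addresses come from documentation ranges.
sample_log() {
cat <<'EOF'
Oct 30 10:00:01 hpbox inetd[1201]: ftp/tcp: Connection from unknown (192.0.2.77) at Thu Oct 30 10:00:01 2003
Oct 30 10:00:02 hpbox ftpd[1201]: FTP session closed
Oct 30 10:00:31 hpbox inetd[1207]: ftp/tcp: Connection from unknown (192.0.2.77) at Thu Oct 30 10:00:31 2003
Oct 30 10:00:40 hpbox inetd[1209]: telnet/tcp: Connection from unknown (192.0.2.77) at Thu Oct 30 10:00:40 2003
Oct 30 10:01:02 hpbox inetd[1214]: ftp/tcp: Connection from ws12 (198.51.100.9) at Thu Oct 30 10:01:02 2003
Oct 30 10:01:30 hpbox inetd[1220]: ftp/tcp: Connection from unknown (192.0.2.77) at Thu Oct 30 10:01:30 2003
Oct 30 10:02:01 hpbox inetd[1226]: ftp/tcp: Connection from unknown (192.0.2.77) at Thu Oct 30 10:02:01 2003
EOF
}

# ftp_sources [min] : reads syslog text on stdin and prints "count address"
# for every source with at least <min> ftp connections, busiest first.
ftp_sources() {
    awk -v min="${1:-1}" '
        # Only inetd lines for the ftp service; ftpd and other services are skipped.
        /inetd\[[0-9]+\]: ftp\/tcp: Connection from / {
            # The address sits in parentheses just before " at <date>".
            if (match($0, /[(][0-9.]+[)] at /)) {
                ip = substr($0, RSTART + 1, RLENGTH - 6)
                n[ip]++
            }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Show sources with three or more ftp connections in the sample.
sample_log | ftp_sources 3
```

On a live system, feed it the syslog file instead of the sample, for example `ftp_sources 10 < /var/adm/syslog/syslog.log` (the usual HP-UX syslog location), and remember to toggle inetd logging back off afterwards.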
Rick Garland
Honored Contributor

Re: ftp "attack"?

Here is a previous thread

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=187078

Doing the search will get all kinds of hits for ftp logging
Biswajit Tripathy
Honored Contributor

Re: ftp "attack"?

One option is to run IPFilter system firewall to block
AND log the ftp session. To do this, configure the
following IPFilter rule:

block in log first proto tcp from any to any port = 21

OR

block return-rst in log first proto tcp from any to any port = 21

The syslog will block and log the connection
attempts along with the IP address of the client in
syslog (see logs by ipmon daemon). If you
configure the first rule, the client will keep
retransmitting a few times before giving up. If
you configure the 2nd rule instead, the client will get
a "Connection refused" message.

- Biswajit
:-)
Tim Howell
Frequent Advisor

Re: ftp "attack"?

A. Clay S. answered my question exactly...Thanks!!!
if only we knew...