HPE Community
Operating System - HP-UX
1834137 Members
2169 Online
110064 Solutions
New Discussion

ftp "attack"?

 
SOLVED
Go to solution
Tim Howell
Frequent Advisor

‎04-19-2005 03:51 AM

‎04-19-2005 03:51 AM

ftp "attack"?

I am currently (and periodically for the past few days) being ftp'ed repeatedly, as in a couple of times a minute. I can see this in syslog, but since I am not allowing the connection, it only says "FTP session closed". Is there a way I can see what address is doing this so it can be blocked via router or something? I have seen previous post recommending adding the -lv to ftpd, which I have done. But I still only get the afore mentioned message.
TIA
if only we knew...
0 Kudos
6 REPLIES 6
Rick Garland
Honored Contributor

‎04-19-2005 03:56 AM

‎04-19-2005 03:56 AM

Re: ftp "attack"?

By default, the ftp logging is not exhaustive and goes to the syslog.

You can increase the ftp loggin and go to a specific ftp log file.

Search on ftp logging.
0 Kudos
RAC_1
Honored Contributor

‎04-19-2005 03:57 AM

‎04-19-2005 03:57 AM

Re: ftp "attack"?

Doesn't is say from ipaddress/hostname??

Anil
There is no substitute to HARDWORK
0 Kudos
A. Clay Stephenson
Acclaimed Contributor

‎04-19-2005 03:58 AM

‎04-19-2005 03:58 AM

Solution

Re: ftp "attack"?

Issue an inetd -l command which will toggle the logging of inetd. This log will grow quite quickly on a active system but it should capture your data. When you have the intruder, you can issue another inetd -l to toggle the logging off.
If it ain't broke, I can fix that.
0 Kudos
Rick Garland
Honored Contributor

‎04-19-2005 04:00 AM

‎04-19-2005 04:00 AM

Re: ftp "attack"?

Here is a previous thread

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=187078

Doing the search will get all kinds of hits for ftp logging
0 Kudos
Biswajit Tripathy
Honored Contributor

‎04-19-2005 06:24 AM

‎04-19-2005 06:24 AM

Re: ftp "attack"?

One option is to run IPFilter system firewall to block
AND log the ftp session. To do this, configure the
following IPFilter rule:

block in log first proto tcp from any to any port = 21

OR

block return-rst in log first proto tcp from any to any port = 21

The syslog will block and log the connections
attempts along with the IP address of client in
syslog (see logs by ipmon daemon). If you
configure the first rule, the client will keep
retransmitting for few times before giving up. If
you conigure the 2nd rule instead, the client will get
a "Connection refused" message.

- Biswajit
:-)
0 Kudos
Tim Howell
Frequent Advisor

‎04-20-2005 01:32 AM

‎04-20-2005 01:32 AM

Re: ftp "attack"?

A. Clay S. answered my question exactly...Thanks!!!
if only we knew...
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.