I'm using a licensed Core FTP server and am receiving these connection strings in my log. Is it possible to connect to the server without a user name?
I do have lots of these examples in my log, but they all have different IP numbers. Connection time always seems to be less than 10 seconds.
[#1] [20061206 05:46:54] [65.111.166.200] connecting
[#1] [20061206 05:46:54] [65.111.166.200] connected
[#1] [20061206 05:47:03] [65.111.166.200] disconnected ((null))
Server configuration: SSH/SFTP only.
Block bounce attacks/FTP is checked
Please, I would like an explanation of those connections.
Unknown connections?
My port 22 gets scanned daily by about 3 or 4 different IPs. They are definitely bots or hackers. whois usually shows them coming from Asia Pacific or Amsterdam areas and all our employees are in the US. So I add them to the banned list.
My question is ... is it worth reporting these IPs to the abuse@whatevertheISPis? I have the IP and time of attempted login, so shouldn't they be able to find them, or is it a waste of my time?
Also, shouldn't Core FTP Server outright refuse connection vice showing connected for say 10 sec then dropping them as (NULL)?
The IP is being reported in the log just fine... I guess I misunderstand what it is telling me.
IP so-and-so attempted login (null)
10 secs later connection dropped.
That tells me they are attempting connection...
They are already on my ban list; I would like to see something that says connection refused in my log and why... username? password? authentication? or banned IP?
Edit:
[20070215 17:14:00] [220.95.216.67] connecting
[#1] [20070215 17:14:00] [220.95.216.67] denied
[#1] [20070215 17:24:37] [220.95.216.67] connecting
[#1] [20070215 17:24:37] [220.95.216.67] denied
OK, that works. The log file is definitely telling me that is a banned IP. Cool.
I am also getting a lot of these unwanted knocks at my server, too. Here is what my log shows:
[#4] [20070415 11:00:04] [85.234.132.183] connecting
[#4] [20070415 11:00:04] [85.234.132.183] connected
[#4] [20070415 11:00:04] [85.234.132.183] disconnected ((null))
[#4] [20070415 11:00:28] [85.234.132.183] connecting
[#4] [20070415 11:00:28] [85.234.132.183] connected
[#4] [20070415 11:00:36] [85.234.132.183] disconnected ((null))
[#4] [20070415 15:00:44] [61.237.225.235] connecting
[#4] [20070415 15:00:44] [61.237.225.235] connected
[#4] [20070415 15:00:44] Winsock error - 10054
[#4] [20070415 15:00:44] [61.237.225.235] disconnected ((null))
[#4] [20070415 15:01:40] [61.237.225.235] connecting
[#4] [20070415 15:01:40] [61.237.225.235] connected
[#4] [20070415 15:01:49] [61.237.225.235] disconnected ((null))
[#4] [20070415 16:44:51] [194.9.79.124] connecting
[#4] [20070415 16:44:51] [194.9.79.124] connected
[#4] [20070415 16:44:51] [194.9.79.124] disconnected ((null))
[#4] [20070415 16:45:12] [194.9.79.124] connecting
[#4] [20070415 16:45:12] [194.9.79.124] connected
[#4] [20070415 16:45:25] [194.9.79.124] disconnected ((null))
Let's presume it is a hacker bot doing a scan on me.
Why does it report "connected" (briefly, I know, but still scary)?
If it's not really getting connected, what is it that is keeping it from getting into my server?
Now that it has found me, why isn't it trying "anonymous" or some other login attempt?
Thanks for any info. Sorry to keep going on about this topic.
[quote="CP"]Unless you've blocked all IP addresses that you don't want connecting to your server, anyone on the internet can attempt to connect to it. Your server is waiting for connections (in this case 22). Any program that can make a TCP socket connection can connect to your server. Most of the time it's a program scanning computers, looking to see what services are running on them.
Unless you see a command issuing any "user" commands, there isn't a way someone is going to log in. If you don't see any commands being issued, nothing is happening. Core FTP Server also only currently (at the time of this post) supports the SFTP protocol, no shell access, etc. It's a very specific protocol (SFTP) that is supported. If someone is accessing your computer, you will definitely see it in the log.[/quote]
great - thanks for your words of wisdom.