March 7th, 2003, 08:31 PM
What is this guy trying to do?
Anyway to monitor this or block this IP?
March 10th, 2003, 03:58 AM
Hes just trying to log onto the ftp server without a valid username or password, as your log shows, anonymous access isnt allowed on the server so he hasnt been getting in
So nothing here really to worry about,
If you really want to block him you can do but he could be on a dynamic IP so if he comes back a day or two later trying to login then his IP could be different and your block will be useless
Hes not getting in with an anymous account so nothing to worry about, just look through and make sure hes not trying to get in (with same IP) using other account names, example - look for
host (18.104.22.168[22.214.171.124]) - no such user 'fred'
If you start seeing thigs such as that, and if there are a large number of them then you might want to think about taking action cause he could be trying a brute force attack to try and get a valid un/pwd combo
One way to make this hard for him is to make sure none of the accounts on the ftp server have weak username and passwd combinations - set a minimum character lenght on aco**** creation and try and get people to use upper/lowercase mix aswell as numbers and other misc characters
All the best
March 10th, 2003, 07:23 AM
Thanks for the info.. Is there a way to issue a "timeout" period for someone with too many failures?
For example, I found this guy today:
Sorry for all the text, just wanted to make the point. Seems like brute force to me. If I could set a temporary time-out period for say, an hour, after "x" number of failed attempts, I think that could help.
March 10th, 2003, 01:58 PM
You can normally tell a brute force from the time stamps, if there all rediculasly close together and theres a big list like the one above (well normally bigger) then you can tell its a brute attack
As to the timeout question, not sure what ftp server software your using, but this is something that is possible
What ftp software are you using ?
Also, turning on timestamps in your config might help figure out if it is actually a brute force or just someone who has a real problem remembering there password : )
(if you run a large server (with alot of users) these timestamps will increase log file sizes so take this into account, if it is a big server you might just want to enable timestamps just for a day or so for monitoring purposes)
All the best