Julian:
        Hello again! Wow, you have some interesting log files. :)

> I keep getting connection attempts on tcp port 21 from this particular
> IP address.  I'm pretty sure this is someone trying to connect to an
> FTP server on my network.  Incidentally, there are no FTP servers on my
> LAN.
>
> The packets come in a fixed pattern, four over a period of about 30
> seconds, then about five minutes later, a similar packet but without the
> SYN flag set appears, like this:
>
> Jan 17 07:38:28 thingeek kernel: Packet log: input DENY eth0 PROTO=6
> 202.64.203.30:41900 217.149.96.2:21 L=44 S=0x00 I=33343 F=0x0000 T=110
> SYN (#73)
> Jan 17 07:38:31 thingeek kernel: Packet log: input DENY eth0 PROTO=6
> 202.64.203.30:41900 217.149.96.2:21 L=44 S=0x00 I=35647 F=0x0000 T=110
> SYN (#73)
> Jan 17 07:38:37 thingeek kernel: Packet log: input DENY eth0 PROTO=6
> 202.64.203.
...
>
> What do you think?  What action would you take?

        You can see on www.incidents.org that port-21 scans are pretty
popular this month: a few days ago, scans to that port were 23 percent
of all submissions to DShield. Wow.
        If I were you, I'd definitely contact the administrator of the
site. Most of the harmless scans are a one-time thing; a script kiddie
knocks on your door and moves on when they find it locked. If this
person is repeatedly trying to FTP something from you...it may just
be an honest misconfiguration, i.e., someone had the 217.149.96.2
address before you did, and was running an FTP server.

        Good luck!

-Scott


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
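
An added example, not part of the original thread: a small parser for ipchains "Packet log:" entries that separates retransmitted SYNs (same source port) from distinct connection attempts, which is the one-time-scan versus repeated-client distinction discussed above. It assumes each entry has been unwrapped onto a single line; the hostname `fw`, the documentation-range addresses and the year used for timestamps are constructed for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# One ipchains "Packet log:" entry, unwrapped onto a single line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: Packet log: \S+ \S+ \S+ "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=\d+ S=0x[0-9A-Fa-f]+ I=\d+ "
    r"F=0x[0-9A-Fa-f]+ T=\d+(?P<syn> SYN)? \(#\d+\)$"
)

def _line(time, src, sport, syn=True):
    """Build one constructed log entry (hypothetical host and addresses)."""
    return ("Jan 17 %s fw kernel: Packet log: input DENY eth0 PROTO=6 "
            "%s:%d 198.51.100.2:21 L=44 S=0x00 I=1 F=0x0000 T=110%s (#73)"
            % (time, src, sport, " SYN" if syn else ""))

# Constructed sample: one client retrying, one source that knocks once.
SAMPLE = [
    _line("07:38:28", "192.0.2.30", 41900), _line("07:38:31", "192.0.2.30", 41900),
    _line("07:38:37", "192.0.2.30", 41900), _line("07:38:49", "192.0.2.30", 41900),
    _line("07:43:50", "192.0.2.30", 41900, syn=False),
    _line("07:50:02", "192.0.2.30", 41955), _line("07:50:05", "192.0.2.30", 41955),
    _line("08:01:10", "192.0.2.77", 1055),
]

def summarize(lines):
    """Per (src, dst, dport): distinct attempts, SYN count, retransmit gaps."""
    flows = defaultdict(lambda: defaultdict(list))  # flow -> sport -> SYN times
    non_syn = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "6":  # TCP only
            continue
        key = (m["src"], m["dst"], int(m["dport"]))
        ports = flows[key]
        if m["syn"]:
            # syslog omits the year; 2000 is assumed so gaps can be computed
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
            ports[int(m["sport"])].append(ts)
        else:
            non_syn[key] += 1
    return {
        key: {"attempts": len(ports),
              "syn_packets": sum(len(t) for t in ports.values()),
              "gaps": {sp: [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
                       for sp, t in ports.items()},
              "non_syn": non_syn[key]}
        for key, ports in flows.items()
    }
```

A source whose `attempts` keeps growing across new source ports is a client that keeps coming back, while SYNs sharing one source port with doubling gaps are a single attempt being retransmitted.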
