Computer Security - ftp server question

 
Old 06-23-2006, 01:27 PM   #1
Default ftp server question


i have a ftp server (filezilla server) on my system.

i get, almost every day, someone trying to log on to my server as admin,
administrator, etc. using a dictionary attack.

i have looked up, with whois, where they are from and tried informing their
isp about the attack.

most of the time, i get a message from them telling me that they need the
log with times. also my gmt.
source ip and port, destination ip and port.

which i give them all but the source port. (if they wanted to, they could
look the info up without it.)

which comes to my question.

is there a ftp server that logs source ip and port and destination ip and
port.
also the logon name and password would also be nice.

or, getting this info is just a waste of time, for most isp do not care about
hackers.

i really do not want to put a sniffer on my system and log every packet that
comes into/out of my system just to not get the message from stupid isp
people.






Peter
Old 06-23-2006, 01:58 PM   #2
Sebastian Gottschalk
 
Default Re: ftp server question
Peter wrote:
> i have a ftp server (filezilla server) on my system.
> [...]
> is there a ftp server that logs source ip and port and destination ip
> and port. also the logon name and password would also be nice.


FileZilla Server does so.

> or, getting this info is just a waste of time, for most isp do not
> care about hackers.


True, true.


Sebastian Gottschalk
Old 06-23-2006, 02:21 PM   #3
Peter
 
Default Re: ftp server question

"Sebastian Gottschalk" <> wrote in message
news:...
> Peter wrote:
>> i have a ftp server (filezilla server) on my system.
>> [...]
>> is there a ftp server that logs source ip and port and destination ip
>> and port. also the logon name and password would also be nice.

>
> FileZilla Server does so.


that is why i use filezilla, because it logs name and password.

>
>> or, getting this info is just a waste of time, for most isp do not
>> care about hackers.

>
> True, true.


for normal attacks that people do. i gave up on infoing isp. was getting the
same stuff from them.
so for that. i am using the program from dshield.org
it takes the info from the firewall/router firewall and sends it to them each
hour. they want that log.




Peter
Old 06-23-2006, 04:44 PM   #4
Hadron Quark
 
Default Re: ftp server question
"Peter" <> writes:

> i have a ftp server (filezilla server) on my system.
>
> i get, almost every day, someone trying to log on to my server as admin,
> administrator, etc. using a dictionary attack.
>
> i have looked up, with whois, where they are from and tried informing their
> isp about the attack.
>
> most of the time, i get a message from them telling me that they need the
> log with times. also my gmt.
> source ip and port, destination ip and port.
>
> which i give them all but the source port. (if they wanted to, they could
> look the info up without it.)
>
> which comes to my question.
>
> is there a ftp server that logs source ip and port and destination ip and
> port.
> also the logon name and password would also be nice.


I thought you already had all that?


Hadron Quark
Old 06-23-2006, 05:16 PM   #5
Peter
 
Default Re: ftp server question

"Hadron Quark" <> wrote in message
news:...
> "Peter" <> writes:
>
>> i have a ftp server (filezilla server) on my system.
>>
>> i get, almost every day, someone trying to log on to my server as admin,
>> administrator, etc. using a dictionary attack.
>>
>> i have looked up, with whois, where they are from and tried informing their
>> isp about the attack.
>>
>> most of the time, i get a message from them telling me that they need the
>> log with times. also my gmt.
>> source ip and port, destination ip and port.
>>
>> which i give them all but the source port. (if they wanted to, they could
>> look the info up without it.)
>>
>> which comes to my question.
>>
>> is there a ftp server that logs source ip and port and destination ip and
>> port.
>> also the logon name and password would also be nice.

>
> I thought you already had all that?


i have everything but the source port. all others is known.
so, is there a ftp server, that also gives the source port in the log.




Peter
Old 06-23-2006, 05:58 PM   #6
Rick Merrill
 
Default Re: ftp server question
Peter wrote:

> i have a ftp server (filezilla server) on my system.
>
> i get, almost every day, someone trying to log on to my server as admin,
> administrator, etc. using a dictionary attack.
>
> i have looked up, with whois, where they are from and tried informing their
> isp about the attack.
>
> most of the time, i get a message from them telling me that they need the
> log with times. also my gmt.
> source ip and port, destination ip and port.
>
> which i give them all but the source port. (if they wanted to, they could
> look the info up without it.)
>
> which comes to my question.
>
> is there a ftp server that logs source ip and port and destination ip and
> port.
> also the logon name and password would also be nice.
>
> or, getting this info is just a waste of time, for most isp do not care about
> hackers.
>
> i really do not want to put a sniffer on my system and log every packet that
> comes into/out of my system just to not get the message from stupid isp
> people.
>
>
>
>



My log file became more of a problem than the attempts (which failed
because there IS NO "administrator" account). The log file just took up
a lot of space and by the time I could use it to try to report the
buggers it was useless for anything else!

And if I report it to China, will they do anything? No. The users are
in coffee shops and university connections and move along so they are
impossible to trace.


Rick Merrill
Old 06-23-2006, 06:00 PM   #7
nemo_outis
 
Default Re: ftp server question
Sebastian Gottschalk <> wrote in news:4g26t0F1lffn8U2@news.dfncis.de:

> Peter wrote:
>> i have a ftp server (filezilla server) on my system.
>> [...]
>> is there a ftp server that logs source ip and port and destination ip
>> and port. also the logon name and password would also be nice.

>
> FileZilla Server does so.
>
>> or, getting this info is just a waste of time, for most isp do not
>> care about hackers.

>
> True, true.
>




I run Serv-u and it can log everything.

Regards,




nemo_outis
Old 06-23-2006, 06:57 PM   #8
Borked Pseudo Mailed
 
Default Re: ftp server question
"Peter" <> wrote:

> i have a ftp server (filezilla server) on my system.
>
> i get, almost every day, someone trying to log on to my server as
> admin, administrator, etc. using a dictionary attack.


Welcome to the Internet. If you think you have problems, try running an
SMTP or SSH server. FTP servers are relatively "low priority" targets
these days.

> i have looked up, with whois, where they are from and tried informing
> their isp about the attack.


You're investing a lot of effort for little or no return. About one in
a few hundred ISP's will even respond, and of those that do only a tiny
percentage will be anything but an auto-responder.

> most of the time, i get a message from them telling me that they need
> the log with times. also my gmt.
> source ip and port, destination ip and port.
>
> which i give them all but the source port. (if they wanted to, they
> could look the info up without it.)


No they couldn't. Source port is the port the "attacker" is connecting
from. Destination port is the port on your machine they're connecting
to. If you're going to waste time complaining, please cooperate with
the few-and-far-between admins that will actually address the problems.
Or they'll quickly become admins who won't.

> which comes to my question.
>
> is there a ftp server that logs source ip and port and destination ip
> and port.
> also the logon name and password would also be nice.


Every competent FTP server does as far as I know, if they're configured
correctly. I don't know anything about this Filezilla thing though. If
it doesn't, then the next best thing, hell maybe even the better thing,
is to have a firewall or IDS standing in the stream logging everything.

> or, getting this info is just a waste of time, for most isp do not
> care about hackers.


Most ISP's care I'd imagine, but they're so overrun with this sort of
**** there's not much they can do. Even if they investigate every
complaint, a good portion will lead to another innocent victim and no
further.

If you're running a server of any type you can expect to be probed.
Most of it's automatic. As long as you're seeing the probes, you're
probably in good shape. When they suddenly evaporate for no apparent
reason it's a good indication one of them has succeeded, and an attacker
is erasing your logs or reconfiguring your detection methods.

> i really do not want to put a sniffer on my system and log every
> packet that comes into/out of my system just to not get the message
> from stupid isp people.


Why not? Just having a "sniffer" on your system doesn't mean you have
to log everything. Set it to watch the open FTP port and ignore the
rest. A *good* firewall will allow you to do exactly that. Log all
connection attempts to a specific port, while rejecting established
connections and activity on other ports.

You should already be running a firewall. If you're not, you've got a
death wish. If it doesn't let you adjust your log levels and such
you need a different firewall.



Borked Pseudo Mailed
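
The evidence an abuse desk asks for in this thread (times normalised to GMT/UTC, source IP and port, destination IP and port) can be assembled from a connection log. The following is an added example, not part of any post above; the log format, the IPv4 addresses and the function names are constructed for illustration and are not FileZilla Server's or Serv-U's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log in a hypothetical format (documentation-range
# addresses). Timestamps carry the server's local UTC offset, here -04:00.
SAMPLE_LOG = """\
2006-06-23T13:27:01-04:00 198.51.100.7:40112 -> 192.0.2.10:21 USER admin LOGIN_FAILED
2006-06-23T13:27:03-04:00 198.51.100.7:40115 -> 192.0.2.10:21 USER administrator LOGIN_FAILED
2006-06-23T13:27:05-04:00 198.51.100.7 -> 192.0.2.10:21 USER root LOGIN_FAILED
2006-06-23T13:30:44-04:00 203.0.113.20:51002 -> 192.0.2.10:21 USER peter LOGIN_OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) USER (?P<user>\S+) (?P<result>LOGIN_\w+)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_ip, _, src_port = m["src"].partition(":")
    return {
        # Convert the local timestamp to UTC so it can be correlated elsewhere.
        "utc": datetime.fromisoformat(m["ts"]).astimezone(timezone.utc),
        "src_ip": src_ip,
        "src_port": src_port or "?",  # "?" marks a source port the log lacks
        "dst": m["dst"],
        "user": m["user"],
        "failed": m["result"] == "LOGIN_FAILED",
    }

def abuse_report(log_text, min_failures=3):
    """Map each source IP with >= min_failures failed logins to evidence lines."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["failed"]:
            by_src[rec["src_ip"]].append(
                f"{rec['utc']:%Y-%m-%d %H:%M:%S} UTC "
                f"{rec['src_ip']}:{rec['src_port']} -> {rec['dst']} user={rec['user']}"
            )
    return {ip: lines for ip, lines in by_src.items() if len(lines) >= min_failures}

if __name__ == "__main__":
    for ip, lines in abuse_report(SAMPLE_LOG).items():
        print(f"{ip}: {len(lines)} failed logins")
        print("\n".join(lines))
```

The third sample line has no source port on purpose: it still counts toward the threshold, but the report line carries `?` where the port belongs, which makes the gap visible before the report is sent.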
Old 06-23-2006, 09:44 PM   #9
Peter
 
Default Re: ftp server question
i have put the server serv-u on the system.

have turned on the option of locking out if several attempts are made to log on
within x seconds.
just forget about telling isp about the hackers.


"nemo_outis" <> wrote in message
news:Xns97EB6FE78EE10abcxyzcom@127.0.0.1...
> Sebastian Gottschalk <> wrote in news:4g26t0F1lffn8U2
> @news.dfncis.de:
>
>> Peter wrote:
>>> i have a ftp server (filezilla server) on my system.
>>> [...]
>>> is there a ftp server that logs source ip and port and destination ip
>>> and port. also the logon name and password would also be nice.

>>
>> FileZilla Server does so.
>>
>>> or, getting this info is just a waste of time, for most isp do not
>>> care about hackers.

>>
>> True, true.
>>

>
>
>
> I run Serv-u and it can log everything.
>
> Regards,
>
>





Peter
Old 06-24-2006, 05:32 PM   #10
Rick Merrill
 
Default Re: ftp server question
Borked Pseudo Mailed wrote:
> "Peter" <> wrote:
>
>
>>i have a ftp server (filezilla server) on my system.
>>
>>i get, almost every day, someone trying to log on to my server as
>>admin, administrator, etc. using a dictionary attack.

>
>
> Welcome to the Internet. If you think you have problems, try running an
> SMTP or SSH server. FTP servers are relatively "low priority" targets
> these days.
>
>
>>i have looked up, with whois, where they are from and tried informing
>>their isp about the attack.

>
>
> You're investing a lot of effort for little or no return. About one in
> a few hundred ISP's will even respond, and of those that do only a tiny
> percentage will be anything but an auto-responder.
>
>
>>most of the time, i get a message from them telling me that they need
>>the log with times. also my gmt.
>>source ip and port, destination ip and port.
>>
>>which i give them all but the source port. (if they wanted to, they
>>could look the info up without it.)

>
>
> No they couldn't. Source port is the port the "attacker" is connecting
> from. Destination port is the port on your machine they're connecting
> to. If you're going to waste time complaining, please cooperate with
> the few-and-far-between admins that will actually address the problems.
> Or they'll quickly become admins who won't.
>
>
>>which comes to my question.
>>
>>is there a ftp server that logs source ip and port and destination ip
>>and port.
>>also the logon name and password would also be nice.

>
>
> Every competent FTP server does as far as I know, if they're configured
> correctly. I don't know anything about this Filezilla thing though. If
> it doesn't, then the next best thing, hell maybe even the better thing,
> is to have a firewall or IDS standing in the stream logging everything.
>
>
>>or, getting this info is just a waste of time, for most isp do not
>>care about hackers.

....

Maybe you can tell us HOW these attackers find the IP numbers of systems
that are running FTP (or other services)???



Rick Merrill