Query on FTP "probe"

Discussion in 'Computer Support' started by Harvey Van Sickle, Dec 4, 2003.

  1. I'm relatively new to ftp stuff, so this is, I hope, a simple question
    -- just trying to get things in perspective.

    I run an "occasionally-on" ftp server to transfer files to clients and
    my brother, using Pablo Vandermeer's "Quick 'n' Easy FTP server" (a
    good freeware program -- if I can make this stuff work, anybody can).

    All access is username/password only -- no "anonymous" logon -- and I
    only turn it on if I know someone is likely to need it.

    So: it's been running today for a client to download some images, and
    I left it on this evening. I just looked at the log, and saw that my
    guys pulled down what they needed, disconnecting at about 17:45 local
    time (which is also GMT).

    In addition, though, the log showed a connection at 21:45 from
    210.52.12.17, which immediately disconnected; no username or passwords
    were offered or requested. Sticking that address into the browser, it
    comes up with www.codentnetworks.com -- a Chinese site.

    Questions:

    1. Am I right in assuming that this is probing for Port 21 ftp
    servers, and that it disconnected because it was trying to logon as
    "anonymous"?

    2. Does this happen a lot if you run a password-accessed ftp server?

    3. Were they likely to establish anything other than the fact that
    there was an "anonymous-logon-blocked" server at this address?

    4. Do I need to do anything other than keep access closed with
    username/password control?

    I'm on an always-on cable connection; single, standalone PC; running
    ZoneAlarm.


    --
    Cheers, Harvey

    For e-mail, change harvey to whhvs.
     
    Harvey Van Sickle, Dec 4, 2003
    #1

  2. Harvey Van Sickle

    Rob K Guest

    "Harvey Van Sickle" wrote on Thursday:
    <snip>
    >
    > Questions:
    >
    > 1. Am I right in assuming that this is probing for Port 21 ftp
    > servers, and that it disconnected because it was trying to logon as
    > "anonymous"?
    >
    > 2. Does this happen a lot if you run a password-accessed ftp server?
    >
    > 3. Were they likely to establish anything other than the fact that
    > there was an "anonymous-logon-blocked" server at this address?
    >
    > 4. Do I need to do anything other than keep access closed with
    > username/password control?
    >
    > I'm on an always-on cable connection; single, standalone PC; running
    > ZoneAlarm.


    FWIW from my limited experience:
    1) Yes in most cases
    2) Hard to tell, but I've seen similar things
    3) Depends on the sort of probe, methinks.
    4) No, if you're satisfied the FTP server has decent security.

    --
    My E-mail address in ROT-13:
     
    Rob K, Dec 4, 2003
    #2

  3. Harvey Van Sickle

    °Mike° Guest

    There are bots and trojans out there searching for
    open ports all of the time. It sounds like normal
    background traffic to me.

    Don't leave the server running unnecessarily, and
    block port 21 to unknown programs and protocols.


    On Thu, 04 Dec 2003 22:24:50 GMT, in
    <Xns9447E401A505Fwhhvans@62.253.162.115>
    Harvey Van Sickle scrawled:

    >I'm relatively new to ftp stuff, so this is, I hope, a simple question
    >-- just trying to get things in perspective.
    >
    >I run an "occasionally-on" ftp server to transfer files to clients and
    >my brother, using Pablo Vandermeer's "Quick 'n' Easy FTP server" (a
    >good freeware program -- if I can make this stuff work, anybody can).
    >
    >All access is username/password only -- no "anonymous" logon -- and I
    >only turn it on if I know someone is likely to need it.
    >
    >So: it's been running today for a client to download some images, and
    >I left it on this evening. I just looked at the log, and saw that my
    >guys pulled down what they needed, disconnecting at about 17:45 local
    >time (which is also GMT).
    >
    >In addition, though, the log showed a connection at 21:45 from
    >210.52.12.17, which immediately disconnected; no username or passwords
    >were offered or requested. Sticking that address into the browser, it
    >comes up with www.codentnetworks.com -- a Chinese site.
    >
    >Questions:
    >
    >1. Am I right in assuming that this is probing for Port 21 ftp
    >servers, and that it disconnected because it was trying to logon as
    >"anonymous"?
    >
    >2. Does this happen a lot if you run a password-accessed ftp server?
    >
    >3. Were they likely to establish anything other than the fact that
    >there was an "anonymous-logon-blocked" server at this address?
    >
    >4. Do I need to do anything other than keep access closed with
    >username/password control?
    >
    >I'm on an always-on cable connection; single, standalone PC; running
    >ZoneAlarm.


    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
     
    °Mike°, Dec 4, 2003
    #3
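
Added example, not part of any post in this thread and not the log format of Quick 'n' Easy FTP Server: a small classifier that separates the pattern described in the first post (a connection that closes with no username offered) from rejected anonymous logins and other failed logins. The log layout, session ids and the 192.0.2.x / 198.51.100.x addresses are constructed for illustration; 230 and 530 are the standard FTP reply codes for login success and failure.

```python
import re

# Constructed sample log in a hypothetical "timestamp [session] ip EVENT arg" layout.
SAMPLE_LOG = """\
2003-12-04 17:31:10 [0007] 192.0.2.10 CONNECT
2003-12-04 17:31:11 [0007] 192.0.2.10 USER client1
2003-12-04 17:31:12 [0007] 192.0.2.10 PASS 230
2003-12-04 17:45:03 [0007] 192.0.2.10 DISCONNECT
2003-12-04 21:45:02 [0008] 210.52.12.17 CONNECT
2003-12-04 21:45:02 [0008] 210.52.12.17 DISCONNECT
2003-12-04 22:10:40 [0009] 198.51.100.23 CONNECT
2003-12-04 22:10:41 [0009] 198.51.100.23 USER anonymous
2003-12-04 22:10:41 [0009] 198.51.100.23 PASS 530
2003-12-04 22:10:42 [0009] 198.51.100.23 DISCONNECT
2003-12-04 22:30:00 [0010] 198.51.100.77 CONNECT
2003-12-04 22:30:01 [0010] 198.51.100.77 USER admin
2003-12-04 22:30:02 [0010] 198.51.100.77 PASS 530
2003-12-04 22:30:03 [0010] 198.51.100.77 DISCONNECT
"""

LINE = re.compile(r"^(\S+ \S+) \[(\d+)\] (\S+) (\w+)(?: (.*))?$")

def classify_sessions(log_text):
    """Return {session_id: (ip, label)} for every session seen in the log."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _ts, sid, ip, event, arg = m.groups()
        s = sessions.setdefault(sid, {"ip": ip, "users": [], "ok": False})
        if event == "USER" and arg:
            s["users"].append(arg.lower())
        elif event == "PASS" and arg == "230":
            s["ok"] = True  # 230 = user logged in
    result = {}
    for sid, s in sessions.items():
        if s["ok"]:
            label = "authenticated"
        elif not s["users"]:
            label = "connect-only probe"  # port was open; no login attempted
        elif set(s["users"]) <= {"anonymous", "ftp"}:
            label = "anonymous attempt"
        else:
            label = "failed login"
        result[sid] = (s["ip"], label)
    return result

if __name__ == "__main__":
    for sid, (ip, label) in classify_sessions(SAMPLE_LOG).items():
        print(sid, ip, label)
```
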
  4. On 04 Dec 2003, Rob K wrote

    > "Harvey Van Sickle" wrote on Thursday:


    ><snip questions and answers 1-3>



    > 4) No, if you're satisfied the FTP server has decent security.


    Many thanks.

    I think it's secure enough -- it needs username and password, and the
    IP address is technically dynamic (it changed twice in the last couple
    of months, but the last was after a DNS outage).

    I'll look into selective blocking of Port 21, as suggested by Mike.

    --
    Cheers,
    Harvey

    For e-mail, change harvey to whhvs.
     
    Harvey Van Sickle, Dec 4, 2003
    #4
  5. On 04 Dec 2003, °Mike° wrote

    > There are bots and trojans out there searching for
    > open ports all of the time. It sounds like normal
    > background traffic to me.
    >
    > Don't leave the server running unnecessarily, and
    > block port 21 to unknown programs and protocols.


    Thanks; I'll try that.

    I'll have to research how to block unknown programs and protocols; at
    the moment, I thought it was enough to block access to anyone without a
    username, password and knowledge of the current IP address.

    (My IP address is sort of semi-dynamic: it's changed twice over the
    past few months, but the second one was after an ISP problem -- it
    usually stays static for a few months).

    --
    Cheers, Harvey

    My questions were:
    >>
    >> 1. Am I right in assuming that this is probing for Port 21 ftp
    >> servers, and that it disconnected because it was trying to logon
    >> as "anonymous"?
    >>
    >> 2. Does this happen a lot if you run a password-accessed ftp
    >> server?
    >>
    >> 3. Were they likely to establish anything other than the fact
    >> that there was an "anonymous-logon-blocked" server at this
    >> address?
    >>
    >> 4. Do I need to do anything other than keep access closed with
    >> username/password control?
    >>
    >> I'm on an always-on cable connection; single, standalone PC;
    >> running ZoneAlarm.
     
    Harvey Van Sickle, Dec 4, 2003
    #5
  6. Harvey Van Sickle

    Rob K Guest

    "Harvey Van Sickle" stated the following:
    > On 04 Dec 2003, Rob K wrote
    >

    <snip>
    >
    > I'll look into selective blocking of Port 21, as suggested by Mike.


    You're welcome.

    --
    My E-mail address in ROT-13:
     
    Rob K, Dec 4, 2003
    #6
  7. Harvey Van Sickle

    °Mike° Guest

    On Thu, 04 Dec 2003 23:00:00 GMT, in
    <Xns9447E9F7D5118whhvans@62.253.162.115>
    Harvey Van Sickle scrawled:

    >On 04 Dec 2003, °Mike° wrote
    >
    >> There are bots and trojans out there searching for
    >> open ports all of the time. It sounds like normal
    >> background traffic to me.
    >>
    >> Don't leave the server running unnecessarily, and
    >> block port 21 to unknown programs and protocols.

    >
    >Thanks; I'll try that.
    >
    >I'll have to research how to block unknown programs and protocols; at
    >the moment, I thought it was enough to block access to anyone without a
    >username, password and knowledge of the current IP address.
    >
    >(My IP address is sort of semi-dynamic: it's changed twice over the
    >past few months, but the second one was after an ISP problem -- it
    >usually stays static for a few months).


    You're welcome.

    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
     
    °Mike°, Dec 5, 2003
    #7