
Re: [cobalt-security] Interpreting Log Files?



Quoting Reed Phillips <rphillips@xxxxxxxxxxxxxx>:

> Could you point me to a source that explains how to interpret log 
> files?  For instance did the following person "connect" to my 
> machine?  It says "opened" and "connected", but also "no user found". 
> I'm not sure what this means.  I get a lot of these from Europe.
> 
> Sep  8 06:51:42 ns1 proftpd[24656]: 216.27.65.154 
> (AMetz-101-1-3-114.abo.wanadoo.fr[80.11.17.114]) - FTP session opened.
> Sep  8 06:51:41 ns1 in.proftpd[24656]: connect from 80.11.17.114
> Sep  8 06:51:42 ns1 proftpd[24656]: 216.27.65.154 
> (AMetz-101-1-3-114.abo.wanadoo.fr[80.11.17.114]) - USER anonymous: no 
> such user found from AMetz-101-1-3-114.abo.wanadoo.fr [80.11.17.114] 
> to 216.27.65.154:21

This looks fairly harmless.  A user opened an anonymous FTP session to
your FTP server.  Because your system does not have anonymous FTP enabled
(which requires a login entry in /etc/passwd for user 'ftp', for which
most FTP servers accept 'anonymous' as an alias.)   The first step is
the opening of a session with the server for authentication (this is
a TCP session to port 21.)  Your FTP server does a reverse DNS lookup
for the logging, which is why it knows it comes from Wanadoo, a popular
French ISP.  It then reports that the user tried an anonymous connection,
by trying to log in as "anonymous" or "ftp".

*********************************
        Paul Gillingwater
        Managing Director
 CSO Lanifex Unternehmensberatung 
 & Softwareentwicklung G.m.b.H.
      NEW BUSINESS CONCEPTS

E-mail:  paul@xxxxxxxxxxx
Teleph:  +43(1)2198222-0
Fax:     +43(1)2198222-11
Mobile:  +43(699)1922 3085
Webhome: http://www.lanifex.com/
Address: Praterstrasse 60/1/2 
         A-1020 Vienna, Austria
*********************************
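
A parser for the three line shapes quoted above, as an added example that is not part of the original message: it groups lines by the proftpd process ID so the TCP connect, the session opening and the rejected USER command read as one session. The regular expressions and function names are assumptions derived only from these three lines; other proftpd message formats are not covered.

```python
import re
from collections import defaultdict

# Log lines from the quoted message, with the e-mail line wrapping undone.
SAMPLE = """\
Sep  8 06:51:42 ns1 proftpd[24656]: 216.27.65.154 (AMetz-101-1-3-114.abo.wanadoo.fr[80.11.17.114]) - FTP session opened.
Sep  8 06:51:41 ns1 in.proftpd[24656]: connect from 80.11.17.114
Sep  8 06:51:42 ns1 proftpd[24656]: 216.27.65.154 (AMetz-101-1-3-114.abo.wanadoo.fr[80.11.17.114]) - USER anonymous: no such user found from AMetz-101-1-3-114.abo.wanadoo.fr [80.11.17.114] to 216.27.65.154:21
"""

# Patterns are assumptions inferred from the sample lines above.
HEADER = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) (?:in\.)?proftpd\[(\d+)\]: (.*)$")
CONNECT = re.compile(r"^connect from (\S+)$")
SESSION = re.compile(r"^\S+ \((\S*?)\[([\d.]+)\]\) - (.*)$")
NO_USER = re.compile(r"^USER (\S+): no such user found")

def parse_line(line):
    """Return a dict describing one proftpd syslog line, or None if unrecognised."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    when, server, pid, msg = m.groups()
    ev = {"time": when, "server": server, "pid": int(pid)}
    if (c := CONNECT.match(msg)):
        return {**ev, "event": "tcp_connect", "client": c.group(1)}
    if (s := SESSION.match(msg)):
        rdns, ip, rest = s.groups()
        ev.update(client=ip, rdns=rdns)  # rdns is the reverse DNS name the server logged
        if rest.startswith("FTP session opened"):
            return {**ev, "event": "session_opened"}
        if (u := NO_USER.match(rest)):
            return {**ev, "event": "login_rejected", "user": u.group(1)}
    return None

def summarise(text):
    """Group recognised events by server process ID, one entry per FTP session."""
    sessions = defaultdict(lambda: {"client": None, "events": [], "rejected_users": []})
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unknown format: skip rather than guess
        s = sessions[ev["pid"]]
        s["client"] = ev["client"]
        s["events"].append(ev["event"])
        if ev["event"] == "login_rejected":
            s["rejected_users"].append(ev["user"])
    return dict(sessions)

if __name__ == "__main__":
    for pid, info in summarise(SAMPLE).items():
        print(pid, info)
```
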