IIS Server Security

Author

FTP logs

Joe

2004-07-29, 8:47 pm

Hello,

I am new to IIS FTP and been enjoying it. But I have not
yet had the time to understand what to look for in the
logs as compared to HTTP. I have seen this in the logs

16:18:31 82.83.71.242 [22]USER anonymous 331 0
16:18:31 82.83.71.242 [22]PASS Tgpuser@home.com 530 1326
17:53:39 66.237.251.142 [23]USER anonymous 331 0
17:53:39 66.237.251.142 [23]PASS IEUser@ 530 1326
17:53:41 66.237.251.142 [24]USER anonymous 331 0
17:53:41 66.237.251.142 [24]PASS IEUser@ 530 1326
17:53:49 66.237.251.142 [25]USER SUBMIT 331 0
17:53:49 66.237.251.142 [25]PASS - 230 0

I do not know who this is below. I do not have FTP set
anonymously. You have to log in. So I don't understand the
anonymous part or the assuming email address.

16:18:31 82.83.71.242 [22]USER anonymous 331 0
16:18:31 82.83.71.242 [22]PASS Tgpuser@home.com 530 1326

and I cannot tell if they were successful in logging on
an I get a quick run down on what the numbers mean [25]
[24]

and also what is a 200 and a 331 in the FTP side of IIS
6.0

Thanks
Joe

Paul Lynch

2004-07-30, 5:51 pm

On Thu, 29 Jul 2004 17:46:34 -0700, "Joe"
<anonymous@discussions.microsoft.com> wrote:

>Hello,
>
>I am new to IIS FTP and been enjoying it. But I have not
>yet had the time to understand what to look for in the
>logs as compared to HTTP. I have seen this in the logs
>
>16:18:31 82.83.71.242 [22]USER anonymous 331 0
>16:18:31 82.83.71.242 [22]PASS Tgpuser@home.com 530 1326
>17:53:39 66.237.251.142 [23]USER anonymous 331 0
>17:53:39 66.237.251.142 [23]PASS IEUser@ 530 1326
>17:53:41 66.237.251.142 [24]USER anonymous 331 0
>17:53:41 66.237.251.142 [24]PASS IEUser@ 530 1326
>17:53:49 66.237.251.142 [25]USER SUBMIT 331 0
>17:53:49 66.237.251.142 [25]PASS - 230 0
>
>
>I do not know who this is below. I do not have FTP set
>anonymously. You have to log in. So I don't understand the
>anonymous part or the assuming email address.
>
>16:18:31 82.83.71.242 [22]USER anonymous 331 0
>16:18:31 82.83.71.242 [22]PASS Tgpuser@home.com 530 1326
>
>and I cannot tell if they were successful in logging on
>an I get a quick run down on what the numbers mean [25]
>[24]
>
>and also what is a 200 and a 331 in the FTP side of IIS
>6.0
>
>Thanks
>Joe

Joe,

The FTP status codes are listed in this KB article :

IIS Status Codes
http://support.microsoft.com/?id=318380

The 530 codes in your log files indicate that the attempts to log in
using the anonymous account were unsuccessful.

As an aside, I've always wondered why the FTP service logs a 331 which
means "User name okay, need password" when someone attempts to log in
as Anonymous even if anonymous login is disabled on the server ?!?

Maybe if Alun is reading this he can shed some light on this for us...

Regards,

Paul Lynch
MCSE

Jeff Cochran

2004-07-30, 5:51 pm

On Thu, 29 Jul 2004 17:46:34 -0700, "Joe"
<anonymous@discussions.microsoft.com> wrote:

>Hello,
>
>I am new to IIS FTP and been enjoying it. But I have not
>yet had the time to understand what to look for in the
>logs as compared to HTTP. I have seen this in the logs
>
>16:18:31 82.83.71.242 [22]USER anonymous 331 0
>16:18:31 82.83.71.242 [22]PASS Tgpuser@home.com 530 1326
>17:53:39 66.237.251.142 [23]USER anonymous 331 0
>17:53:39 66.237.251.142 [23]PASS IEUser@ 530 1326
>17:53:41 66.237.251.142 [24]USER anonymous 331 0
>17:53:41 66.237.251.142 [24]PASS IEUser@ 530 1326
>17:53:49 66.237.251.142 [25]USER SUBMIT 331 0
>17:53:49 66.237.251.142 [25]PASS - 230 0
>
>
>I do not know who this is below. I do not have FTP set
>anonymously. You have to log in. So I don't understand the
>anonymous part or the assuming email address.
>
>16:18:31 82.83.71.242 [22]USER anonymous 331 0
>16:18:31 82.83.71.242 [22]PASS Tgpuser@home.com 530 1326

The 331 response is that the user is Okay, but that doesn't
necessarily mean that the user Anonymous is allowed access. The 530
is Not Logged In, basically meaning the username/password combination
isn't accepted.

>and I cannot tell if they were successful in logging on
>an I get a quick run down on what the numbers mean [25]
>[24]

>and also what is a 200 and a 331 in the FTP side of IIS
>6.0

You can check FTP reply codes at:

http://www.networksorcery.com/enp/protocol/ftp.htm

Jeff

Alun Jones [MSFT]

2004-07-30, 5:51 pm

> From: Paul Lynch <paul.lynch@nospam.com>
>
> As an aside, I've always wondered why the FTP service logs a 331 which
> means "User name okay, need password" when someone attempts to log in
> as Anonymous even if anonymous login is disabled on the server ?!?
>
> Maybe if Alun is reading this he can shed some light on this for us...

It's really a matter of personal choice by the developer of the product.
In the general case, a 331 message should be interpreted as meaning "I am
not going to tell you whether that user name is acceptable until you give
me a password, and I can try and authenticate them both", to avoid people
using the response to the USER command as a means of identifying which user
names are valid.

Some might say that the "anonymous" user is special, and pretty much "known
to exist" (but be potentially disabled), and so it's worth telling the
client early when the user is disabled, others would say that the policy of
authenticating user name and password together should apply at all times.
It's not a security issue, though, because it is the anonymous user, which
is known to be special to FTP.

Alun.
~~~~

Joe

2004-07-30, 5:51 pm

Thanks very very much guys!

Joe
>-----Original Message-----
>On Thu, 29 Jul 2004 17:46:34 -0700, "Joe"
><anonymous@discussions.microsoft.com> wrote:
>
the[vbcol=seagreen]
>
>The 331 response is that the user is Okay, but that
doesn't
>necessarily mean that the user Anonymous is allowed
access. The 530
>is Not Logged In, basically meaning the username/password
combination
>isn't accepted.
>
>
>
>You can check FTP reply codes at:
>
>http://www.networksorcery.com/enp/protocol/ftp.htm
>
>Jeff
>.
>