|
Home > Archive > IIS Server Security > December 2005 > FTP Server Logging
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
FTP Server Logging
|
|
| MikeV06 2005-11-30, 5:54 pm |
| I monitor my router and ftp logs on Server 2003. As would be expected, port
21 packets show up in both. However, I have an instance where the router
shows an incoming and outgoing packet for port 21. However, no entry was
made in the ftp log.
The router shows
Nov 29, 2005 12:25:37.302 UTC - 58.12.31.109 : 62649 >>> 192.168.1.95 :
21 - FTP Scan
Nov 29, 2005 12:25:37.302 UTC - 192.168.1.95 : 21 >>> 58.12.31.109 :
62649
The router would not generate an outgoing packet, hence the packet had to
have been generated by the server by the program listening on port 21
(ftp).
Nothing from that ip address is listed in the ftp log, the http log, the
firewall log, or the event log. I did not have a deny access entry in
directory security for that range of addresses (I do now).
Unless I am missing something, this would suggest that a packet was
processed by the ftp server but not recorded in the ftp log. How is that
possible and how to I correct it?
Thanks.
Mike.
| |
| Jeff Cochran 2005-12-06, 2:53 am |
| On 30 Nov 2005 11:57:01 -0600, MikeV06 <me@privacy.net> wrote:
>I monitor my router and ftp logs on Server 2003. As would be expected, port
>21 packets show up in both. However, I have an instance where the router
>shows an incoming and outgoing packet for port 21. However, no entry was
>made in the ftp log.
>
>The router shows
>
>Nov 29, 2005 12:25:37.302 UTC - 58.12.31.109 : 62649 >>> 192.168.1.95 :
>21 - FTP Scan
>Nov 29, 2005 12:25:37.302 UTC - 192.168.1.95 : 21 >>> 58.12.31.109 :
>62649
>
>The router would not generate an outgoing packet, hence the packet had to
>have been generated by the server by the program listening on port 21
>(ftp).
>
>Nothing from that ip address is listed in the ftp log, the http log, the
>firewall log, or the event log. I did not have a deny access entry in
>directory security for that range of addresses (I do now).
>
>Unless I am missing something, this would suggest that a packet was
>processed by the ftp server but not recorded in the ftp log. How is that
>possible and how to I correct it?
Or it's processed by another program.
Jeff
| |
| MikeV06 2005-12-06, 7:49 am |
| On Tue, 06 Dec 2005 04:49:18 GMT, Jeff Cochran wrote:
> On 30 Nov 2005 11:57:01 -0600, MikeV06 <me@privacy.net> wrote:
>
>
> Or it's processed by another program.
>
> Jeff
I have used netstat -nab and procexp to see what the system is doing and do
not see anything strange. I have not seen the pattern happen again since
the one time.
How could I monitor the port for that activity? I wish I had some of the
Linux tools ... iptables, tcpdump, and so on.
|
|
|
|
|