Re: Logwatch error or possible crack attempt?

Lorn Miller wrote:
> Logwatch for Sep 22
> <cut>
> 
> vsftpd:
>    Unknown Entries:
>       authentication failure; logname= uid=0 euid=0 tty= ruser=
> rhost=80.141.233.183 : 16 Time(s)
>       check pass; user unknown: 16 Time(s)
> <cut>
> Is there a local process that would do that or did someone try to get
> into my ftp server 16 times?

Patrick Boutilier wrote:
> Somebody from 80.141.233.183 .

[james@howells james]$ whois 80.14.123.183
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Whois secondary server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
 
inetnum:      80.14.123.0 - 80.14.123.255
netname:      IP2000-ADSL-BAS
descr:        BSNAN106 Nantes Bloc1
country:      FR
admin-c:      WITR1-RIPE
tech-c:       WITR1-RIPE
status:       ASSIGNED PA
remarks:      for hacking, spamming or security problems send mail to
remarks:      postmaster@xxxxxxxxxx AND abuse@xxxxxxxxxx
mnt-by:       FT-BRX
changed:      gestionip.ft@xxxxxxxxxxxxxxxxx 20020311
changed:      gestionip.ft@xxxxxxxxxxxxxxxxx 20020708
changed:      gestionip.ft@xxxxxxxxxxxxxxxxx 20030318
source:       RIPE

I've snipped the rest: this is the important bit.

Or:

[james@howells james]$ dig -x 80.14.123.183
 
; <<>> DiG 9.2.3 <<>> -x 80.14.123.183
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30337
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
 
;; QUESTION SECTION:
;183.123.14.80.in-addr.arpa.    IN      PTR
 
;; ANSWER SECTION:
183.123.14.80.in-addr.arpa. 172741 IN   PTR     ANantes-106-1-10-183.w80-14.abo.wanadoo.fr.
 
;; Query time: 33 msec
;; SERVER: 192.168.0.254#53(192.168.0.254)
;; WHEN: Sun Sep 26 09:10:20 2004
;; MSG SIZE  rcvd: 100

Either way, it's someone using ADSL from the Nantes area of France.

If that's all you see, I'd let it be. If you have reason to believe that
they're being determined or a pain in the neck, you *could* try sending
all relevant logs to the abuse address mentioned.

Or just permanently firewall them.

James.
-- 
E-mail address: james | So what would happen if an Enterprise security team,
@westexe.demon.co.uk  | who always get killed soon after appearing, fought a
                      | squad of Imperial Stormtroopers, who can't hit the
                      | broad side of a planet?
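
Added example, not part of the original message: a small Python tally of pam_unix "authentication failure" lines per service and rhost, which separates remote clients (rhost filled in) from local processes (rhost empty) and lists hosts that cross a failure threshold. The log lines are constructed in the old `service(pam_unix)[pid]` syslog style and the function names and threshold are assumptions; only the address 80.141.233.183 comes from the thread.

```python
import re
from collections import Counter

# Constructed sample lines (assumed format); only 80.141.233.183 is from the thread.
SAMPLE_LOG = """\
Sep 22 03:14:05 host vsftpd(pam_unix)[2101]: check pass; user unknown
Sep 22 03:14:05 host vsftpd(pam_unix)[2101]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=80.141.233.183
Sep 22 03:14:09 host vsftpd(pam_unix)[2102]: check pass; user unknown
Sep 22 03:14:09 host vsftpd(pam_unix)[2102]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=80.141.233.183
Sep 22 03:14:12 host vsftpd(pam_unix)[2103]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=80.141.233.183  user=root
Sep 22 08:30:41 host vsftpd(pam_unix)[2250]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.17  user=lorn
Sep 22 09:02:10 host su(pam_unix)[2300]: authentication failure; logname=lorn uid=500 euid=0 tty=pts/1 ruser=lorn rhost=  user=root
Sep 22 09:05:00 host vsftpd(pam_unix)[2310]: session opened for user lorn by (uid=0)
"""

# Service name, then the rhost= field (which may be empty for local logins).
FAIL_RE = re.compile(
    r"\s(?P<service>[\w.-]+)\(pam_unix\)\[\d+\]: authentication failure;"
    r".*?\brhost=(?P<rhost>\S*)"
)


def count_failures(lines):
    """Return a Counter keyed by (service, rhost); an empty rhost is recorded as 'local'."""
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            counts[(m.group("service"), m.group("rhost") or "local")] += 1
    return counts


def repeat_offenders(counts, service="vsftpd", threshold=3):
    """Remote hosts with at least `threshold` failures against `service`, busiest first."""
    hits = [(host, n) for (svc, host), n in counts.items()
            if svc == service and host != "local" and n >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG.splitlines())
    for (svc, host), n in sorted(counts.items()):
        print(f"{svc:8} {host:18} {n}")
    print("over threshold:", repeat_offenders(counts))
```
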


