FTP
Zevaka, 2011-02-16 21:18:34

Who is knocking on my door?

Gene6 FTP Server 3.10 is installed on my home computer, for my own needs: it is convenient to share files with loved ones without wasting time uploading them to file hosting sites, giving a direct link right away. Or when I need to receive a large file, perhaps in several sittings.
There is not even a domain attached to it; access is via my external IP.

About two weeks ago, incoming connections from a strange IP began to arrive constantly at an interval of five minutes. Here is a piece from the logs:
31ee043db2da49cfc82e4902cde93dcd.png
(I set the ban only symbolically; access to FTP is by logins and passwords anyway. Don't be surprised by my IP, I have a router.)

Could not get IP information:
11e1f17559645738efedf6a2cfa05cbd.png

This address is not routable.

A question for the connoisseurs: what could it be?
Don't be afraid to rub my nose in some elementary facts.

8 answer(s)
justrestless, 2011-02-16
@justrestless

Perhaps a bot indexing FTP files in the provider's local network.
True, it is not clear how it found you, unless by dumb enumeration of IPs.

gjf, 2011-02-16
@gjf

Most likely someone on the local network with you is trying to get into your server :)

Sergey, 2011-02-16
@bondbig

This is a neighbor on the provider / peering network, most likely. Or a spoofed IP. Forget it, there are thousands of bots on the Internet that do just that: scan networks in search of available/vulnerable services. Make the passwords more complex, if you wish add an autoban or an IPS like Snort, and forget about it.

Evgeny Elizarov, 2011-02-16
@KorP

I would assume that it is some kind of local search engine for FTP servers.
I myself see such a thing every 10 minutes; I banned it a long time ago and forgot :)
In general, there are a lot of fools; fail2ban works tirelessly for me :)

Lev Lybin, 2011-02-17
@lybin

Linux, white SP; the logs constantly show unsuccessful authorization attempts, incl. ssh etc. So set up a firewall or a utility that will ban anyone who has failed to log in several times.

Zevaka, 2011-02-16
@Zevaka

Clarification: a few more details from Whois for this IP.
PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED (NET-10-0-0-0-1)
Points to IANA - Internet Assigned Numbers Authority
www.iana.org/
Doesn't look like a local neighbor :)
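
The two ideas that come up in this thread, checking whether a source address falls in an RFC 1918 block and banning a source after repeated failed logins, as an added example that is not part of any post. The `timestamp ip event` log format, the function names and the sample lines are assumptions constructed for illustration; this is not the Gene6 log format.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not Gene6's own).
SAMPLE_LOG = """\
2011-02-16 21:00:01 10.23.4.17 LOGIN_FAILED
2011-02-16 21:05:02 10.23.4.17 LOGIN_FAILED
2011-02-16 21:10:01 10.23.4.17 LOGIN_FAILED
2011-02-16 21:11:40 192.168.1.5 LOGIN_OK
2011-02-16 21:12:10 203.0.113.9 LOGIN_FAILED
2011-02-16 23:30:00 203.0.113.9 LOGIN_FAILED
"""

# The three private blocks reserved by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(ip):
    """Return 'rfc1918' for a private source address, 'other' otherwise."""
    addr = ipaddress.ip_address(ip)
    return "rfc1918" if any(addr in net for net in RFC1918) else "other"

def find_offenders(log_text, max_failures=3, window_minutes=15):
    """Map each IP that reached max_failures failed logins inside the
    sliding window to its address class."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    offenders = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "LOGIN_FAILED":
            continue              # skip blank, malformed and non-failure lines
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        failures = recent[parts[2]]
        failures.append(ts)
        while ts - failures[0] > window:
            failures.popleft()    # drop failures older than the window
        if len(failures) >= max_failures:
            offenders[parts[2]] = classify(parts[2])
    return offenders

if __name__ == "__main__":
    for ip, kind in find_offenders(SAMPLE_LOG).items():
        print(f"ban candidate {ip} ({kind})")
```

A source classified as `rfc1918` cannot have crossed the public Internet with that address, so it sits on the same private segment as the server's WAN side (for example inside the provider's network).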

darkslesh, 2011-02-16
@darkslesh

Most likely these are search engines for open ports. If the IP shows up somewhere in the open, it will be even worse.
I myself noticed a thing: no one had ever really tried to break into a computer. As soon as I registered its IP in one of my registered domain names, constant attempts to connect to the FTP / HTTP / SSH / MySQL ports immediately began. On SSH, 5-10 times a day from a different IP. 2-3 times a day on the MySQL port. Personally, it seems to me that they collect data for hacks. Here, people scan ranges of IP addresses in search of RDP, then check the most popular passwords, then sell the hacked servers openly on the Internet.

Nesp, 2011-02-17
@Nesp

I once set up an open proxy without passwords or anything else on the standard port as an experiment. A day later there were many, many Chinese =)
I turned it off and they kept hammering at it for another two weeks.
