Detecting FTP intrusion

[packdragon]

I've begun to notice numerous attempts to anonymously connect to FTP servers. I'm new to reading FTP logs... how can I tell if an attempt was successful, and what they did while they were in? I've been searching online for a guide on how to read FTP logs, but haven't found anything useful yet. Here's a sample from one log:

03:43:46 80.135.241.18 [228]USER anonymous 331
03:43:46 80.135.241.18 [228]PASS Cgpuser@home.com 230
03:43:46 80.135.241.18 [228]MKD 030706054342p 550
08:55:03 81.248.119.86 [233]USER anonymous 331
08:55:03 81.248.119.86 [233]PASS Fgpuser@home.com 230
08:55:06 81.248.119.86 [233]MKD 030706105520p 550
16:46:47 80.145.98.49 [237]USER anonymous 331
16:46:47 80.145.98.49 [237]PASS Mgpuser@home.com 230
16:46:49 80.145.98.49 [237]MKD 030706184853p 550

If someone knows of a site where they list what these codes mean I'd be very grateful!

- Zoe, that's ZOH-EEE, get it right please
- Just a little ol' MCP at Solien Technology
-

http://www.solien.com

 

[Agentstarks]

I have the same types of attempts in my ftp logs too. I'm sure they didn't get access, but just tried to connect. I don't think there's anything I can do about these attempts. I just copy their IP and put it on the ban list.

 

[packdragon]

Ok, so how about tips on securing FTP? I read one article that says to make sure that "Allow only anonymous connections" is checked so user/password info isn't sent in clear text. But what if I don't want to allow any anonymous connections? I only want to allow specific users. This seems like a very weird trade-off. But perhaps I am just not understanding how it all works.

Anyone care to explain in detail, or give me a URL for a site where I can read about it myself?

- Zoe, that's ZOH-EEE, get it right please
- Just a little ol' MCP at Solien Technology
-

http://www.solien.com

 

[exklusve]

what are you using for your FTP?
IIS ?

eXklusve