Chinese hackers? - SCO
-
Chinese hackers?
Several of my customers' syslog files are registering thousands of
entries like:
Jun 11 08:27:18 aa500 ftpd[11458]: failed login from 211.40.52.10
[211.40.52.10]
Jun 11 08:27:29 aa500 last message repeated 4 times
Jun 11 08:27:29 aa500 ftpd[11458]: repeated login failures from
211.40.52.10 [211.40.52.10]
Most (if not all) of these IP addresses lead to
inetnum: 211.40.0.0 - 211.40.255.255
netname: BORANET-NET-211-40
descr: DACOM Corp.
descr: Facility-based Telecommunication Service Provider
descr: providing Internet leased-ine, on-line service, BLL etc.
country: KR
admin-c: DB50-AP
tech-c: DB50-AP
mnt-by: APNIC-HM
mnt-lower: MNT-KRNIC-AP
changed: hm-changed@apnic.net 20021025
status: ALLOCATED PORTABLE
source: APNIC
role: DACOM BORANET
address: DACOM Bldg., 706-1, Yoeksam-dong, Kangnam-ku
address: Seoul
country: KR
Anybody else getting the same ?
--
Ygnacio Moreno.
Please remove TheObvious from my email address to respond.
-
Re: Chinese hackers?
On Jun 11, 1:46 pm, Y Moreno wrote:
> Several of my customers' syslog files are registering thousands of
> entries like:
>
> Jun 11 08:27:18 aa500 ftpd[11458]: failed login from 211.40.52.10
> [211.40.52.10]
> Jun 11 08:27:29 aa500 last message repeated 4 times
> Jun 11 08:27:29 aa500 ftpd[11458]: repeated login failures from
> 211.40.52.10 [211.40.52.10]
>
> Most (if not all) of these IP addresses lead to
>
> inetnum: 211.40.0.0 - 211.40.255.255
> netname: BORANET-NET-211-40
> descr: DACOM Corp.
> descr: Facility-based Telecommunication Service Provider
> descr: providing Internet leased-ine, on-line service, BLL etc.
> country: KR
> admin-c: DB50-AP
> tech-c: DB50-AP
> mnt-by: APNIC-HM
> mnt-lower: MNT-KRNIC-AP
> changed: hm-chan...@apnic.net 20021025
> status: ALLOCATED PORTABLE
> source: APNIC
>
> role: DACOM BORANET
> address: DACOM Bldg., 706-1, Yoeksam-dong, Kangnam-ku
> address: Seoul
> country: KR
>
> Anybody else getting the same ?
>
> --
>
> Ygnacio Moreno.
>
> Please remove TheObvious from my email address to respond.
Anyone who runs any service exposed to the Internet gets lots of
interest. Sounds like your customers really, really need to harden
their systems and networks. Do they really need to accept FTP
connections from everywhere?
BTW, AFAIK China has not and has no immediate plans to annex Seoul,
Korea.
--RLR
-
Re: Chinese hackers?
ThreeStar wrote:
> On Jun 11, 1:46 pm, Y Moreno wrote:
>> Several of my customers' syslog files are registering thousands of
>> entries like:
>>
>> Jun 11 08:27:18 aa500 ftpd[11458]: failed login from 211.40.52.10
>> [211.40.52.10]
>> Jun 11 08:27:29 aa500 last message repeated 4 times
>> Jun 11 08:27:29 aa500 ftpd[11458]: repeated login failures from
>> 211.40.52.10 [211.40.52.10]
>>
>> Most (if not all) of these IP addresses lead to
>>
>> inetnum: 211.40.0.0 - 211.40.255.255
>> netname: BORANET-NET-211-40
>> descr: DACOM Corp.
>> descr: Facility-based Telecommunication Service Provider
>> descr: providing Internet leased-ine, on-line service, BLL etc.
>> country: KR
>> admin-c: DB50-AP
>> tech-c: DB50-AP
>> mnt-by: APNIC-HM
>> mnt-lower: MNT-KRNIC-AP
>> changed: hm-chan...@apnic.net 20021025
>> status: ALLOCATED PORTABLE
>> source: APNIC
>>
>> role: DACOM BORANET
>> address: DACOM Bldg., 706-1, Yoeksam-dong, Kangnam-ku
>> address: Seoul
>> country: KR
>>
>> Anybody else getting the same ?
>>
>> --
>>
>> Ygnacio Moreno.
>>
>> Please remove TheObvious from my email address to respond.
>
> Anyone who runs any service exposed to the Internet gets lots of
> interest. Sounds like your customers really, really need to harden
> their systems and networks. Do they really need to accept FTP
> connections from everywhere?
>
They don't; that's why the logins failed. Then again, are you suggesting
filtering IP addresses for FTP?
> BTW, AFAIK China has not and has no immediate plans to annex Seoul,
> Korea.
Says you
>
> --RLR
>
Thanks for your answer.
--
Ygnacio Moreno.
Please remove TheObvious from my email address to respond.
-
Re: Chinese hackers?
In article ,
Y Moreno wrote:
>Several of my customers' syslog files are registering thousands of
>entries like:
>
>Jun 11 08:27:18 aa500 ftpd[11458]: failed login from 211.40.52.10
>[211.40.52.10]
>Jun 11 08:27:29 aa500 last message repeated 4 times
>Jun 11 08:27:29 aa500 ftpd[11458]: repeated login failures from
>211.40.52.10 [211.40.52.10]
>
>Most (if not all) of these IP addresses lead to
>
>inetnum: 211.40.0.0 - 211.40.255.255
>netname: BORANET-NET-211-40
>descr: DACOM Corp.
>descr: Facility-based Telecommunication Service Provider
>descr: providing Internet leased-ine, on-line service, BLL etc.
>country: KR
>admin-c: DB50-AP
>tech-c: DB50-AP
>mnt-by: APNIC-HM
>mnt-lower: MNT-KRNIC-AP
>changed: hm-changed@apnic.net 20021025
>status: ALLOCATED PORTABLE
>source: APNIC
>
>role: DACOM BORANET
>address: DACOM Bldg., 706-1, Yoeksam-dong, Kangnam-ku
>address: Seoul
>country: KR
>
>Anybody else getting the same ?
>
>--
>
>Ygnacio Moreno.
>
>Please remove TheObvious from my email address to respond.
In my server log files - directly connected to a tier-1 backbone -
I've seen as high as 20,000+ attempts on some days. I have 100Mbit
links into a 40GB backbone - so things can come in quite fast
and rather furiously.
They come from all over - with most from Asian countries but also
with a large amount from some European places.
On my FreeBSD servers I run 'denyhosts' which tracks the logs and
adds the IPs to a list of IPs to refuse.
It's just part of today's internet. Make sure your customers'
machines are hardened and make sure they are behind some firewall.
Bill
--
Bill Vermillion - bv @ wjv . com
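A denyhosts-style pass over ftpd lines like the ones quoted in this thread, written as an added example for the thread and not taken from denyhosts, SCO, or any of the posters. The sample log is constructed: the 211.40.52.10 lines are the ones Ygnacio posted (joined back onto single lines), the rest are made up to exercise the parser. The lockout threshold of 3, the /16 aggregation (chosen because the whois inetnum in the thread is 211.40.0.0 - 211.40.255.255), and the tcp_wrappers daemon name `ftpd` in the hosts.deny lines are all assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample log. The 211.40.52.10 lines mirror the thread;
# the others are invented (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Jun 11 08:27:18 aa500 ftpd[11458]: failed login from 211.40.52.10 [211.40.52.10]
Jun 11 08:27:29 aa500 last message repeated 4 times
Jun 11 08:27:29 aa500 ftpd[11458]: repeated login failures from 211.40.52.10 [211.40.52.10]
Jun 11 08:30:02 aa500 ftpd[11470]: failed login from 211.40.77.3 [211.40.77.3]
Jun 11 08:30:05 aa500 last message repeated 2 times
Jun 11 08:31:40 aa500 ftpd[11481]: failed login from 192.0.2.44 [192.0.2.44]
Jun 11 08:32:00 aa500 sshd[11490]: Failed password for root from 192.0.2.44
Jun 11 08:33:10 aa500 ftpd[11495]: FTP LOGIN FROM 198.51.100.7 [198.51.100.7], alice
"""

# Classic BSD syslog prefix: "Mon dd hh:mm:ss host ".
SYSLOG_PREFIX = r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) "
FAILED_RE = re.compile(SYSLOG_PREFIX + r"ftpd\[\d+\]: failed login from \S+ \[(?P<ip>[\d.]+)\]")
REPEATED_RE = re.compile(SYSLOG_PREFIX + r"last message repeated (?P<n>\d+) times?")
LOCKOUT_RE = re.compile(SYSLOG_PREFIX + r"ftpd\[\d+\]: repeated login failures from \S+ \[(?P<ip>[\d.]+)\]")


def count_failures(log_text):
    """Return (Counter of ip -> failed logins, set of ips ftpd itself cut off).

    syslogd collapses consecutive identical lines into
    "last message repeated N times", so a repeat line adds N to the
    "failed login" line that immediately preceded it. Any other line
    (including ftpd's own "repeated login failures" summary, which is
    a disconnect notice rather than N more attempts) clears that context
    so repeats are never credited to the wrong message.
    """
    counts = Counter()
    cut_off = set()
    last_ip = None  # source of the most recent "failed login" line, if any
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            counts[m["ip"]] += 1
            last_ip = m["ip"]
            continue
        m = REPEATED_RE.match(line)
        if m and last_ip is not None:
            counts[last_ip] += int(m["n"])
            last_ip = None
            continue
        m = LOCKOUT_RE.match(line)
        if m:
            cut_off.add(m["ip"])
        last_ip = None
    return counts, cut_off


def deny_list(counts, threshold=3):
    """IPs at or above the assumed threshold, sorted for a stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def aggregate_by_prefix(counts, prefixlen=16):
    """Roll per-IP counts up to a prefix, e.g. /16 to match the whois inetnum."""
    agg = Counter()
    for ip, n in counts.items():
        agg[str(ip_network(f"{ip}/{prefixlen}", strict=False))] += n
    return dict(agg)


def hosts_deny_lines(ips, daemon="ftpd"):
    """tcp_wrappers hosts.deny entries; daemon name is an assumption."""
    return [f"{daemon}: {ip}" for ip in ips]


if __name__ == "__main__":
    counts, cut_off = count_failures(SAMPLE_LOG)
    print("failed logins per source:", dict(counts))
    print("sources ftpd disconnected:", sorted(cut_off))
    print("per /16:", aggregate_by_prefix(counts))
    print("\n".join(hosts_deny_lines(deny_list(counts))))
```

Run against the sample, 211.40.52.10 scores 5 (one logged line plus four collapsed repeats) and 211.40.77.3 scores 3, so both land in the deny list, while 192.0.2.44 stays at 1 because the sshd line between its attempts breaks the repeat context and is not an ftpd failure. Whether hosts.deny entries actually take effect depends on ftpd being started through tcp_wrappers (or linked against libwrap) on the system in question; on a host where it is not, the same list can feed a firewall rule instead.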