Web Hosting Talk

View Full Version : PortSentry Attack Reports


TheRazor
08-16-2001, 09:22 AM
OK, I just got my new dedicated server online, and every morning I get an email from PortSentry regarding attacks on my server. Since I am new to dedicated servers this is kind of alarming. I contacted my host and basically they informed me that it is normal. I was somewhat at ease because I noticed that for every attack PortSentry reported an "ignore" because the IP was blocked. However, I noticed today that FTP sessions were opened. The IP address in one opening seems to be from Level3 (one of my backbones); however, the other seems to be from ADSL in England.

Here is part of the report (and there is a lot more):

Aug 16 02:17:50 host proftpd[13292]: host (213.8.128.112[213.8.128.112]) - FTP session opened.
Aug 16 02:17:50 host proftpd[13293]: host (213.8.128.112[213.8.128.112]) - FTP session opened.
Aug 16 02:17:50 host proftpd[13294]: host (213.8.128.112[213.8.128.112]) - FTP session opened.
Aug 16 02:17:57 host proftpd[13295]: host (213.8.128.112[213.8.128.112]) - FTP session opened.
Aug 16 02:17:57 host proftpd[13296]: host (213.8.128.112[213.8.128.112]) - FTP session opened.
Aug 16 02:17:57 host proftpd[13297]: 64.156.2.94 (213.8.128.112[213.8.128.112]) - FTP session opened.
Aug 16 02:17:57 host proftpd[13298]: 64.156.2.95 (213.8.128.112[213.8.128.112]) - FTP session opened.
Aug 16 02:17:57 host proftpd[13299]: 64.156.2.96 (213.8.128.112[213.8.128.112]) - FTP session opened.
Aug 16 02:17:57 host proftpd[13300]: 64.156.2.97 (213.8.128.112[213.8.128.112]) - FTP session opened.
Aug 16 02:17:57 host proftpd[13301]: 64.156.2.98 (213.8.128.112[213.8.128.112]) - FTP session opened.
Aug 16 02:17:57 host proftpd[13302]: 64.156.2.99 (213.8.128.112[213.8.128.112]) - FTP session opened.

Are these actually compromises? I know I was not on at those hours. And I noticed the actual blocked attacks are next to nothing now. If they are attacks, what should I do? I really just started transferring accounts, so there really isn't anything on there yet...

shorty
08-16-2001, 01:24 PM
You could try opening a shell and typing

last

It will list all of the successful logins (FTP and shell) to the server.

shorty

Craig
08-16-2001, 10:56 PM
Don't worry about them; it's just (usually) a compromised box scanning for more boxes that could then be rooted.

Don't worry about it, just make sure your server is secure.

All programs up to date etc. :0)

Craig

knipper
08-17-2001, 11:50 AM
That may also be monitoring software your NOC is using to monitor the server. Those are nothing to worry about.

The first part of the "attack alert" message is what to watch. You should see something like:

Jul 25 13:24:07 xxxxx portsentry[571]: attackalert: Connect from host: 209.69.83.214/209.69.83.214 to TCP port: 111
Jul 25 13:24:07 xxxxx portsentry[571]: attackalert: Host 209.69.83.214 has been blocked via wrappers with string: "ALL: 209.69.83.214"
Jul 25 13:24:07 xxxxx portsentry[571]: attackalert: Host 209.69.83.214 has been blocked via dropped route using command: "/sbin/route add -host 209.69.83.214 gw 127.0.0.1"
Jul 25 13:24:07 xxxxx portsentry[571]: attackalert: Connect from host: 209.69.83.214/209.69.83.214 to TCP port: 111
Jul 25 13:24:07 xxxxx portsentry[571]: attackalert: Host: 209.69.83.214 is already blocked. Ignoring

This shows you the IP of the host trying to get at your server, then the blocking entry, then on the remainder of the hits that it is being ignored as it has already been blocked.

Hope this helps :)
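Added example, not part of the original thread or of PortSentry/ProFTPD: a small triage script that parses the two log formats quoted above (the PortSentry "attackalert" connect/blocked/ignored lines from knipper's post and the ProFTPD "FTP session opened" lines from TheRazor's post), tallies them per source IP, and applies the distinction the replies are making. The sample log lines are constructed in those formats and are not real traffic. Two editorial notes the script encodes: PortSentry only trips on ports it has bound itself, i.e. ports no real service listens on, so a connection to a live FTP daemon on port 21 never produces an attack alert or a block; and ProFTPD logs "FTP session opened" when the TCP connection is accepted, before any USER/PASS, so it is not evidence of a login, which is why shorty's `last` (and the FTP daemon's own auth log) is the right next check. In the ProFTPD line layout "<local address> (<remote host>[<remote ip>])", the first field is the server-side address the client connected to; the `ftp_targets` set makes the sweep across the server's consecutive addresses visible.

```python
"""Triage PortSentry attack alerts and ProFTPD session lines by source IP.

Added example, not code from the original thread.  Log formats follow the
lines quoted in the posts; SAMPLE_LOG below is constructed, not real traffic.
"""
import re
from collections import defaultdict

# Constructed sample log modelled on the quoted formats.
SAMPLE_LOG = """\
Jul 25 13:24:07 xxxxx portsentry[571]: attackalert: Connect from host: 209.69.83.214/209.69.83.214 to TCP port: 111
Jul 25 13:24:07 xxxxx portsentry[571]: attackalert: Host 209.69.83.214 has been blocked via wrappers with string: "ALL: 209.69.83.214"
Jul 25 13:24:07 xxxxx portsentry[571]: attackalert: Host 209.69.83.214 has been blocked via dropped route using command: "/sbin/route add -host 209.69.83.214 gw 127.0.0.1"
Jul 25 13:24:07 xxxxx portsentry[571]: attackalert: Connect from host: 209.69.83.214/209.69.83.214 to TCP port: 111
Jul 25 13:24:07 xxxxx portsentry[571]: attackalert: Host: 209.69.83.214 is already blocked. Ignoring
Aug 16 02:17:50 host proftpd[13292]: host (213.8.128.112[213.8.128.112]) - FTP session opened.
Aug 16 02:17:57 host proftpd[13297]: 64.156.2.94 (213.8.128.112[213.8.128.112]) - FTP session opened.
Aug 16 02:17:57 host proftpd[13298]: 64.156.2.95 (213.8.128.112[213.8.128.112]) - FTP session opened.
Aug 16 02:18:01 host proftpd[13297]: 64.156.2.94 (213.8.128.112[213.8.128.112]) - FTP session closed.
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

# "Connect from host: <name>/<ip> to TCP port: <port>"
PS_CONNECT = re.compile(
    r"portsentry\[\d+\]: attackalert: Connect from host: \S+/" + IP +
    r" to (TCP|UDP) port: (\d+)")
# "Host <ip> has been blocked via ..." and "Host: <ip> is already blocked. Ignoring"
PS_BLOCK = re.compile(
    r"portsentry\[\d+\]: attackalert: Host:? " + IP +
    r" (has been blocked|is already blocked)")
# "<local addr> (<remote host>[<remote ip>]) - FTP session opened|closed."
FTP_SESSION = re.compile(
    r"proftpd\[\d+\]: (\S+) \(\S+\[" + IP + r"\]\) - FTP session (opened|closed)\.")


def _new_entry():
    return {"probes": 0, "ports": set(), "blocked": False, "ignored": 0,
            "ftp_opened": 0, "ftp_closed": 0, "ftp_targets": set()}


def summarize(log_text):
    """Return {source_ip: counters} built from PortSentry and ProFTPD lines."""
    report = defaultdict(_new_entry)
    for line in log_text.splitlines():
        m = PS_CONNECT.search(line)
        if m:
            ip, proto, port = m.groups()
            report[ip]["probes"] += 1
            report[ip]["ports"].add(f"{proto}/{port}")
            continue
        m = PS_BLOCK.search(line)
        if m:
            ip, action = m.groups()
            if action == "has been blocked":
                report[ip]["blocked"] = True   # wrappers and route entries both count
            else:
                report[ip]["ignored"] += 1      # repeat hit from an already-blocked host
            continue
        m = FTP_SESSION.search(line)
        if m:
            local, ip, state = m.groups()
            if state == "opened":
                report[ip]["ftp_opened"] += 1
                report[ip]["ftp_targets"].add(local)   # server-side address hit
            else:
                report[ip]["ftp_closed"] += 1
    return dict(report)


def triage(report):
    """Classify each source IP.

    'blocked-probe'   : hit a PortSentry trip-wire port and was blocked; nothing to do.
    'unblocked-probe' : hit a trip-wire port but no block line followed; check the config.
    'ftp-sessions'    : connected to the live FTP service, which PortSentry never
                        blocks; 'FTP session opened' precedes any login, so confirm
                        with `last` and the FTP auth log before calling it a compromise.
    """
    verdicts = {}
    for ip, e in report.items():
        if e["ftp_opened"]:
            verdicts[ip] = "ftp-sessions"
        elif e["probes"] and e["blocked"]:
            verdicts[ip] = "blocked-probe"
        elif e["probes"]:
            verdicts[ip] = "unblocked-probe"
    return verdicts


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for ip, verdict in sorted(triage(rep).items()):
        e = rep[ip]
        print(f"{ip:16} {verdict:16} probes={e['probes']} ports={sorted(e['ports'])} "
              f"ignored={e['ignored']} ftp_opened={e['ftp_opened']} "
              f"targets={sorted(e['ftp_targets'])}")
```

Run it against a real `/var/log/messages` by replacing `SAMPLE_LOG` with the file contents. Any IP that lands in `ftp-sessions` with several distinct `ftp_targets` within a second or two is sweeping the server's address block; that by itself is a scan, not a break-in, and the answer is the same as Craig's: check `last` for logins you did not make and keep the FTP daemon patched.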