Hi, my web server was brought online 15 days ago. I didn't even revealed its existence to the public, I still work on developping its content.

Now every day, I have 1 or two person trying to get in. They scan ports, they try to get in FTP... of course with a hosts.deny all, allow just me, they get connexion refused.
I'm able to follow their lame attempt by viewing the daemon and apache/Access logs.

I have even some who try to use my email program (exim) to relay emails !!

Is this normal in the wonderful world of webserver (sic !!) to have each day some people that try to get in your server ? Do you experience this also ? How did they get my server IP so fast ?!

Thanks,
Donov

Most of the time port scans are just random attempts by hackers and skript kiddies looking for vulnerable machines to root. Sometimes they are the result of a misconfigured box. I get scanned all the time. Usually it's no big deal if you keep your system secure.

I don't know about the ftp access attempts, but I do know that most service providers (especially the major ones, ie those that that host large bandwidth connections) will every now and then scan your ports and ping your and stuff for their own logs. Our web server here gets about 20 expected intrusions a day because our service provider pages us in different ways to give us reports on our connections, check our security, etc. Talk to your provider and see what they do...

Evil Jeff
www.hellincorporated.com (http://www.hellincorporated.com) (updated tonight!)

Hmm, same thing here. I had it up for about a week or so and some guy decided to hack away. Well, when I was getting like 100 or so guys that tried to hack a day . . . Anyways, I was using a perl script to log their IPs (who knows if they spoofed), but that doesn't do crap. Just try contacting their ISP during a DoS attack . . . <remember to breath> Hehe, seriously though, don't take it personally. Actually, it teaches you security, albeit the hard way. Anyways, good luck on securing that web server of yours.

Yes, usually 5 to 15 a day. I suspect much of this is harmless. It's easy to fat-finger an address, easy to mis-configure things, etc. I am on cable, and we are subjected to much more probing. Many are on 24X7, and it's easy to start incrementing an IP in the address space. When a new exploit script appears, it just gets wild for a couple of weeks.


------------------
ray@raymondjones.net
HTTP://www.raymondjones.net

Well, IP's wouldn;t be spoofed if they are trying to login to a service, .... they wouldn;t get the replies....

I would suggest that people configure their systems securely before they connect it to the net. better still get a firewall up and running first. and monitoring the attempt would be useful.

As for net scans, this isn't necessarily illegal, but I would monitor it, why not send the orignator some ping -r ip address, in response or something,.... better, if it's a nt box, telnet to 138 et al... lol...

In response to ISP's scanning your servers, I would recommend that they notify you that it's going to happen, they would like it if their servers were being scanned!