Code: Select all
My FTP server is exposed to the outside world, so I get occasional
(always unsuccessful) user/password-guessing break-in attempts, which I
normally report to the relevant ISP. Today's attack seems to have come
from an ISP which uses carrier-grade NAT, so the source IP address does
not uniquely identify the attacker; the source _port_ number would also
be needed to do that. The ISP asked for that info, but I don't have it.
So far as I can tell, there's currently no way to get that datum into
the FTP server log. I have TCPIP$FTP_SERVER_LOG_CLIENT_BY_ADDRESS
defined, but we seem to need something like
TCPIP$FTP_SERVER_LOG_CLIENT_PORT. I'd guess that that would change a
log entry like:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 191.5.227.87 at 2-NOV-2023 06:44:34.36
to, say:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 191.5.227.87:12345 at 2-NOV-2023 06:44:34.36
Presumably, the info for the control connection would be appropriate
and adequate for the active or passive cases.
I assume that the TCPIP FTP server dates back to a time before
carrier-grade NAT became common, so the IP address alone would have been
adequate. This is the first time I've run into anyone who cares. I
know nothing about administering carrier-grade NAT, but I can see why
the port number could be useful info.
ITS $ tcpip show vers
HP TCP/IP Services for OpenVMS Industry Standard 64 Version V5.7 - ECO 5
on an HP rx2600 (1.50GHz/6.0MB) running OpenVMS V8.4-2L3
But I didn't see anything relevant in the 6.0 Management manual.