>Hi Linux people!
>Could any of you tell me exactly what the contents of
>the 'secure' log in /var/log and the 'last' command result are?
/var/log/secure records connections to your machine on ports covered
by TCP wrappers, whether or not the TCP wrappers rules allow them to
actually do anything (if the latter, the log line says "Denied
connection to <...> to <...>").
last, aka wtmp, records successful login attempts and similar events
(various versions of ftpd log the start and end of sessions to wtmp).
I suspect /var/log/<something> will show unsuccessful login
attempts---if not, then you may be cracked (this is hard to tell
without more detailed investigation).
>They don't match.
>In the secure log, I have a lot of 'in.telnetd' connections that have no
>corresponding entry in the 'last' result.
>Do these connections mean that some people tried to log in?
See above, quite possibly. If they failed then their failures will not
appear in wtmp (but appear elsewhere in /var/log).
>Or does it mean that these connections were made on another port than
>the regular telnet port (23)?
Nope, they are trying plain telnet to port 23. This probably indicates
completely klueless script kiddiez (the alternative is a backdoored
version of login). This sort of kiddie is no threat if you use good
quality passwords (i.e. resistant to dictionary attack and knowing the
dog's name, etc).
AFAIK newer versions of RH insist on such passwords, as do many security
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."
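The cross-check the thread describes, connections recorded in /var/log/secure that never turn into a wtmp login, is easy to automate. The script below is an added example and not part of the original post: it parses tcpd-style "connect from" / "refused connect from" lines and `last` output, pairs each login with the closest preceding accepted connection from the same host, and reports the connections left over (likely failed attempts, or sessions the daemon never wrote to wtmp) plus the ones TCP wrappers refused. The sample log lines are constructed to resemble tcpd/syslog and `last` output, the year is an assumption because syslog timestamps carry none, and the regexes may need adjusting for a given system's actual format.

```python
"""Correlate tcpd-style /var/log/secure entries with `last` (wtmp) output.

Added example, not from the original post. The sample lines are constructed
to look like tcpd/syslog and `last` output; real formats may differ, so
adjust SECURE_RE / LAST_RE if your daemons log differently."""
import re
from datetime import datetime, timedelta

YEAR = 1999  # assumed: syslog timestamps carry no year, so one is supplied

# Constructed sample of /var/log/secure (tcpd "connect from" lines).
SECURE_LOG = """\
Dec 10 22:01:03 box in.telnetd[2310]: connect from 192.0.2.5
Dec 10 22:01:40 box in.telnetd[2315]: connect from 192.0.2.5
Dec 10 22:15:12 box in.telnetd[2402]: refused connect from 198.51.100.7
Dec 10 23:05:00 box in.telnetd[2511]: connect from 203.0.113.9
Dec 11 08:30:45 box in.ftpd[3001]: connect from 192.0.2.5
"""

# Constructed sample of `last` output (wtmp) for the same period.
LAST_OUTPUT = """\
alice    pts/0        192.0.2.5        Fri Dec 10 22:02 - 22:40  (00:38)
bob      ftp          192.0.2.5        Sat Dec 11 08:31 - 09:00  (00:29)

wtmp begins Wed Dec  1 00:00:00 1999
"""

SECURE_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<svc>[\w.]+)\[\d+\]: "
    r"(?P<verb>refused connect|connect) from (?P<host>\S+)$")
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+\s+(?P<host>\S+)\s+\w{3} (?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2})")


def parse_secure(text):
    """Return tcpd connection records: dicts with ts, service, host, refused."""
    records = []
    for line in text.splitlines():
        m = SECURE_RE.match(line)
        if not m:
            continue  # unrelated line (other daemons, PAM messages, etc.)
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        records.append({"ts": ts, "service": m["svc"], "host": m["host"],
                        "refused": m["verb"].startswith("refused")})
    return records


def parse_last(text):
    """Return login records (user, host, ts) from `last` output."""
    logins = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("wtmp begins"):
            continue  # blank line or the trailer `last` prints
        m = LAST_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M")
        logins.append({"user": m["user"], "host": m["host"], "ts": ts})
    return logins


def correlate(secure_text, last_text, window=timedelta(minutes=5)):
    """Pair each login with the closest preceding accepted connection from
    the same host; return (unmatched_connections, refused_connections).

    `last` prints minute resolution, so a login can appear up to 59 s
    *earlier* than the connection that produced it; allow that slack."""
    conns = parse_secure(secure_text)
    accepted = [c for c in conns if not c["refused"]]
    refused = [c for c in conns if c["refused"]]
    matched = set()
    for login in parse_last(last_text):
        best = None
        for i, c in enumerate(accepted):
            if i in matched or c["host"] != login["host"]:
                continue
            delta = login["ts"] - c["ts"]
            if timedelta(seconds=-60) <= delta <= window and (
                    best is None or c["ts"] > accepted[best]["ts"]):
                best = i
        if best is not None:
            matched.add(best)  # each wtmp login accounts for one connection
    unmatched = [c for i, c in enumerate(accepted) if i not in matched]
    return unmatched, refused


if __name__ == "__main__":
    unmatched, refused = correlate(SECURE_LOG, LAST_OUTPUT)
    for c in unmatched:
        print(f"{c['ts']} {c['service']} from {c['host']}: no login in wtmp "
              "(failed attempt, or session not recorded by this daemon)")
    for c in refused:
        print(f"{c['ts']} {c['service']} from {c['host']}: refused by TCP wrappers")
```

With the constructed data this flags the 22:01:03 telnet connection from 192.0.2.5 (the second attempt 37 s later became alice's login) and the 23:05 connection from 203.0.113.9, while the 198.51.100.7 connection is listed as refused. A daemon that does not write to wtmp at all would show every connection as unmatched, so check which services on the box actually record sessions before reading the leftovers as failed logins.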