Q: Linux secure log and last

Post by hhena.. » Thu, 13 Jan 2000 04:00:00



Hi Linux people !

Could any of you tell me exactly what the contents of the 'secure' log in
/var/log and the result of the 'last' command are?

They don't match.

In the secure log, I have a lot 'in.telnetd' connections that have no
corresponding entry in the 'last' result.

Do these connections mean that some people tried to log in?

Or does it mean that these connections were made on another port than
the regular telnet port (23)?

Thanks in advance

Henri.


Q: Linux secure log and last

Post by Duncan Simps » Thu, 13 Jan 2000 04:00:00



>Hi Linux people !
>Could anybody of you tell me what are exactly the contents of
>the 'secure' log in /var/log, and the 'last' command result ?

/var/log/secure records connections to your machine on ports covered
by TCP wrappers, whether or not the TCP wrappers rules allow them to
actually do anything (in the latter case the log line says "Denied
connection to <...> to <...>").

last, aka wtmp, records successful login attempts and similar events
(various versions of ftpd log the start and end of sessions to wtmp).
I suspect that /var/log/<something> will show unsuccessful login
attempts---if not then you may be cracked (this is hard to tell
without more detailed investigation).

Quote:>They don't match.
>In the secure log, I have a lot 'in.telnetd' connections that have no
>corresponding entry in the 'last' result.
>Do these connections mean that some people tried to log in ?

See above, quite possibly. If they failed then their failures will not
appear in wtmp (but appear elsewhere in /var/log).

Quote:>Or does it mean that these connections where made on another port than
>the regular telnet port (23) ?

Nope, they are trying plain telnet to port 23. This probably indicates
completely klueless script kiddiez (the alternative is a backdoored
version of login). This sort of kiddie is no threat if you use good
quality passwords (i.e. resistant to dictionary attack and to knowing
the dog's name, etc).

AFAIK newer versions of RH insist on such passwords, as do many security
policies.

Duncan (-:
--
Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."
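The mismatch described in this thread can be checked mechanically: every tcpd "connect from" line in /var/log/secure that no wtmp login from the same host follows within a short window is a connection that never authenticated (a failed password, a banner grab, a scan) or one that tcpd refused outright. The script below is an added example, not code from the thread or from either poster. The log lines in it are constructed; the "connect from" / "refused connect from" wording is what tcpd writes through syslog, and the `last` lines follow the usual wtmp listing layout. The year (neither format records one), the two-minute matching window, and the assumption that the host column of `last` holds the same string as the tcpd line are all assumptions of the example.

```python
"""Correlate tcpd entries in /var/log/secure with `last` (wtmp) output.

Added example, not code from the original thread.  Sample lines are
constructed.  Assumptions: the year (syslog and `last` carry none), a
two-minute window between connect and login, and that `last` shows the
same host string tcpd logged (with DNS enabled it may show a hostname).
"""
import re
from collections import Counter
from datetime import datetime, timedelta

YEAR = 2000  # assumption: neither log format records the year

# tcpd line: "Jan 13 04:01:10 box in.telnetd[812]: connect from 10.1.2.3"
SECURE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"(?P<service>[\w.]+)\[\d+\]: (?P<refused>refused )?connect from (?P<host>\S+)$"
)

# last line: "henri    ttyp0    10.1.2.3   Thu Jan 13 04:15 - 04:40  (00:24)"
# The host column is empty for console logins, so it is optional here.
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?"
    r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) (?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d)"
)

# Constructed sample of /var/log/secure: three telnet connects from one
# host that never log in, one that does, one refused ftp connect, and a
# non-tcpd failure line that the parser must ignore.
SECURE = """\
Jan 13 04:01:10 box in.telnetd[812]: connect from 10.1.2.3
Jan 13 04:01:40 box in.telnetd[815]: connect from 10.1.2.3
Jan 13 04:02:05 box in.telnetd[819]: connect from 10.1.2.3
Jan 13 04:15:33 box in.telnetd[901]: connect from 192.168.7.7
Jan 13 04:16:02 box in.ftpd[905]: refused connect from 192.168.7.7
Jan 13 04:20:00 box login[910]: FAILED LOGIN 1 FROM 10.1.2.3 FOR root
"""

# Constructed sample of `last` output.
LAST = """\
henri    ttyp0        192.168.7.7      Thu Jan 13 04:15 - 04:40  (00:24)
root     tty1                          Thu Jan 13 03:50 - 03:55  (00:05)
reboot   system boot  2.2.14           Wed Jan 12 22:00          (06:40)

wtmp begins Wed Jan 12 22:00:00 2000
"""


def _stamp(mon, day, time_str):
    fmt = "%Y %b %d %H:%M:%S" if time_str.count(":") == 2 else "%Y %b %d %H:%M"
    return datetime.strptime(f"{YEAR} {mon} {day} {time_str}", fmt)


def parse_secure(text):
    """Return tcpd connect events; lines from other daemons are skipped."""
    events = []
    for line in text.splitlines():
        m = SECURE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": _stamp(m["mon"], m["day"], m["time"]),
                       "service": m["service"], "host": m["host"],
                       "refused": m["refused"] is not None})
    return events


def parse_last(text):
    """Return user logins from `last`; reboot/shutdown/trailer lines are skipped."""
    logins = []
    for line in text.splitlines():
        m = LAST_RE.match(line.strip())
        if not m or m["user"] in ("reboot", "shutdown", "wtmp"):
            continue
        logins.append({"user": m["user"], "tty": m["tty"], "host": m["host"],
                       "ts": _stamp(m["mon"], m["day"], m["time"])})
    return logins


def unmatched_connects(events, logins, window=timedelta(minutes=2)):
    """tcpd connects with no wtmp login from the same host inside `window`.

    `last` only has minute precision, so a login recorded at 04:15 may
    belong to a connect logged at 04:15:33; allow the login stamp to sit
    up to one minute before the connect stamp.  Refused connects never
    reach login and so can never be in wtmp."""
    out = []
    for ev in events:
        if ev["refused"]:
            out.append(ev)
            continue
        lo, hi = ev["ts"] - timedelta(minutes=1), ev["ts"] + window
        if not any(lg["host"] == ev["host"] and lo <= lg["ts"] <= hi for lg in logins):
            out.append(ev)
    return out


def summarize(unmatched):
    """Count unmatched connects per (host, service) to spot repeat offenders."""
    return dict(Counter((ev["host"], ev["service"]) for ev in unmatched))


if __name__ == "__main__":
    orphans = unmatched_connects(parse_secure(SECURE), parse_last(LAST))
    for (host, service), n in sorted(summarize(orphans).items()):
        print(f"{host:16} {service:12} {n} connect(s) with no wtmp login")
```

On a real box, feed the script the contents of /var/log/secure and the output of `last`; the host column of `last` is truncated and may show a resolved hostname, so compare against `last -a` (full host) or against the IP that `last -i` prints where those options exist. A host that accumulates many unmatched telnet connects and no login is exactly the pattern Duncan describes: repeated failed attempts, which wtmp will never show.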
