Security: Messages in /var/log/secure

Post by Fred Kuiper » Tue, 25 May 1999 04:00:00



Hi,

    From what I have deduced from scanning through the aforementioned
file, I presume it records all incoming connections.  Am I correct??

    Recorded in this file are several incoming connects to telnetd,
ftpd, imapd, pop3d, fingerd from ip addresses that are unfamiliar (ie, I
don't use computers with these ips).  Should I be concerned about these
connections?? Are these connections intentional or incidental?

    Here are some examples:

imapd[1041]: connect from 24.112.93.239
in.telnetd[1001]: connect from 206.145.135.10
in.telnetd[1001]: connect from 206.145.135.10

    These (contiguous) messages _especially concerned_ me:

May 15 15:14:04 in.fingerd[680]: connect from 24.112.173.186
May 15 15:14:04 in.telnetd[681]: connect from 24.112.173.186
May 15 15:14:04 imapd[682]: connect from 24.112.173.186
May 15 15:14:05 ipop3d[683]: connect from 24.112.173.186
May 15 15:14:05 in.telnetd[684]: connect from 24.112.173.186

    What can I do to get more information about these messages?? What
should I do to ensure none of these causes me a problem??

Any and all help would be appreciated!!

Sorry for _so_ many questions... but this is bugging me...

FJK


Security: Messages in /var/log/secure

Post by Paul Kimo » Tue, 25 May 1999 04:00:00



>    Recorded in this file are several incoming connects to telnetd,
> ftpd, imapd, pop3d, fingerd from ip addresses that are unfamiliar (ie, I
> don't use computers with these ips).  Should I be concerned about these
> connections?? Are these connections intentional or incidental?

>    Here are some examples:

> imapd[1041]: connect from 24.112.93.239
> in.telnetd[1001]: connect from 206.145.135.10
> in.telnetd[1001]: connect from 206.145.135.10

The key question is whether your system is set up to allow these
connections to succeed (usually through the inetd, tcpd, /etc/hosts.*
system).  It may be that you do not even want some of these daemons
to run.  (Is imapd the daemon that had all of those Red Hat 5.0
security problems?)

>    These (contiguous) messages _especially concerned_ me:

> May 15 15:14:04 in.fingerd[680]: connect from 24.112.173.186
> May 15 15:14:04 in.telnetd[681]: connect from 24.112.173.186
> May 15 15:14:04 imapd[682]: connect from 24.112.173.186
> May 15 15:14:05 ipop3d[683]: connect from 24.112.173.186
> May 15 15:14:05 in.telnetd[684]: connect from 24.112.173.186

24.112.173.186 (cr222868-a.ktchnr1.on.wave.home.com) is port-
scanning you, that is, connecting to a range of ports on your
machine, trying to find out what services you have open, possibly
in hopes of opening a breach.
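The pattern Paul points at (one source address touching several different daemons within a second or two) can be picked out of /var/log/secure mechanically rather than by eye. The script below is an added example, not code from the thread; it parses tcp_wrappers "connect from" lines in the format quoted above (an optional syslog hostname field is also accepted), groups them by source address, and reports any source that reached several distinct services inside a short window. The log lines, the assumed year (syslog timestamps carry none), the window length and the service threshold are all constructed choices for the example.

```python
"""Flag source addresses that hit many different services within a short window.

Added example (not from the thread): parses tcp_wrappers style "connect from"
lines as they appear in /var/log/secure and reports sources that touched several
distinct daemons within a few seconds, which is the port-scan pattern described
in the reply above.
"""
import re
from collections import defaultdict
from datetime import datetime

# Sample log lines, constructed for this example (first five are the ones quoted
# in the thread). Syslog timestamps carry no year, so one is assumed below.
SAMPLE_LOG = """\
May 15 15:14:04 in.fingerd[680]: connect from 24.112.173.186
May 15 15:14:04 in.telnetd[681]: connect from 24.112.173.186
May 15 15:14:04 imapd[682]: connect from 24.112.173.186
May 15 15:14:05 ipop3d[683]: connect from 24.112.173.186
May 15 15:14:05 in.telnetd[684]: connect from 24.112.173.186
May 15 18:02:11 in.telnetd[1001]: connect from 206.145.135.10
May 15 18:02:40 in.telnetd[1003]: connect from 206.145.135.10
May 16 09:30:00 imapd[1041]: connect from 24.112.93.239
"""

ASSUMED_YEAR = 1999  # assumption: syslog lines have no year field

# timestamp, optional hostname (real syslog output usually has one), daemon[pid]
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\S+ )?"
    r"(?P<daemon>[\w.]+)\[\d+\]: connect from (?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, daemon, source) for a 'connect from' line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["daemon"], m["src"]


def find_scanners(log_text, window_seconds=10, min_services=3):
    """Return {source: sorted(services)} for every source that reached at least
    min_services distinct daemons within some window_seconds span."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, daemon, src = parsed
            events[src].append((ts, daemon))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best = set()
        start = 0
        # sliding window over this source's events, ordered by time
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            services = {d for _, d in evs[start:end + 1]}
            if len(services) > len(best):
                best = services
        if len(best) >= min_services:
            flagged[src] = sorted(best)
    return flagged


if __name__ == "__main__":
    for src, services in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(services)} services in one window: {', '.join(services)}")
```

Run against the constructed sample it reports only 24.112.173.186, with four services in one window; the two telnet connects from 206.145.135.10 are 29 seconds apart and to a single service, so they are not flagged. The window and threshold are the knobs to tune for a real log, and a source that is flagged is a reason to check the tcp_wrappers rules rather than proof of a break-in.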


Security: Messages in /var/log/secure

Post by Fred Kuiper » Tue, 25 May 1999 04:00:00




> >    Recorded in this file are several incoming connects to telnetd,
> > ftpd, imapd, pop3d, fingerd from ip addresses that are unfamiliar (ie, I
> > don't use computers with these ips).  Should I be concerned about these
> > connections?? Are these connections intentional or incidental?

> >    Here are some examples:

> > imapd[1041]: connect from 24.112.93.239
> > in.telnetd[1001]: connect from 206.145.135.10
> > in.telnetd[1001]: connect from 206.145.135.10

> The key question is whether your system is set up to allow these
> connections to succeed (usually through the inetd, tcpd, /etc/hosts.*
> system).  It may be that you do not even want some of these daemons
> to run.  (Is imapd the daemon that had all of those Red Hat 5.0
> security problems?)

My system is set up to work with _several_ of these services. I personally
telnet and ftp to my machine from work.  Imap is mail and pop3 is mail...
which of these do I need for sendmail to send and receive mail (both internet
and local mail)??  Finger isn't a big deal... I could probably comment it out.

> >    These (contiguous) messages _especially concerned_ me:

> > May 15 15:14:04 in.fingerd[680]: connect from 24.112.173.186
> > May 15 15:14:04 in.telnetd[681]: connect from 24.112.173.186
> > May 15 15:14:04 imapd[682]: connect from 24.112.173.186
> > May 15 15:14:05 ipop3d[683]: connect from 24.112.173.186
> > May 15 15:14:05 in.telnetd[684]: connect from 24.112.173.186

> 24.112.173.186 (cr222868-a.ktchnr1.on.wave.home.com) is port-
> scanning you, that is, connecting to a range of ports on your
> machine, trying to find out what services you have open, possibly
> in hopes of opening a breach.

I'll keep an eye out for this one... >:-|

What is the format of the hosts.* file??

Thanks for the suggestions!!

FK


Security: Messages in /var/log/secure

Post by Paul Kimo » Tue, 25 May 1999 04:00:00



>  Imap is mail and pop3 is mail...
> which of these do I need for sendmail to send and receive mail (both internet
> and local mail)?

If all your mail goes in and out through sendmail, then you need
neither of these other daemons.

> What is the format of the hosts.* file??

It's all documented in the hosts_access(5) man page.


Security: Messages in /var/log/secure

Post by Matthew Baffo » Tue, 25 May 1999 04:00:00



held some poor sysadmin at gun point while typing in the following:
: My system is set up to work with _several_ of these services. I personally
: telnet and ftp to my machine from work.  Imap is mail and pop3 is mail...
: which of these do I need for sendmail to send and receive mail (both internet
: and local mail)??  Finger isn't a big deal... I could probably comment it out.

If you're only using it from work, then only allow connections from work.

Edit /etc/hosts.deny to read something like:

ALL: ALL

And then edit /etc/hosts.allow to read something like:

ALL: xxx.xxx.xxx.

Where xxx.xxx.xxx. is the first 3 bytes of your work IP.

man tcpd
man 5 hosts_access

for more info.

Doing so will limit stuff in incoming telnets, but still leaves non inetd
stuff wide open.

You might want to look into using ipfwadm or ipchains (depending on
kernel version) to control access to other daemons.

: > 24.112.173.186 (cr222868-a.ktchnr1.on.wave.home.com) is port-
: > scanning you, that is, connecting to a range of ports on your
: > machine, trying to find out what services you have open, possibly
: > in hopes of opening a breach.
:
: I'll keep an eye out for this one... >:-|


Lots of script kiddies out to cause nothing but trouble...

: FK

--Matthew
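Matthew's two-file setup relies on the order in which tcp_wrappers consults hosts.allow and hosts.deny, and on the trailing-dot prefix form of the client pattern. The script below is an added example, not code from the thread or from the tcp_wrappers package; it implements only the slice of hosts_access(5) semantics the suggestion depends on (hosts.allow wins on first match, then hosts.deny refuses on first match, and a client matching neither file is allowed; patterns are ALL or a trailing-dot network prefix) and evaluates sample clients against the two files as written above. The rule texts and the 192.0.2. "work" prefix are constructed; EXCEPT lists, netmask forms and hostname patterns from the man page are not implemented.

```python
"""Evaluate tcp_wrappers style hosts.allow / hosts.deny rules for a client.

Added example (not from the thread or the tcp_wrappers source). Covers the
subset of hosts_access(5) that the suggestion above uses: hosts.allow is
consulted first and grants on the first match, hosts.deny is consulted next and
refuses on the first match, and a client matching neither is allowed. Patterns
are ALL or a trailing-dot IP prefix such as "192.0.2.". EXCEPT, netmasks and
hostname patterns are not implemented.
"""

# Constructed rule sets: the two files proposed above, with a sample work prefix.
HOSTS_ALLOW = """\
# constructed example of /etc/hosts.allow
ALL: 192.0.2.
"""

HOSTS_DENY = """\
# constructed example of /etc/hosts.deny
ALL: ALL
"""


def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into a list of (daemons, clients)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def pattern_matches(pattern, value):
    """ALL matches anything; a pattern ending in '.' is an IP prefix match."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        # the trailing dot keeps "192.0.2." from matching 192.0.20.x
        return value.startswith(pattern)
    return pattern == value


def rule_matches(rule, daemon, client):
    daemons, clients = rule
    return (any(pattern_matches(d, daemon) for d in daemons)
            and any(pattern_matches(c, client) for c in clients))


def access_allowed(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Apply hosts.allow first, then hosts.deny; no match in either means allow."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client):
            return True
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client):
            return False
    return True


if __name__ == "__main__":
    for daemon, client in [("in.telnetd", "192.0.2.17"),
                           ("in.telnetd", "24.112.173.186"),
                           ("imapd", "192.0.20.5")]:
        verdict = "allow" if access_allowed(daemon, client) else "deny"
        print(f"{daemon} from {client}: {verdict}")
```

The last probe in the usage block shows why the trailing dot matters: 192.0.20.5 does not match "192.0.2." and is refused by the catch-all in hosts.deny. Passing an empty deny_text shows the other half of the semantics, namely that without "ALL: ALL" in hosts.deny every unmatched client is let through. As Matthew notes, none of this touches daemons that are not started through inetd/tcpd; those need packet filtering.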


Security: Messages in /var/log/secure

Post by Robert Vallian » Tue, 25 May 1999 04:00:00


You might also want to try the Linux Administrators Security Guide at

https://www.seifried.org/redhat-5.x/

--
Robert Valliant
Center for Russia in Asia, University of Hawaii at Manoa
www.hawaii.edu/shaps/russia