LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-25-2001, 08:44 PM   #1
franklinlam
LQ Newbie
 
Registered: Apr 2001
Location: The Open University of Hong Kong
Posts: 1

Rep: Reputation: 0

Hi,

Can anyone tell me how to read the following 'secure' log produced by xinetd:

Apr 14 12:49:43 abc xinetd(598): START telnet pid=7057 from =xxx.xxx.xxx.xxx
Apr 14 12:49:44 abc xinetd(7057): USERID: telnet OTHER: root
Apr 14 12:49:52 abc xinetd(598): EXIT: telnet status=1 pid=7057 duration=9(sec)

Q1: Does it mean that a 'root' user of the host 'xxx.xxx.xxx.xxx' telnetted to our host 'abc'? Or does it just mean that someone from the host xxx.xxx.xxx.xxx logged in to our host 'abc' as 'root'?

Q2: What does status=1 mean? (We normally get a status=0 instead of 1).

Q3: Did the login succeed or fail?

Many thanks.

 
Old 04-27-2001, 03:53 AM   #2
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Hi Franklinlam,

Unfortunately you don't have your xinetd.conf file configured correctly, so it's not logging enough info.

Go into your /etc/xinetd.d/telnet file and add the following lines inside the { }:

log_on_success = PID HOST EXIT DURATION
log_on_failure = ATTEMPT HOST RECORD

yours probably currently just says
log_on_failure += USERID

Then next time you'll get more info.
To improve the security add the lines
only_from = 192.1.0.0/24 (i.e. your subnet)
and
no_access = 213.168.23.1 (i.e. the IP of the person who tried to log in)

So answering your questions:

Q1. Someone telnetted to your system from the host IP address in the log.
The server didn't fail to allow access to the port, but it looks like the login was waiting. (Root is what telnetd is running as, not the login name used to log in.)

Q2. Not sure on the status number, but I think it means the person had to send a control break code to exit as a normal exit is status=0

Q3. Access to telnet port success, login cancelled without trying a users ID.

If they did try a few login names then your message logs would have picked it up from the PAM logging.

Hope that answers everything.
/Raz
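An added example (not from either poster) that turns the three-record pattern discussed above into something you can run over a whole log: it correlates xinetd START, USERID and EXIT records by pid, so each telnet session ends up as one object carrying its source address, the ident answer (the USERID line is written by the child process, so the pid in its "xinetd(NNNN)" prefix is the session pid), its exit status and duration, and it collects FAIL records, which is what you get once only_from or no_access denies a source. The sample log below is constructed for the example with RFC 5737 documentation addresses, modelled on the lines quoted in the question; the patterns accept both the "START telnet ... from =x" spelling in the quoted log and the "START: telnet ... from=x" form xinetd normally writes. nonzero_exits() lists the sessions whose child did not exit with status 0, the thing the original question was about.

```python
"""Correlate xinetd START/USERID/EXIT/FAIL records into per-session summaries."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the thread's quoted lines; not real traffic.
# Source addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Apr 14 12:49:43 abc xinetd(598): START telnet pid=7057 from =203.0.113.7
Apr 14 12:49:44 abc xinetd(7057): USERID: telnet OTHER: root
Apr 14 12:49:52 abc xinetd(598): EXIT: telnet status=1 pid=7057 duration=9(sec)
Apr 14 13:02:10 abc xinetd(598): START: telnet pid=7102 from=198.51.100.9
Apr 14 13:05:41 abc xinetd(598): EXIT: telnet status=0 pid=7102 duration=211(sec)
Apr 14 13:07:03 abc xinetd(598): FAIL: telnet address from=192.0.2.44
"""


@dataclass
class Session:
    pid: int
    service: str
    source: str
    started: str
    ident: Optional[str] = None      # RFC 1413 answer from the remote host, if USERID was logged
    status: Optional[int] = None     # child's exit status from the EXIT record
    duration: Optional[int] = None   # seconds, from the EXIT record


# Syslog prefix: "Mon DD HH:MM:SS host xinetd(PID): <rest>".
TS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+xinetd\((?P<logger>\d+)\):\s+(?P<rest>.*)$")
# Both "START telnet ... from =x" (as quoted in the thread) and "START: telnet ... from=x" are accepted.
START_RE = re.compile(r"^START:?\s+(?P<service>\S+)\s+pid=(?P<pid>\d+)\s+from\s*=\s*(?P<src>\S+)")
USERID_RE = re.compile(r"^USERID:\s+(?P<service>\S+)\s+(?P<ident>.+?)\s*$")
EXIT_RE = re.compile(r"^EXIT:?\s+(?P<service>\S+)\s+status=(?P<status>\d+)\s+pid=(?P<pid>\d+)\s+duration=(?P<duration>\d+)")
FAIL_RE = re.compile(r"^FAIL:?\s+(?P<service>\S+)\s+(?P<reason>\S+)\s+from\s*=\s*(?P<src>\S+)")


def parse_xinetd_log(text: str) -> Tuple[Dict[int, Session], List[dict]]:
    """Return (sessions keyed by child pid, list of FAIL records)."""
    sessions: Dict[int, Session] = {}
    failures: List[dict] = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # not an xinetd record
        ts, logger_pid, rest = m.group("ts"), int(m.group("logger")), m.group("rest")
        if s := START_RE.match(rest):
            pid = int(s.group("pid"))
            sessions[pid] = Session(pid, s.group("service"), s.group("src"), ts)
        elif u := USERID_RE.match(rest):
            # USERID is logged by the child itself, so the logger pid is the session pid.
            if logger_pid in sessions:
                sessions[logger_pid].ident = u.group("ident")
        elif e := EXIT_RE.match(rest):
            pid = int(e.group("pid"))
            if pid in sessions:
                sessions[pid].status = int(e.group("status"))
                sessions[pid].duration = int(e.group("duration"))
        elif f := FAIL_RE.match(rest):
            failures.append({"time": ts, "service": f.group("service"),
                             "reason": f.group("reason"), "source": f.group("src")})
    return sessions, failures


def nonzero_exits(sessions: Dict[int, Session]) -> List[int]:
    """pids whose child did not exit with status 0; these deserve a second look."""
    return sorted(pid for pid, s in sessions.items() if s.status not in (None, 0))


if __name__ == "__main__":
    sessions, failures = parse_xinetd_log(SAMPLE_LOG)
    for s in sessions.values():
        print(f"pid={s.pid} {s.service} from {s.source} ident={s.ident!r} "
              f"status={s.status} duration={s.duration}s")
    for f in failures:
        print(f"DENIED {f['service']} from {f['source']} ({f['reason']}) at {f['time']}")
    print("non-zero exits:", nonzero_exits(sessions))
```

The ident value is whatever the remote host's identd chose to answer and is not verified by xinetd, so treat it as a hint about the connecting process rather than as the account used at the login prompt; for that you still need the login/PAM entries in your message log, as the reply above says.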