too many smtp in /var/log/secure

amedjones · 03-04-2008, 01:06 PM

hi all
i've been getting alot of smpt logs in my /var/log/secure anyone know what these entry mean?

Mar 4 09:50:26 < my ip > xinetd[19534]: START: smtp pid=12411 from=72.14.220.
158
Mar 4 09:49:36 < my ip > xinetd[19534]: START: smtp pid=12396 from=83.110.15.
135
Mar 4 09:49:24 < my ip > xinetd[19534]: START: smtp pid=12394 from=67.193.82.

i get about a 100 entry every day..seems suspicious..

unSpawn · 03-05-2008, 01:47 AM

Quote:

Originally Posted by amedjones

i've been getting alot of smpt logs in my /var/log/secure anyone know what these entry mean?

I'll counter that with some questions if you don't mind. Research those and you've got the answer:
- What is Xinetd?
- What services does it provide?
- Where are those services configured?
- What per-service logging options are available to you? What can they be configured to log?

Some questions a responsable admin could ask himself whenever auditing service logs:
- Are the IP addressess in the last field of the logs allowed to access the service?
- What per-service access restrictions are available to you?
- Why are you not using TLS or a SSL wrapper like Stunnel?

amedjones · 03-09-2008, 08:26 AM

thanks for the reply,
answers to your question
1) Xinetd managed internet connection activity
2) provides whole bunch of services than can be found on their site http://xinetd.org/#features
3) configuration resides in /etc/xinetd.d

- not sure about service access restriction, how can i found out?

My question is whether its normal to have this many request in my log. Our server does not have a script to generate smtp message. nor are my client sending massive emails every min

thanks

unSpawn · 03-09-2008, 02:13 PM

Quote:

Originally Posted by amedjones

answers to your question

The questions I asked where not meant to educate me about what Xinetd is, they where meant to give *you* insight in *your* setup. Xinetd is a superserver which means it calls other services. Knowing where those services are configured means you can read the config file linked to the service for details on what's logged and how to restrict access to that service. The "bonus" questions wrt auditing should raise questions about the accessability of the service: if those aren't allowed they probably are probing.

Quote:

Originally Posted by amedjones

not sure about service access restriction, how can i found out?

'man xinetd.conf': only_from (or no_access), also see iptables, for instance the recent module.

Quote:

Originally Posted by amedjones

My question is whether its normal to have this many request in my log.

Depends on how well protected your services are: if they are who cares? If they're not then deal with it.