Linux - Networking: This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
02-26-2002, 03:59 PM
|
#1
|
Member
Registered: Jan 2002
Location: Dallas, TX
Distribution: RedHat 7.0 - Kernel 2.4.17
Posts: 95
Rep:
|
Someone Trying?
OK, I've been looking at my log files and someone is trying to break into my system. This is what I see:
/var/log/messages
xinetd[536]: refused connect from 217.x.x.x <-- I get several of these messages from this IP. I tried to do an nslookup but I can't find anything back. I tried to ftp or telnet, but I think it's from a Windows machine.
/var/log/secure
xinetd[534]: FAIL: ftp libwrap from=217.x.x.x
in.ftpd[11707]: refused connect from 217.x.x.x
What can I do to keep this guy out? What is he trying to do? What does "FAIL: ftp libwrap" mean?
Please help!!!

|
|
|
02-26-2002, 04:26 PM
|
#2
|
LQ Guru
Registered: Jan 2001
Posts: 24,149
|
Seems as if someone is trying to telnet or ftp into your IP; might just have the wrong IP.
Unless he has a user name and account, he won't get in. You could set up your iptables or ipchains to refuse connections altogether from that IP. That would work.
|
|
|
02-26-2002, 04:28 PM
|
#3
|
LQ Guru
Registered: Aug 2001
Location: Dublin, Ireland
Distribution: Slackware
Posts: 5,700
Rep:
|
If he shows up against multiple daemons, it's probably just a portscan of sorts. One of the easiest ways to block someone off is to stick their fully qualified hostname (or, I'm certain, the IP will work) in /etc/hosts.deny, that's if your machine is set up to use this cute little feature of inetd, which is pretty much every distro release since RedHat hit the 6's. This may not help much as most of the world runs off of dynamic IPs, so his would change.
If you're really curious about him, you may wish to install and use nmap to figure out what OS he is running, what ports he has open, blah blah blah which is probably just what he did to you.
You may also want to post this instead in the security forum as most of the regulars there don't often wander over here into Networking, and I really don't know dink about security.
Luck,
Finegan
|
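Added example, not written by any poster in this thread: a small Python tally of the two log-line shapes quoted in the first post, flagging sources that were denied on more than one service (the multi-daemon pattern post #3 describes) and producing candidate /etc/hosts.deny entries. The log lines, the documentation-range addresses and the two-service threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape quoted in the first post; the
# addresses come from documentation ranges, not from the thread.
SAMPLE_LOG = """\
Feb 26 15:40:01 host xinetd[534]: FAIL: ftp libwrap from=203.0.113.7
Feb 26 15:40:01 host in.ftpd[11707]: refused connect from 203.0.113.7
Feb 26 15:40:03 host xinetd[534]: FAIL: telnet libwrap from=203.0.113.7
Feb 26 15:40:03 host xinetd[536]: refused connect from 203.0.113.7
Feb 26 15:52:10 host xinetd[534]: FAIL: ftp libwrap from=198.51.100.20
Feb 26 15:52:10 host in.ftpd[11712]: refused connect from 198.51.100.20
Feb 26 16:01:44 host sshd[11800]: Accepted password for alice from 192.0.2.10 port 1022
"""

FAIL_RE = re.compile(r"xinetd\[\d+\]: FAIL: (\S+) libwrap from=(\S+)")
REFUSED_RE = re.compile(r"(\S+)\[\d+\]: refused connect from (\S+)")

def summarize(log_text):
    """Return {source: {"services": set, "refused": int}} for wrapper denials."""
    stats = defaultdict(lambda: {"services": set(), "refused": 0})
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:  # xinetd names the service that failed the libwrap check
            stats[m.group(2)]["services"].add(m.group(1))
            continue
        m = REFUSED_RE.search(line)
        if m:  # "refused connect" lines only count attempts
            stats[m.group(2)]["refused"] += 1
    return dict(stats)

def likely_scanners(stats, min_services=2):
    """Sources denied on several services (threshold is an assumption)."""
    return sorted(s for s, v in stats.items() if len(v["services"]) >= min_services)

def hosts_deny_lines(sources):
    """Candidate /etc/hosts.deny entries in daemon_list : client_list form."""
    return [f"ALL: {s}" for s in sources]

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for src, v in sorted(stats.items()):
        print(src, sorted(v["services"]), "refused:", v["refused"])
    print("\n".join(hosts_deny_lines(likely_scanners(stats))))
```

Point `summarize` at the contents of /var/log/secure and /var/log/messages to run it on real data; review the candidate entries before adding them, since a dynamic address may later belong to someone else.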
|
|
02-26-2002, 04:34 PM
|
#4
|
Member
Registered: Jan 2002
Location: Dallas, TX
Distribution: RedHat 7.0 - Kernel 2.4.17
Posts: 95
Original Poster
Rep:
|
Thanks
Well, the good thing is that I have tcpwrappers; I do have a hosts.allow and a hosts.deny. I only allow myself to ssh from my office, but you never know what someone is trying to do. I thought I had clicked on the security forum but I guess I didn't click carefully enough. Sorry. Should I tell the moderator to put it in the security one? And thanks for the info!

|
|
|
02-26-2002, 04:49 PM
|
#5
|
LQ Guru
Registered: Aug 2001
Location: Dublin, Ireland
Distribution: Slackware
Posts: 5,700
Rep:
|
I just checked and realized that UnSpawn, who has probably forgotten more about security than I would ever care to learn, moderates this forum now too... he'll probably post in reply to this sometime shortly with some better advice, or you could ask him to re-locate the thread, or you could mail him directly about your query of course... but I'd suggest the middle route as it will keep the discussion in an open forum that people could search through later.
Double posting here is considered really improper, I feel silly now for having suggested it, thank you for politely pointing out my error.
Also, searching by "attempted and hack" through the archives brought back a ton.
Cheers,
Finegan
|
|
|
All times are GMT -5. The time now is 11:01 PM.