LinuxQuestions.org
Old 08-28-2003, 05:53 AM   #1
jack101
LQ Newbie
 
Registered: Aug 2003
Posts: 11

Rep: Reputation: 0
Help with Logwatch/Logsentry messages


I have picked out below some typical messages I receive from Logwatch and Logsentry. Do they mean that the access attempt from 64.246.62.35 failed?

From Logwatch:
--- Connections (secure-log) Begin ---
Connections:
Service ftp:
64.246.62.35: 2 Time(s)
--- Connections (secure-log) End ---

From Logsentry:
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Aug 27 02:35:49 plain proftpd[13354]: plain.rackshack.net (64.246.62.35[64.246.62.35]) - FTP session opened.
Aug 27 02:35:49 plain proftpd[13354]: plain.rackshack.net (64.246.62.35[64.246.62.35]) - FTP session closed.
Aug 27 02:43:02 plain proftpd[13357]: plain.rackshack.net (64.246.62.35[64.246.62.35]) - FTP session opened.
Aug 27 02:43:12 plain proftpd[13357]: plain.rackshack.net (64.246.62.35[64.246.62.35]) - FTP session closed.
Aug 27 02:35:49 plain xinetd[3726]: START: ftp pid=13354 from=64.246.62.35
Aug 27 02:43:02 plain xinetd[3726]: START: ftp pid=13357 from=64.246.62.35

I normally get quite a number of this type of message daily, from different IP addresses - is this anything to worry about?

Thanks, Jack.
 
Old 08-28-2003, 06:21 AM   #2
jack101
LQ Newbie
 
Registered: Aug 2003
Posts: 11

Original Poster
Rep: Reputation: 0
Sorry, posted the wrong entries above, the ones I meant to post are below. I wanted to know, for example, whether the following indicated that access from, say 81.56.162.174 definitely failed?
In my post above does it mean that access was definitely successful? If I have a number, or even one of these should I be worried?

From Logwatch:
--- proftpd-messages Begin ---
**Unmatched Entries**
plain.rackshack.net (lns-p19-8-81-56-162-174.adsl.proxad.net[81.56.162.174]) - no such user 'anonymous'
plain.rackshack.net (12-211-55-212.client.attbi.com[12.211.55.212]) - no such user 'anonymous'
--- proftpd-messages End ---
--- Connections (secure-log) Begin ---
Connections:
Service ftp:
12.211.55.212: 1 Time(s)
24.201.60.202: 1 Time(s)
81.56.162.174: 1 Time(s)
203.196.153.232: 1 Time(s)
207.19.101.162: 1 Time(s)
217.81.180.168: 1 Time(s)
--- Connections (secure-log) End ---

From Logsentry:
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=

Aug 26 05:52:07 plain proftpd[12674]: plain.rackshack.net (12-211-55-212.client.attbi.com[12.211.55.212]) - FTP session opened.
Aug 26 05:52:07 plain proftpd[12674]: plain.rackshack.net (12-211-55-212.client.attbi.com[12.211.55.212]) - no such user 'anonymous'
Aug 26 05:52:07 plain proftpd[12674]: plain.rackshack.net (12-211-55-212.client.attbi.com[12.211.55.212]) - FTP session closed.
Aug 26 05:52:07 plain xinetd[3726]: START: ftp pid=12674 from=12.211.55.212
Aug 26 05:52:07 plain proftpd[12674]: plain.rackshack.net (12-211-55-212.client.attbi.com[12.211.55.212]) - USER anonymous: no such user found from 12-211-55-212.client.attbi.com [12.211.55.212] to 66.98.132.90:21
 
Old 09-03-2003, 07:49 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,359
Blog Entries: 55

Rep: Reputation: 3546
I wanted to know, for example, whether the following indicated that access from, say 81.56.162.174 definitely failed?
I agree it's not that clear. I'd say it does say it failed, because you do not allow anonymous access.

If you find remote users bothering you, just block their IP. If you know what IPs/ranges you want to allow FTP traffic from, you could block all access and allow only FTP traffic from those addresses/ranges.
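
An added example, not part of any post in this thread: one way to answer "did that connection actually get in?" is to group the proftpd lines by process ID and look at what each session logged between "session opened" and "session closed". The log lines are copied from posts #1 and #2, except the pid 99999 session, which is constructed; the "Login successful" message text it contains is an assumption about ProFTPD's wording that does not appear in the thread.

```python
import re
from collections import defaultdict

# Lines from posts #1 and #2, plus one constructed session (pid 99999,
# documentation address 192.0.2.10) with an ASSUMED success message.
SAMPLE = """\
Aug 27 02:43:02 plain proftpd[13357]: plain.rackshack.net (64.246.62.35[64.246.62.35]) - FTP session opened.
Aug 27 02:43:12 plain proftpd[13357]: plain.rackshack.net (64.246.62.35[64.246.62.35]) - FTP session closed.
Aug 26 05:52:07 plain proftpd[12674]: plain.rackshack.net (12-211-55-212.client.attbi.com[12.211.55.212]) - FTP session opened.
Aug 26 05:52:07 plain proftpd[12674]: plain.rackshack.net (12-211-55-212.client.attbi.com[12.211.55.212]) - no such user 'anonymous'
Aug 26 05:52:07 plain proftpd[12674]: plain.rackshack.net (12-211-55-212.client.attbi.com[12.211.55.212]) - FTP session closed.
Aug 26 05:52:07 plain xinetd[3726]: START: ftp pid=12674 from=12.211.55.212
Aug 27 03:00:00 plain proftpd[99999]: plain.rackshack.net (host.example[192.0.2.10]) - FTP session opened.
Aug 27 03:00:01 plain proftpd[99999]: plain.rackshack.net (host.example[192.0.2.10]) - USER jack: Login successful.
"""

# proftpd[PID]: servername (rdns[IP]) - message
LINE = re.compile(
    r"proftpd\[(?P<pid>\d+)\]: \S+ \(\S*\[(?P<ip>[\d.]+)\]\) - (?P<msg>.*)$"
)


def classify_sessions(log_text):
    """Return {(pid, ip): verdict} for every proftpd session in log_text."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:  # xinetd and other daemons' lines are skipped
            # Keyed on (pid, ip) because PIDs are reused over time.
            events[(m["pid"], m["ip"])].append(m["msg"])

    verdicts = {}
    for key, msgs in events.items():
        if any("Login successful" in msg for msg in msgs):
            verdicts[key] = "logged in"  # success outranks earlier failures
        elif any("no such user" in msg for msg in msgs):
            verdicts[key] = "login rejected"
        else:
            verdicts[key] = "connected, no login recorded"
    return verdicts


if __name__ == "__main__":
    for (pid, ip), verdict in sorted(classify_sessions(SAMPLE).items()):
        print(f"{ip:16} pid={pid:6} {verdict}")
```

Sessions reported as "logged in" are the ones to review; the other two verdicts cover the connect-and-disconnect and rejected-anonymous cases shown in the posts.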
 
  

