LinuxQuestions.org - Linux - Security
How to read 'secure' log produced by xinetd (https://www.linuxquestions.org/questions/linux-security-4/how-to-read-secure-log-produced-by-xinetd-2087/)

franklinlam 04-25-2001 08:44 PM

Hi,

Can anyone tell me how to read the following 'secure' log produced by xinetd:

Apr 14 12:49:43 abc xinetd(598): START telnet pid=7057 from =xxx.xxx.xxx.xxx
Apr 14 12:49:44 abc xinetd(7057): USERID: telnet OTHER: root
Apr 14 12:49:52 abc xinetd(598): EXIT: telnet status=1 pid=7057 duration=9(sec)

Q1: Does it mean that a 'root' user of the host 'xxxx.xxx.xxx.xxx' telnetted to our host 'abc'? Or does it just mean that someone from the host xxxx.xxx.xxx.xxx logged in to our host 'abc' as 'root'?

Q2: What does status=1 mean? (We normally get a status=0 instead of 1).

Q3: Did the login succeed or fail?

Many thanks.


raz 04-27-2001 03:53 AM

Hi Franklinlam,

Unfortunately you don't have your xinetd.conf file configured correctly, so it's not logging enough info.

Go into your /etc/xinetd.d/telnet file and add these lines inside the { }:

log_on_success = PID HOST EXIT DURATION
log_on_failure = ATTEMPT HOST RECORD

Yours probably currently just says
log_on_failure += USERID

Then next time you'll get more info.
To improve the security add the lines
only_from = 192.1.0.0/24 "i.e. your subnet"
and
no_access = 213.168.23.1 "i.e. the IP of the person who tried to log in."

So answering your questions:

Q1. Someone telnetted to your system from the host IP address in the log.
The server didn't fail to allow access to the port, but it looks like the login was waiting. (Root is what telnetd is running as, not the login name used to log in.)

Q2. Not sure on the status number, but I think it means the person had to send a control-break code to exit, as a normal exit is status=0.

Q3. Access to the telnet port succeeded; login cancelled without trying a user ID.

If they did try a few login names then your message logs would have picked it up from the PAM logging.

Hope that answers everything.
/Raz
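As an added example, not from either poster, the following Python script correlates the three line types shown in the thread (START, USERID, EXIT) into one record per service child, keyed on the child pid that xinetd writes as "pid=" on START/EXIT and in parentheses on the USERID line. The xinetd.conf(5) manual page defines the USERID log option as the user id of the remote user obtained via the RFC 1413 ident protocol, so the text after "USERID: telnet" is the client's own answer about who owns that connection, not an account on the logged host; the script records it as such. The sample log is constructed: the first three lines copy the format pasted above (including the "from =" spacing) with an invented address, and the remaining lines are made up to exercise the parser. The 192.1.0.0/24 allowed network is taken from the only_from suggestion and is an assumption for illustration.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed sample: lines 1-3 mirror the format in the post (address invented),
# lines 4-6 are made up to exercise the parser. Not a real log.
SAMPLE_LOG = """\
Apr 14 12:49:43 abc xinetd(598): START telnet pid=7057 from =10.0.0.5
Apr 14 12:49:44 abc xinetd(7057): USERID: telnet OTHER: root
Apr 14 12:49:52 abc xinetd(598): EXIT: telnet status=1 pid=7057 duration=9(sec)
Apr 14 13:02:10 abc xinetd(598): START: telnet pid=7102 from=192.1.0.7
Apr 14 13:02:11 abc xinetd(7102): USERID: telnet UNIX: alice
Apr 14 13:05:40 abc xinetd(598): EXIT: telnet status=0 pid=7102 duration=210(sec)
"""

# START/EXIT are written by the xinetd parent (its pid in parentheses) and name
# the child as pid=...; USERID is written by the child, so its own pid is in
# the parentheses. Both "START" and "START:" spellings are accepted.
START_RE = re.compile(
    r"xinetd\(\d+\): START:? (?P<svc>\S+) pid=(?P<pid>\d+) from ?= ?(?P<src>\S+)")
USERID_RE = re.compile(
    r"xinetd\((?P<pid>\d+)\): USERID: (?P<svc>\S+) (?P<ident>.+)$")
EXIT_RE = re.compile(
    r"xinetd\(\d+\): EXIT:? (?P<svc>\S+) status=(?P<status>\d+) "
    r"pid=(?P<pid>\d+) duration=(?P<dur>\d+)\(sec\)")


@dataclass
class Session:
    pid: int
    service: str
    src: str                      # remote address from the START line
    ident: Optional[str] = None   # RFC 1413 ident reply from the client (its claim, not a local login)
    status: Optional[int] = None  # exit status of the service process, from EXIT
    duration: Optional[int] = None


def parse_sessions(text: str) -> Dict[int, Session]:
    """Correlate START / USERID / EXIT lines into one record per child pid."""
    sessions: Dict[int, Session] = {}
    for line in text.splitlines():
        m = START_RE.search(line)
        if m:
            pid = int(m["pid"])
            sessions[pid] = Session(pid=pid, service=m["svc"], src=m["src"])
            continue
        m = USERID_RE.search(line)
        if m and int(m["pid"]) in sessions:
            sessions[int(m["pid"])].ident = m["ident"].strip()
            continue
        m = EXIT_RE.search(line)
        if m and int(m["pid"]) in sessions:
            s = sessions[int(m["pid"])]
            s.status, s.duration = int(m["status"]), int(m["dur"])
    return sessions


def review(sessions: Dict[int, Session],
           allowed_net: str = "192.1.0.0/24") -> Dict[int, List[str]]:
    """Flag the things a reviewer looks at first. allowed_net is an assumed
    value mirroring an only_from setting; adjust to the real subnet."""
    net = ip_network(allowed_net)
    findings: Dict[int, List[str]] = {}
    for pid, s in sessions.items():
        notes: List[str] = []
        try:
            if ip_address(s.src) not in net:
                notes.append(f"source {s.src} outside only_from {allowed_net}")
        except ValueError:
            notes.append(f"unparseable source {s.src!r}")
        if s.ident and s.ident.split(":")[-1].strip() == "root":
            notes.append("ident reply claims root on the client (not a login here)")
        if s.status is None:
            notes.append("no EXIT line seen (still open or log truncated)")
        elif s.status != 0:
            notes.append(f"non-zero exit status {s.status}")
        findings[pid] = notes
    return findings


if __name__ == "__main__":
    for pid, notes in review(parse_sessions(SAMPLE_LOG)).items():
        print(pid, notes or ["nothing flagged"])
```

Run it against a real /var/log/secure by reading the file into parse_sessions; whether a login actually succeeded is not in these lines at all, so the EXIT status and duration only tell you how the telnetd child ended, and the PAM/login messages in the messages log remain the place to check for authentication results.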