Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


Old 04-25-2001, 09:44 PM   #1
LQ Newbie
Registered: Apr 2001
Location: The Open University of Hong Kong
Posts: 1



Can anyone tell me how to read the following 'secure' log produced by xinetd:

Apr 14 12:49:43 abc xinetd(598): START telnet pid=7057 from
Apr 14 12:49:44 abc xinetd(7057): USERID: telnet OTHER: root
Apr 14 12:49:52 abc xinetd(598): EXIT: telnet status=1 pid=7057 duration=9(sec)

Q1: Does it mean that a 'root' user of the host '' telnetted to our host 'abc'? Or does it just mean that someone from the host logged in to our host 'abc' as 'root'?

Q2: What does status=1 mean? (We normally get a status=0 instead of 1).

Q3: Did the login succeed or fail?

Many thanks.

Old 04-27-2001, 04:53 AM   #2
Registered: Apr 2001
Location: London
Posts: 408

Hi Franklinlam,

Unfortunately you don't have your xinetd.conf file configured correctly, so it's not logging enough info.

Go into your /etc/xinetd.d/telnet file and add these lines inside the { }:

log_on_success = PID HOST EXIT DURATION
log_on_failure = ATTEMPT HOST RECORD

Yours probably currently just says
log_on_failure += USERID

Then next time you'll get more info.
To improve the security, add the lines
only_from = "i.e your subnet"
no_access = "i.e the IP of that person who tried to login."

So answering your questions:

Q1. Someone telnetted to your system from the Host IP address in the log.
Server didn't fail to allow access to port but looks like login was waiting. (Root is what the telnetd is running and not the login name used to login)

Q2. Not sure on the status number, but I think it means the person had to send a control break code to exit, as a normal exit is status=0.

Q3. Access to telnet port success, login cancelled without trying a user's ID.

If they did try a few login names then your message logs would have picked it up from the PAM logging.

Hope that answers everything.
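
For reading a longer 'secure' log of this kind, the START, USERID and EXIT lines can be paired up by pid. The script below is an added example, not part of either post: the sample lines are constructed (192.0.2.x are documentation addresses standing in for the client IP missing from the excerpt), and the function names `sessions` and `needs_review` are hypothetical.

```python
import re

# Constructed sample. The first three lines follow the thread's excerpt, with
# 192.0.2.10 (a documentation address) standing in for the missing client IP.
SAMPLE = """\
Apr 14 12:49:43 abc xinetd(598): START telnet pid=7057 from 192.0.2.10
Apr 14 12:49:44 abc xinetd(7057): USERID: telnet OTHER: root
Apr 14 12:49:52 abc xinetd(598): EXIT: telnet status=1 pid=7057 duration=9(sec)
Apr 14 13:02:10 abc xinetd[598]: START: telnet pid=7101 from=192.0.2.25
Apr 14 13:05:40 abc xinetd[598]: EXIT: telnet status=0 pid=7101 duration=210(sec)
Apr 14 13:09:01 abc xinetd[598]: START: telnet pid=7150 from=192.0.2.10
"""

# Accepts xinetd(598) and xinetd[598] tags, with or without a colon after START.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sxinetd[\[(](?P<tag_pid>\d+)[\])]:\s"
    r"(?P<event>START|USERID|EXIT):?\s(?P<rest>\S.*)$")

def field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def sessions(log_text):
    """Correlate START / USERID / EXIT lines into one record per service pid."""
    found = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        event, rest = m["event"], m["rest"]
        # In the excerpt the USERID line has the session pid in the xinetd(...)
        # tag, while START and EXIT carry it as pid=.
        pid = m["tag_pid"] if event == "USERID" else field(r"pid=(\d+)", rest)
        if pid is None:
            continue
        s = found.setdefault(pid, dict.fromkeys(
            ("start", "from", "userid", "status", "duration")))
        s["pid"], s["service"] = pid, rest.split()[0]
        if event == "START":
            s["start"], s["from"] = m["ts"], field(r"from[= ](\S+)", rest)
        elif event == "USERID":
            s["userid"] = rest.partition(" ")[2] or None
        else:
            status, dur = field(r"status=(\d+)", rest), field(r"duration=(\d+)", rest)
            s["status"] = int(status) if status else None
            s["duration"] = int(dur) if dur else None
            s["exited"] = True
    return list(found.values())

def needs_review(log_text):
    """Return (pid, client, reason) for sessions that did not exit with status 0."""
    return [(s["pid"], s["from"],
             f"exit status {s['status']}" if s.get("exited") else "no EXIT line logged")
            for s in sessions(log_text) if not s.get("exited") or s["status"] != 0]
```

Calling `needs_review()` on the contents of the secure log lists each session worth a second look together with the client address from its START line.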


