Hi

I have a server running Redhat linux 2.1, in message logs I can see some one from pedicular domain trying to login to the server. In message file all I can see is the guys domain, username, time, etc but not the IP which he is coming from. how can I find (trace) where this login is coming from ..

Regards

If you mean in active mode (still trying) set up ipchains/iptables logging rules, run tcpdump or use an IDS like Snort. If you mean passive mode then maybe the (failed) login records and services logs hold more details (depending on how much info you log of course). Probing is quite common. In any case you may want to verify the offender didn't try enter through other service(s) and use a blocking application, see http://www.linuxquestions.org/questi...tempts-340366/ for details. If that doesn't help, posting full details on what service(s) this is about, what access controls are in place and whatever info you got on the offender may help us help you better.

Doesn't the domain resolve to the ip address ?

Hi guys thanks for the reply, by the way the name do not resolve to an ip address, thats the problem that we are having.

Best regards

If you are truly being attacked, as in this is not an automated tool of some sort, then the mischievous end user is probably spoofing. More so proven by the lack of name/ip resolution. This is typically the slight of hand trick. Keep you tracking down and looking at something that doesn't really exist while a very quite and concentrated attack is happening elsewhere.

To combat this a very thorough and effective firewall with a solid IDS is usually the best chance you have a finding out what is really happening. Also I am a big fan of port knocking as a heightened measure for admin ports.

Hi guys thanks

Best regards