Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have a server running Redhat linux 2.1. In the message logs I can see someone from a particular domain trying to log in to the server. In the message file all I can see is the guy's domain, username, time, etc., but not the IP he is coming from. How can I find (trace) where this login is coming from?
If you mean in active mode (still trying), set up ipchains/iptables logging rules, run tcpdump or use an IDS like Snort. If you mean passive mode, then maybe the (failed) login records and service logs hold more details (depending on how much info you log, of course). Probing is quite common. In any case you may want to verify the offender didn't try to enter through other service(s) and use a blocking application; see http://www.linuxquestions.org/questi...tempts-340366/ for details. If that doesn't help, posting full details on what service(s) this is about, what access controls are in place and whatever info you have on the offender may help us help you better.
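As an added example (not code from the thread), here is the "passive mode" check from the reply above: pull the failed-login records out of a syslog-style message file, count attempts per source, and flag sources the log recorded only by hostname, since those are the ones where the address still has to come from firewall LOG rules, tcpdump or an IDS. The sample lines are constructed; the sshd and login message formats are the standard OpenSSH and util-linux ones.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the original post). sshd records the
# peer address; the classic login(1) record only carries a hostname.
SAMPLE_LOG = """\
Mar  3 02:11:07 box sshd[2231]: Failed password for root from 203.0.113.9 port 4411 ssh2
Mar  3 02:11:12 box sshd[2233]: Failed password for invalid user admin from 203.0.113.9 port 4417 ssh2
Mar  3 02:14:40 box login[2250]: FAILED LOGIN 1 FROM host.example.net FOR bob, Authentication failure
Mar  3 02:14:45 box login[2250]: FAILED LOGIN 2 FROM host.example.net FOR bob, Authentication failure
Mar  3 02:20:01 box sshd[2260]: Accepted password for alice from 198.51.100.7 port 5000 ssh2
"""

SSHD_FAILED = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
LOGIN_FAILED = re.compile(
    r"login\[\d+\]: FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>[^,\s]+)"
)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_failed_logins(text):
    """Return (source, user, kind) per failed login; kind is 'ip' when the
    log holds a literal address and 'name' when it holds only a hostname."""
    hits = []
    for line in text.splitlines():
        m = SSHD_FAILED.search(line) or LOGIN_FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        src = m.group("src")
        hits.append((src, m.group("user"), "ip" if IPV4.match(src) else "name"))
    return hits


def summarize(text):
    """Count failed attempts per source, collect the usernames tried, and
    return the set of sources for which no address was logged."""
    per_source, users, name_only = Counter(), defaultdict(set), set()
    for src, user, kind in parse_failed_logins(text):
        per_source[src] += 1
        users[src].add(user)
        if kind == "name":
            name_only.add(src)
    return per_source, users, name_only


if __name__ == "__main__":
    counts, users, name_only = summarize(SAMPLE_LOG)
    for src, n in counts.most_common():
        note = " (hostname only: get the IP from iptables LOG/tcpdump)" if src in name_only else ""
        print(f"{src}: {n} failed attempts, users {sorted(users[src])}{note}")
```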
If you are truly being attacked, as in this is not an automated tool of some sort, then the mischievous end user is probably spoofing. This is made more likely by the lack of name/IP resolution. This is typically the sleight of hand trick: it keeps you tracking down and looking at something that doesn't really exist while a very quiet and concentrated attack is happening elsewhere.
To combat this, a very thorough and effective firewall with a solid IDS is usually the best chance you have of finding out what is really happening. Also, I am a big fan of port knocking as a heightened measure for admin ports.