Linux - Security. This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I just checked my /var/log/messages file and found 3 entries reporting IP numbers that I don't know, actually from countries with which I have absolutely no connection:
/var/log/messages.1:Jul 7 16:13:12 myhost stunnel: LOG5[1518:3061617960]: stunnel connected from 91.92.93.94:25564
(Actual numbers changed for this post.)
There doesn't seem to be any record of successful logins from any IP except mine. Just these stunnel entries, besides many stunnel entries attributed to my IP. What do those entries mean?
After checking socket options (SO_KEEPALIVE, TCP_NODELAY right?) Stunnel checks if tcp_wrappers or Identd have objections. If all is OK then the "connected from" message is logged. So IIRC this remote connection was not rejected. If there's any successful connection it should be correlated with log entries of the service Stunnel brokers for.
You two are losing me. I don't quite understand what you mean. I have an SSL tunnel from my notebook to my server for SMTP and POP3. But is that the same stunnel that someone else used? Or did they create another? How? I have a good password, and I use unusual ports for SSH and the SSL tunnel.
Maybe it is just a failed attempt...
Code:
Jul 7 14:26:44 myhost stunnel: LOG5[1512:3083724480]: stunnel 4.17 on i686-pc-linux-gnu with OpenSSL 0.9.8d 28 Sep 2006
Jul 7 14:26:44 myhost stunnel: LOG5[1512:3083724480]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4
Jul 7 14:26:44 myhost stunnel: LOG5[1512:3083724480]: stunnel connected from 91.92.93.94:25564
Jul 7 14:26:57 myhost stunnel: LOG5[1512:3083724480]: Connection closed: 38 bytes sent to SSL, 0 bytes sent to socket
All the strange entries have these very low data traffic numbers, ending in "0 bytes sent to socket". The ones from my legitimate IP have much, much larger numbers.
That would support what anomie said about handshaking: the service didn't send anything back, hence "0 bytes sent to socket". Like I said before, correlating the timestamps across the logs should show that.
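The check suggested in the replies above, pairing each stunnel "connected from" line with its "Connection closed" line, flagging sessions that end with "0 bytes sent to socket", and correlating them against the brokered service's own log, can be scripted. The following is an added example and not code from this thread or from the stunnel project. It assumes that the LOG5[pid:thread] prefix identifies one connection for the life of that connection (so the next "Connection closed" with the same prefix belongs to it), that the two log excerpts are syslog-formatted, and that the service behind the tunnel is a hypothetical pop3d whose log line format is invented here; all sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the stunnel 4.x syslog format shown in the thread.
# Addresses and ids are made up; the 16:02 session stands in for a legitimate client.
SAMPLE_STUNNEL_LOG = """\
Jul  7 14:26:44 myhost stunnel: LOG5[1512:3083724480]: stunnel connected from 91.92.93.94:25564
Jul  7 14:26:57 myhost stunnel: LOG5[1512:3083724480]: Connection closed: 38 bytes sent to SSL, 0 bytes sent to socket
Jul  7 16:02:10 myhost stunnel: LOG5[1512:3083724481]: stunnel connected from 10.0.0.5:51234
Jul  7 16:02:31 myhost stunnel: LOG5[1512:3083724481]: Connection closed: 4120 bytes sent to SSL, 9876 bytes sent to socket
Jul  7 16:13:12 myhost stunnel: LOG5[1518:3061617960]: stunnel connected from 91.92.93.94:25570
Jul  7 16:13:12 myhost stunnel: LOG5[1518:3061617960]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
"""

# Constructed lines from a hypothetical pop3d behind the tunnel (format invented here).
# Only the legitimate 16:02 session produced any service-side activity.
SAMPLE_SERVICE_LOG = """\
Jul  7 16:02:11 myhost pop3d: login from 127.0.0.1 user=alice
Jul  7 16:02:31 myhost pop3d: logout user=alice retr=3 bytes=9800
"""

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
CONNECT_RE = re.compile(
    SYSLOG_TS + r" \S+ stunnel: LOG\d\[(?P<key>[^\]]+)\]: stunnel connected from "
    r"(?P<ip>[\d.]+):(?P<port>\d+)$")
CLOSE_RE = re.compile(
    SYSLOG_TS + r" \S+ stunnel: LOG\d\[(?P<key>[^\]]+)\]: Connection closed: "
    r"(?P<to_ssl>\d+) bytes sent to SSL, (?P<to_socket>\d+) bytes sent to socket$")
SERVICE_RE = re.compile(SYSLOG_TS + r" \S+ (?P<msg>.*)$")


def parse_ts(text):
    """Parse a syslog timestamp (no year); the default year is fine for deltas."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def parse_sessions(log_text):
    """Pair each 'connected from' line with the next 'Connection closed' line that
    carries the same LOG5[pid:thread] key (assumption: that key names one connection)."""
    open_sessions = {}
    sessions = []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            open_sessions[m["key"]] = {
                "ip": m["ip"], "port": int(m["port"]), "key": m["key"],
                "connected_at": parse_ts(m["ts"]), "closed_at": None,
                "to_ssl": None, "to_socket": None, "duration_s": None,
            }
            continue
        m = CLOSE_RE.match(line)
        if m and m["key"] in open_sessions:
            s = open_sessions.pop(m["key"])
            s["closed_at"] = parse_ts(m["ts"])
            s["to_ssl"] = int(m["to_ssl"])
            s["to_socket"] = int(m["to_socket"])
            s["duration_s"] = int((s["closed_at"] - s["connected_at"]).total_seconds())
            sessions.append(s)
    return sessions


def flag_no_reply_sessions(sessions):
    """Sessions where stunnel relayed nothing from the service back to the client
    ('0 bytes sent to socket'): the TLS handshake or the client gave up before any
    application data flowed, the pattern the thread observes for the unknown IPs."""
    return [s for s in sessions if s["to_socket"] == 0]


def summarize_by_ip(sessions):
    """Count total and no-reply sessions per remote address."""
    summary = defaultdict(lambda: {"total": 0, "no_reply": 0})
    for s in sessions:
        summary[s["ip"]]["total"] += 1
        if s["to_socket"] == 0:
            summary[s["ip"]]["no_reply"] += 1
    return dict(summary)


def correlate(sessions, service_log_text):
    """Attach service-side log messages whose timestamp falls inside each tunnel
    session. A session with none never reached the brokered service."""
    events = []
    for line in service_log_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["msg"]))
    for s in sessions:
        s["service_events"] = [msg for ts, msg in events
                               if s["connected_at"] <= ts <= s["closed_at"]]
    return sessions


if __name__ == "__main__":
    for s in correlate(parse_sessions(SAMPLE_STUNNEL_LOG), SAMPLE_SERVICE_LOG):
        print(f"{s['ip']}:{s['port']} {s['duration_s']}s "
              f"to_socket={s['to_socket']} service_events={len(s['service_events'])}")
    print(summarize_by_ip(parse_sessions(SAMPLE_STUNNEL_LOG)))
```

On the sample data the two sessions from 91.92.93.94 close with nothing sent to the socket and have no matching service-side lines, while the 10.0.0.5 session carries traffic in both directions and lines up with a login and logout in the service log. Run against real /var/log/messages and the service's log, the per-IP summary makes repeated no-reply connections from one address stand out from ordinary client use.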