LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 03-04-2008, 02:06 PM   #1
amedjones
LQ Newbie
 
Registered: Mar 2008
Posts: 7

Rep: Reputation: 0
too many smtp in /var/log/secure


hi all
i've been getting alot of smpt logs in my /var/log/secure anyone know what these entry mean?


Mar 4 09:50:26 < my ip > xinetd[19534]: START: smtp pid=12411 from=72.14.220.
158
Mar 4 09:49:36 < my ip > xinetd[19534]: START: smtp pid=12396 from=83.110.15.
135
Mar 4 09:49:24 < my ip > xinetd[19534]: START: smtp pid=12394 from=67.193.82.


i get about a 100 entry every day..seems suspicious..
 
Old 03-05-2008, 02:47 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547
Quote:
Originally Posted by amedjones View Post
i've been getting alot of smpt logs in my /var/log/secure anyone know what these entry mean?
I'll counter that with some questions if you don't mind. Research those and you've got the answer:
- What is Xinetd?
- What services does it provide?
- Where are those services configured?
- What per-service logging options are available to you? What can they be configured to log?

Some questions a responsable admin could ask himself whenever auditing service logs:
- Are the IP addressess in the last field of the logs allowed to access the service?
- What per-service access restrictions are available to you?
- Why are you not using TLS or a SSL wrapper like Stunnel?
 
Old 03-09-2008, 09:26 AM   #3
amedjones
LQ Newbie
 
Registered: Mar 2008
Posts: 7

Original Poster
Rep: Reputation: 0
thanks for the reply,
answers to your question
1) Xinetd managed internet connection activity
2) provides whole bunch of services than can be found on their site http://xinetd.org/#features
3) configuration resides in /etc/xinetd.d


- not sure about service access restriction, how can i found out?

My question is whether its normal to have this many request in my log. Our server does not have a script to generate smtp message. nor are my client sending massive emails every min

thanks
 
Old 03-09-2008, 03:13 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547
Quote:
Originally Posted by amedjones View Post
answers to your question
The questions I asked where not meant to educate me about what Xinetd is, they where meant to give *you* insight in *your* setup. Xinetd is a superserver which means it calls other services. Knowing where those services are configured means you can read the config file linked to the service for details on what's logged and how to restrict access to that service. The "bonus" questions wrt auditing should raise questions about the accessability of the service: if those aren't allowed they probably are probing.


Quote:
Originally Posted by amedjones View Post
not sure about service access restriction, how can i found out?
'man xinetd.conf': only_from (or no_access), also see iptables, for instance the recent module.


Quote:
Originally Posted by amedjones View Post
My question is whether its normal to have this many request in my log.
Depends on how well protected your services are: if they are who cares? If they're not then deal with it.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Debian /var/log/secure nomb Linux - Security 5 11-11-2007 10:22 PM
/var/log/secure ??? MikeFoo1 Linux - Security 2 06-22-2005 04:42 AM
APF and /var/log/secure.1... tilt32 Linux - Security 5 03-28-2005 08:19 AM
/var/log/secure allelopath SUSE / openSUSE 3 02-15-2005 09:56 AM
/var/log/secure dragon Linux - Security 6 12-02-2003 09:45 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:10 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration