LinuxQuestions.org
Old 11-30-2003, 09:12 PM   #1
dragon
Member
 
Registered: Feb 2002
Posts: 51

Rep: Reputation: 15
/var/log/secure


I have a Red Hat 9 machine running ssh, samba, apache and vsftpd. I checked my /var/log/secure file and couldn't understand the following line:

Nov 20 10:02:24 dragon xinetd[928]: START: sgi_fam pid=15536 from=<no address>

It appears several times, of course with different pid. Is it a security problem?

Thanks
 
Old 12-01-2003, 12:26 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Nov 20 10:02:24 dragon xinetd[928]: START: sgi_fam pid=15536 from=<no address>
It roughly translates to: "the process named: xinetd (with PID: 928) (issued the command: START) (for xinetd service entry: sgi_fam, running with PID 15536, where the (requesting) address is unknown)"
You probably have a second line in the logs which you didn't post?


Is it a security problem?
To answer this question you should:
I. Check out what the FAM process does and if you need it,
II. Check the superserver's configuration (Xinetd in this case) for the FAM service configuration (/etc/xinetd.d/fam). It is by default restricted to only accept connections from "localhost" aka IP address 127.0.0.1,
III. Check out your /etc/hosts.deny for a line called "ALL: ALL". In cases where you do not need/want to provide services to world, this will be the only uncommented line,
IV. Check out your /etc/hosts.allow, and add the line "sgi_fam: 127.0.0.1" to explicitly allow localhost to access the FAM service,
* If that doesn't fix the problem, possible workarounds are to add a "NOLIBWRAP" flag in /etc/xinetd.d/fam and change "local_only" to "true" in /etc/fam.conf.
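
Added example, not part of the original post: a small triage script that parses xinetd START records like the one quoted above and marks for review any start of a localhost-only service whose from= value is not a loopback address. The LOCAL_ONLY set, the choice not to flag "<no address>" records, and every sample line except the first are assumptions made for illustration.

```python
import ipaddress
import re

# Syslog prefix, then xinetd's "START: <service> pid=<n> from=<addr>" record.
START_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\sxinetd\[(?P<xpid>\d+)\]:\s"
    r"START:\s(?P<service>\S+)\spid=(?P<pid>\d+)\sfrom=(?P<src>.+?)\s*$"
)
# Assumption: services the operator intends to be reachable from localhost only.
LOCAL_ONLY = {"sgi_fam"}

def classify_source(src):
    """Return 'none', 'loopback', 'remote' or 'unparsed' for a from= value."""
    if src == "<no address>":
        return "none"
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "unparsed"
    # Treat IPv4-mapped IPv6 (::ffff:127.0.0.1) as the IPv4 address it wraps.
    addr = getattr(addr, "ipv4_mapped", None) or addr
    return "loopback" if addr.is_loopback else "remote"

def triage(lines, local_only=LOCAL_ONLY):
    """Parse START records; mark local-only services started from elsewhere."""
    findings = []
    for line in lines:
        m = START_RE.match(line)
        if not m:
            continue  # not an xinetd START record
        origin = classify_source(m["src"])
        # Assumption: records with no peer address are reported but not flagged.
        review = m["service"] in local_only and origin in ("remote", "unparsed")
        findings.append({"time": m["ts"], "service": m["service"],
                         "pid": int(m["pid"]), "origin": origin, "review": review})
    return findings

# Constructed sample: only the first line comes from the thread.
SAMPLE = """\
Nov 20 10:02:24 dragon xinetd[928]: START: sgi_fam pid=15536 from=<no address>
Nov 20 10:05:01 dragon xinetd[928]: START: sgi_fam pid=15602 from=127.0.0.1
Nov 20 10:07:43 dragon xinetd[928]: START: sgi_fam pid=15688 from=192.0.2.10
Nov 20 10:09:12 dragon sshd[15701]: Accepted password for dragon from 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
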
 
Old 12-01-2003, 12:58 PM   #3
dragon
Member
 
Registered: Feb 2002
Posts: 51

Original Poster
Rep: Reputation: 15
Thanks a lot. BTW, what does FAM service do normally?
 
Old 12-01-2003, 01:06 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Thanks a lot.
Np.

BTW, what does FAM service do normally?
Here's #1 I asked you to do: Check out what the FAM process does and if you need it. Don't get accused of being "lazy" while the material is right in front of you! (besides *you* should know what's running on *your* box) so please read the manual/man/info page/package description.
 
Old 12-01-2003, 03:50 PM   #5
dragon
Member
 
Registered: Feb 2002
Posts: 51

Original Poster
Rep: Reputation: 15
Thanks again. I checked the time when this happened. It seems that every time I turn on the monitor and bring up the login window, it takes one record. I know xinetd is the login daemon, but don't know what FAM does here.
Where can I find what FAM does for this?
 
Old 12-01-2003, 04:46 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
How about man fam or using your package manager to see details about the fam package?
 
Old 12-02-2003, 09:45 AM   #7
dragon
Member
 
Registered: Feb 2002
Posts: 51

Original Poster
Rep: Reputation: 15
Thanks, buddy. I found I have the sgi_fam service running with xinetd. Every time I log in, I get that message.
Thanks for your help.
 
  

