LinuxQuestions.org
Latest LQ Deal: Linux Power User Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 03-09-2006, 12:01 AM   #1
ttumelty
LQ Newbie
 
Registered: Apr 2004
Distribution: Slackware & Gentoo & Ubuntu
Posts: 22

Rep: Reputation: 15
security logs


I have a server running slackware 10.2 on the internet for software testing purposes. I suspect hacking the server has at least been attempted.

What log files do I need to use to investigate this ? How can I investigate this further than just viewing log files and possibly reverse searching on the IP address ? I am assuming all log files would be in /var/adm . I have looked at /var/adm/secure.1 and find many entries that say such as this entry :

Mar 4 15:57:49 IBMSERVER in.telnetd[2109]: connect from 200.76.242.22 (200.76.242.22)

Mar 4 15:57:49 IBMSERVER in.telnetd[2110]: connect from 200.76.242.22 (200.76.242.22)

I find it interesting that these entries seem to come in pairs to different ports from the same IP address through out the log.


Also, what does this entry mean in the message log ?

Feb 5 14:21:28 IBMSERVER -- MARK --


Thank You in advance,
Tom
 
Old 03-09-2006, 12:33 AM   #2
shilo
Senior Member
 
Registered: Nov 2002
Location: Stockton, CA
Distribution: Slackware 11 - kernel 2.6.19.1 - Dropline Gnome 2.16.2
Posts: 1,132

Rep: Reputation: 50
Quote:
Originally Posted by ttumelty
I have looked at /var/adm/secure.1 and find many entries that say such as this entry :

Mar 4 15:57:49 IBMSERVER in.telnetd[2109]: connect from 200.76.242.22 (200.76.242.22)

Mar 4 15:57:49 IBMSERVER in.telnetd[2110]: connect from 200.76.242.22 (200.76.242.22)
Open up /etc/inetd.conf. Find a line that looks like this:

Code:
telnet	stream  tcp     nowait  root    /usr/sbin/tcpd	in.telnetd
And make it look like this:

Code:
#telnet	stream  tcp     nowait  root    /usr/sbin/tcpd	in.telnetd
Reboot. Now, if you were using telnet, learn to use ssh instead.


Quote:
Originally Posted by ttumelty
Also, what does this entry mean in the message log ?

Feb 5 14:21:28 IBMSERVER -- MARK --
Rough translation, "Hi, I'm the syslog daemon. I haven't had anything interesting to say in awhile, so I thought I'd let you know that I'm still here, working hard as always."
 
Old 03-09-2006, 12:36 AM   #3
ttumelty
LQ Newbie
 
Registered: Apr 2004
Distribution: Slackware & Gentoo & Ubuntu
Posts: 22

Original Poster
Rep: Reputation: 15
I am using ssh to connect.
 
Old 03-09-2006, 02:46 AM   #4
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 357Reputation: 357Reputation: 357Reputation: 357
Er, alright...

The unauthorized connections are going to telnet, and he described how to shutdown telnet. This has nothing to do with SSH, and won't change it's operation in any way.
 
Old 03-09-2006, 08:28 AM   #5
ttumelty
LQ Newbie
 
Registered: Apr 2004
Distribution: Slackware & Gentoo & Ubuntu
Posts: 22

Original Poster
Rep: Reputation: 15
Ok, telnet was originally enabled, then we decided to use ssh instead. I do not know if telnet port is still open. I will shutdown telnet in that case.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Which logs/commands should be checked to monitor network security & access ginda Linux - Security 1 12-17-2005 02:43 AM
Firefox logs user out? Where are error logs? case1984 Linux - General 0 10-09-2004 03:22 PM
mandrake 10 security logs chil326 Linux - Security 1 09-10-2004 07:25 PM
Separate firewall logs and general logs dominant Linux - General 3 04-20-2004 02:26 AM
Queston about logs, related to security pembo13 Linux - Security 4 09-25-2003 06:16 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 12:44 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration