Re: Strange logs for connection
François Conza wrote:
> I receive this log by mail from my server but don't understand
> In my /etc/hosts.deny i have :
> --------------------------------------------
>
> ALL:ALL:spawn (safe_finger -l @%h | mail -s %u-%c root) &:banners /usr/local/etc/banners/deny
> portmap: ALL
your portmap: ALL rule will never be reached; the first line makes it
redundant.
> This is a mail from my server:
> --------------------------------------------
>
> [212.184.103.11]
> Login: operator Name: operator
> Directory: /root Shell: /bin/sh
> On since Mon Jan 22 08:56 (CET) on pts/0 from 212.93.151.66
> 41 minutes 26 seconds idle
> No mail.
> No Plan.
>
> --------------------------------------------
>
> What does this mean? Do I have a back door in my server?
> What can I do?
No, this is what safe_finger returned; it's part of the output you asked for
in your hosts.deny. Some fool at 212.184.103.11 has a finger daemon
running; beyond that the information isn't horribly useful, as we don't know
that the finger daemon is telling you the truth. If you ask me, spawning
safe_finger is a waste of time: it provides no trustworthy information and
generally only alerts a would-be attacker to the fact that you have automata
that return a probe when tickled.
If you really want to use tcp_wrappers to notify of abnormal access
attempts I suggest using something more like this:
ALL: ALL: spawn (mail -s "%s access attempt from %h" </dev/null) &
If you don't trust your resolver, you should probably change %h to %a.
> This is an nmap on my server
If you don't need it, don't run it. Try identifying all the processes
which are using those ports using "lsof" and "netstat -taup"; anything you
don't need, you should disable.
--
Jamie Heilman http://audible.transient.net/~jamie/
"It's almost impossible to overestimate the unimportance of most things."
-John Logue
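The two points made above about the hosts.deny file, that the portmap rule is unreachable because tcp_wrappers stops at the first matching rule, and that a spawn action built on safe_finger (or on the resolver-dependent %h) is not worth trusting, can be checked mechanically. The following linter is an added example, not part of the original thread or of tcp_wrappers itself; the sample file contents are the rules quoted in the thread, embedded as constructed strings. It models only the ALL wildcard and literal daemon/client tokens; EXCEPT clauses, netmasks and domain/net prefixes are treated as opaque, so it may miss some shadowing but never reports a false one for those.

```python
"""Lint tcp_wrappers hosts.allow / hosts.deny files (added example, not from the post).

Reports: rules that can never match because an earlier rule in the same file
already covers every daemon and client they list (first match wins); spawn
actions that call safe_finger (the remote finger daemon controls that output);
and spawn actions that rely on %h (hostname from the resolver) instead of %a.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    lineno: int    # first physical line of the rule
    daemons: list  # daemon_list tokens as written
    clients: list  # client_list tokens as written
    options: list  # remaining ':'-separated option fields, raw text


# Split fields on ':' unless the colon is backslash-escaped (hosts_access(5) syntax)
_FIELD_SPLIT = re.compile(r'(?<!\\):')


def _logical_lines(text):
    """Yield (lineno, line) with backslash-newline continuations joined and
    comment/blank lines skipped."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf and (not raw.strip() or raw.lstrip().startswith('#')):
            continue
        if start is None:
            start = n
        stripped = raw.rstrip()
        if stripped.endswith('\\'):   # rule continues on the next line
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, ' '.join(buf).strip()
        buf, start = [], None


def parse_rules(text):
    """Parse file text into Rule objects ('daemon_list : client_list [: option ...]')."""
    rules = []
    for lineno, line in _logical_lines(text):
        fields = [f.strip() for f in _FIELD_SPLIT.split(line)]
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected 'daemon_list : client_list'")
        rules.append(Rule(lineno, fields[0].split(), fields[1].split(), fields[2:]))
    return rules


def _covers(outer, inner):
    """True if every token of `inner` is matched by token list `outer`.
    Only ALL and literal tokens are modelled; EXCEPT makes the answer unknown."""
    outer_u = {t.upper() for t in outer}
    if 'EXCEPT' in outer_u:
        return False
    if 'ALL' in outer_u:
        return True
    return all(t.upper() in outer_u for t in inner)


def shadowed_rules(rules):
    """Return (rule, earlier) pairs where `rule` is unreachable because `earlier`
    already matches everything it could match."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier.daemons, rule.daemons) and _covers(earlier.clients, rule.clients):
                found.append((rule, earlier))
                break
    return found


def lint(text):
    """Run all checks and return a list of human-readable findings."""
    rules = parse_rules(text)
    findings = []
    for rule, earlier in shadowed_rules(rules):
        findings.append(f"line {rule.lineno}: rule is unreachable, line {earlier.lineno} "
                        f"already matches {' '.join(earlier.daemons)}: {' '.join(earlier.clients)}")
    for rule in rules:
        for opt in rule.options:
            if not opt.lower().startswith('spawn'):
                continue
            if 'safe_finger' in opt:
                findings.append(f"line {rule.lineno}: spawn runs safe_finger; the remote finger "
                                "daemon controls that output, so it is not trustworthy")
            if '%h' in opt and '%a' not in opt:
                findings.append(f"line {rule.lineno}: spawn uses %h (resolver-dependent hostname); "
                                "use %a (client address) if the resolver is untrusted")
    return findings


# Constructed samples: the hosts.deny quoted in the thread, and the suggested replacement.
ORIGINAL_HOSTS_DENY = """\
ALL:ALL:spawn (safe_finger -l @%h | mail -s %u-%c root) &:banners /usr/local/etc/banners/deny
portmap: ALL
"""
SUGGESTED_HOSTS_DENY = 'ALL: ALL: spawn (mail -s "%s access attempt from %h" </dev/null) &\n'

if __name__ == '__main__':
    for name, text in (('original', ORIGINAL_HOSTS_DENY), ('suggested', SUGGESTED_HOSTS_DENY)):
        print(f"== {name} ==")
        for finding in lint(text):
            print(' ', finding)
```

Running it on the original file reports the unreachable portmap line plus the two spawn findings; the suggested rule clears the first two and leaves only the %h note, which is exactly the remaining caveat about the resolver.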