
Re: refused connect from 'unknown'



Pere Camps <pere@casal.upc.es> writes:

> Hi!
> 
> 	Can somebody explain to me what this is?
> 
> Dec  7 13:52:11 casal in.telnetd[27798]: warning: can't get client address: No route to host
> Dec  7 13:52:12 casal in.telnetd[27798]: refused connect from unknown
> 
> 	If my machine has a telnet request, then my machine knows the IP
> (at least) of the machine which requests it, no?

No - not if the person connecting disconnects almost instantly; what
can happen is that if the person in question opens and then closes a
connection almost instantly, the connection goes to inetd, which
accepts it, but before tcpd (which is what inetd hands telnet
connections off to, and which is the program generating these log
messages) gets the connection and finds out who's on the other end,
the connection is closed, and tcpd is left without a clue, hence the
confusing error messages.

This is usually done as part of a port scan - testing to see which
ports are accessible on your machine.  There ought to be an option to
inetd to log all TCP connections before passing them off to something
else to handle, but I can see how that could get to be a hassle on a
busy machine.

On the other hand, services which are not run from inetd - for
example, Apache on most machines - will know where this connection was
coming from, and many port scans hit port 80 as well as port 23.

I seem to remember some program that monitored every individual
incoming network packet and logged warning messages about suspicious
packets - I suppose someone will know how to do this with ipchains or
ip firewalling stuff.
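
The log pattern discussed in this thread can be picked out of syslog mechanically. The following Python code is an added example, not part of the original message: it pairs each tcpd "can't get client address" warning with the "refused connect from unknown" line from the same daemon and PID, and lists services hit within the same second. Apart from the two log lines quoted in the message, the sample lines, the function names and the same-second threshold are assumptions made for illustration.

```python
import re
from collections import Counter

# The first two lines are the ones quoted in the message; the rest are constructed.
SAMPLE_LOG = """\
Dec  7 13:52:11 casal in.telnetd[27798]: warning: can't get client address: No route to host
Dec  7 13:52:12 casal in.telnetd[27798]: refused connect from unknown
Dec  7 13:52:12 casal in.ftpd[27801]: warning: can't get client address: Connection reset by peer
Dec  7 13:52:12 casal in.ftpd[27801]: refused connect from unknown
Dec  7 13:55:40 casal in.telnetd[27850]: connect from 192.0.2.10
Dec  7 14:01:03 casal in.telnetd[27902]: refused connect from 192.0.2.77
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
                  r"(?P<daemon>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
NO_ADDR = "warning: can't get client address: "

def find_vanished_peers(text):
    """Return one record per connection refused because the peer was already gone."""
    pending = {}   # (daemon, pid) -> error text from the warning line
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        key = (m["daemon"], m["pid"])
        msg = m["msg"]
        if msg.startswith(NO_ADDR):
            pending[key] = msg[len(NO_ADDR):]
        elif msg == "refused connect from unknown":
            events.append({"time": m["ts"], "service": m["daemon"],
                           "pid": int(m["pid"]),
                           "reason": pending.pop(key, "no warning logged")})
    return events

def burst_services(events, threshold=2):
    """Services with an 'unknown' refusal in a second that saw >= threshold of them."""
    per_second = Counter(e["time"] for e in events)
    return sorted({e["service"] for e in events if per_second[e["time"]] >= threshold})

if __name__ == "__main__":
    found = find_vanished_peers(SAMPLE_LOG)
    for e in found:
        print(e)
    print("same-second burst:", burst_services(found))
```

Refusals that carry a real client address are skipped on purpose, since those are ordinary access-control denials rather than peers that disappeared before tcpd could identify them.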

