> Tonight, I was watching the lights on the switch I have connecting my DSL line
> to my servers, and saw a prolonged, intensive activity to one of my machines
> that is a web server, amongst other things.  During this activity, I telnetted
> in, and took a peek at the logs to see just what was going on.
>
> Running Apache, but no html access logged within the past few hours
> Running ftp, but no ftp access either within the past few hours
> Running Postfix, but once again, nothing -current-.
> Running RealServer, but I looked at its log, nothing recorded in
> there that was current.
> Nothing in MESSAGES, AUTH.LOG, MAIL.LOG, SECURE, XFERLOG that was recent.
>
> I am not running a nameserver on this machine.  Running the basic stock
> services that Mandrake 7.1 sets up.

It may have been a portscan. If you're running all the standard services
that LM7.1 sets up, then you're probably quite exposed. Cut back to the bare
minimum and make sure that insecure services like telnet etc. are not
accessible via the DSL link.

I couldn't find any docs on this, but in /etc/inetd.conf you can restrict
the interfaces on which inetd services will run by using a syntax like this:

localhost@telnet    stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
myhost@telnet       stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd

This will allow telnet access only when connecting to the loopback address,
or to the ip address that myhost resolves to (not your DSL address!).

If you haven't got some good ipchains rules in place, that should be your
next stop. ipchains can be configured so that it will log any offending
packets, and I use Psionic logcheck (http://www.psionic.com) to keep me
apprised of all interesting events in my log files.

Tony