On Tue, 7 Nov 2000, Charles Cazabon wrote:

> Roger Walker <[EMAIL PROTECTED]> wrote:
> [...]
> >     'locals' contains "localhost", the FQDN for the host, and the
> > domain portion of the FQDN for the host.
> [...] 
> >     Question(s): Am I being used as a relay?
> 
> Difficult to tell, since you've removed your hostname.  However, I checked
> "nylon.rope.net" and it refused a very basic relay attempt.  If that's the
> host you're talking about, I don't believe you're being relay-raped.

        nylon.rope.net is correct. I have used one of the websites (no
info at hand) to check for relaying - it got to a certain point and said I
did (because the bounce got through) - it quit at that point, so I don't
know if there were any other tests. QMail failed at that point, I suspect,
because they don't know how qmail handles the bounce mail, which I forward
to postmaster.

> > If not, why would they stop trying to connect as soon as they were refused?
> > The sheer quantity of connect attempts says that they are up to something no
> > good, but I have no evidence of anything except their connections - nothing
> > more. Are they attempting to relay, but too stupid to check that my system
> > won't relay for them? Are they relaying, but I'm too stupid to configure
> > qmail properly? Enquiring minds want to know :-)
> 
> Perhaps they're just trying to guess your root password, since you said
> they're showing up in /var/log/secure.  Are they SSH-ing in?  What does
> your security log actually say about that host?

        The secure file shows what they are connecting to. In this case,
it is "tcp-env", and the only thing in inetd.conf using it (and the
hosts.allow file tcp-env entry) is qmail. They were definitely going for
the MTA, but I am curious to know if they might have been successful (why
else would they continue to connect?).

        Should I be careful with some of the control file contents?

        I periodically get incidents like this, and I'm not sure whether I
should ignore it, add them to my hosts.deny file, or change/correct my
configuration.

        The one time I know I was relaying, I found a misconfiguration
(can't remember what it was now - long time ago) and corrected it
immediately, then cleaned the queues. This time there seems to be no
activity (processor use or connections showing up in netstat - other than
the one that shows up in the secure file). But they must be pretty dull if
they continue to try to relay if the system doesn't allow it - there are
several hours' worth of connections...

-- 
Roger Walker                         <http://www.rat-hole.com>
Voice/Fax 1-780-440-2685             <http://www.man-from-linux.com>
"HIS Pain; YOUR Gain"                <http://www.rope.net>
<http://www.rope.net/signature.html>

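To put numbers on a burst of connections like the one described above, here is an added example (not code from the thread) that parses tcpd-style "connect from" entries for the tcp-env service out of a constructed /var/log/secure excerpt, counts attempts per remote host, flags hosts that opened several connections in a short window, and emits candidate hosts.deny lines for review. The log line format, the sample addresses, the year, and the thresholds are assumptions.

```python
import re
from datetime import datetime
# Constructed excerpt of /var/log/secure in the form tcpd (tcp_wrappers) logs
# connections that inetd hands to "tcp-env"; format and addresses are assumed.
SAMPLE_SECURE_LOG = """\
Nov  7 02:10:03 nylon tcp-env[4101]: connect from 192.0.2.77
Nov  7 02:10:09 nylon tcp-env[4102]: connect from 192.0.2.77
Nov  7 02:10:15 nylon tcp-env[4103]: connect from 192.0.2.77
Nov  7 02:11:40 nylon tcp-env[4110]: connect from 198.51.100.9
Nov  7 02:12:02 nylon tcp-env[4115]: connect from 192.0.2.77
Nov  7 02:12:08 nylon tcp-env[4116]: refused connect from 192.0.2.77
Nov  7 06:30:00 nylon sshd[4200]: Accepted password for roger from 203.0.113.5
Nov  7 06:45:11 nylon tcp-env[4301]: connect from 192.0.2.77
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<svc>[\w.-]+)\[\d+\]: "
    r"(?P<refused>refused )?connect from (?P<host>\S+)$"
)

def connection_stats(text, service="tcp-env", year=2000):
    """Per remote host: total tcpd entries, how many were refused, and timestamps."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("svc") != service:
            continue  # other services (e.g. sshd) are not what we are counting here
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        s = stats.setdefault(m.group("host"), {"total": 0, "refused": 0, "times": []})
        s["total"] += 1
        s["refused"] += bool(m.group("refused"))
        s["times"].append(ts)
    return stats

def burst_hosts(stats, min_connects=4, window_minutes=5):
    """Hosts that opened min_connects or more connections inside window_minutes."""
    flagged = []
    for host, s in stats.items():
        times = sorted(s["times"])
        lo = 0
        for hi, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[lo]).total_seconds() > window_minutes * 60:
                lo += 1
            if hi - lo + 1 >= min_connects:
                flagged.append(host)
                break
    return sorted(flagged)

def hosts_deny_lines(hosts, service="tcp-env"):
    """Candidate /etc/hosts.deny entries (tcp_wrappers syntax) for manual review."""
    return [f"{service}: {h}" for h in hosts]
```

Run it against the real file (`connection_stats(open("/var/log/secure").read())`) and compare the flagged hosts with what netstat shows before adding anything to hosts.deny.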