Re: [plhofmei@zionlth.org: SSHD Attempts to open /var/log/lastlog for RW with insufficient permissions]
Hello,

I am running woody and I just logged into my machine with ssh, and my lastlog was updated. On my machine, wtmp and lastlog are user root, group utmp, and both are rw,rw,r only. Does this mean that privilege separation is not happening on my machine or is this a difference between woody and potato? When you are logged in via ssh and type 'last' do you not see the ssh connection?

Brian Flaherty
Re: Junkbuster cannot resolve names?
I wrote this about using junkbuster on a testing machine.

> When I
> try to access a page that is not on my machine, I get the message 'No
> such domain: www.google.com' (for example). However, when I
> try http://216.239.37.101 (google's ip), I did get the page and I was
> able to search and click around a bit. But, when I clicked 'Google'
> on one of their webpages (i.e., back to www.google.com), I got the 'No
> such domain' message again.

After playing with junkbuster some more, I think the problem is that when started as a daemon, it is running as UID = junkbust. When I run it from a root command line, it works just fine, running as root!

I am at a loss as to how I allow the user junkbust to resolve ip addresses. Can I change the group membership of the user junkbust to something else? What should it be, users? Also, what security goals am I circumventing by changing this?

Thanks for any suggestions or pointers.

Brian Flaherty
Re: Exim mail
Josh <[EMAIL PROTECTED]> writes:

> hmmm, I'm a bit of a newbie here, but how do you bind a
> daemon, eg telnetd to a certain nic?

Try running xinetd, if you aren't already. In each service block, you can use the 'bind' option, which ties the service to a NIC's IP address. Someone please correct me if I am wrong, but I think this effectively keeps the service from listening on other interfaces.

Brian
Re: Exim mail
"Daniel Rychlik" <[EMAIL PROTECTED]> writes:

> How do I stop this from happening. Apparently my bud telnetted to port 25
> and somehow sent mail from my root account. Any suggestions, white papers
> or links? I would like to block the telnet application all together, but I
> don't think that's possible.

I may be wrong, but from your email headers, it looks like you are mailing from a computer connected via dsl. Are you running an smtp server for yourself (i.e., internal mail, getting mail from external source and sending via an exim smarthost) or are you actually supposed to be relaying mail for other machines?

I am connected with DSL and retrieve mail from three different sources. I run fetchmail to get it and exim to send it out. Exim is configured to send mail for the localhost only and it passes it all out to my smarthost. Also, ipchains blocks all smtp traffic, except from the smarthost. And finally, I have telnetd running from xinetd.conf, but it is bound to my internal NIC, so there isn't an open telnet port on the internet.

Maybe a configuration like this would work for you?

Brian
Strange auth.log entry
Hello,

I found this in my auth.log yesterday and I am puzzled by it.

Nov 7 00:52:56 localhost PAM_unix[4704]: authentication failure; (uid=0) -> **unknown** for passwd service

I don't know how to interpret the (uid=0) -> **unknown** part. I don't think I was working as root at the time (in fact, I don't think I was working at all at the time). I know sometimes a root process switches over to nobody (for example, wwwoffle). I searched through all my past auth.log* files and did not find any other examples of this, so I don't think it is a (daily) cron job. Finally, I don't see any record of someone trying to access the machine in kern.log or the ippl log.

Also, how do I find out what PAM_unix[4704] refers to? I assume 4704 is some sort of message, but I don't know where to look. I perused the libpam-doc in /usr/doc, but did not see any sections that looked like a code reference.

Thanks for any thoughts or suggestions.

Brian Flaherty
St. Jude model?
Hello,

Is anyone here familiar with something called the St. Jude model of root exploit detection (see http://sourceforge.net/projects/stjude)? There is a paper explaining the idea on the website, as well as a linux kernel module. It sounds like a good idea, but has anyone here used it?

Brian Flaherty
Re: Is ident secure?
I have had a lot of problems running non-Debian software when I disable ident. It seems like the licensing daemons expect to find the license over a network and so, even though the license file is probably sitting next to them in the directory, the daemon goes out the interface card, comes back in, and then gets the license. I have tried to route them through, and some do but others won't. As another example, I have to have a telnet service running for another license daemon.

I am still working on this networking stuff, but right now I have everything running locally only. The respective ports are closed with ipchains and also in hosts.allow, hosts.deny, and the xinetd.conf.

It sounds like we have a similar problem. I read all this stuff, "If you don't know what it is, you don't need it." and "If you don't need it, shut it down." One of the things I read said to shut off lpd. I know there have been all kinds of problems with lpd, but how do I print then?

I guess the message is that balancing security and usability is the issue.

--
Brian P. Flaherty
--
 /"\
 \ /  ASCII RIBBON CAMPAIGN
  X   AGAINST HTML MAIL
 / \
Why do people do this? [Was fishingboat in root]
So, I found it in netwatch.c. Why do people create these files? I have enough to do already, without wasting time looking for the source of spurious files.

    static unsigned char fillmac[] = { 0, 0, 0, 0, 0, 0 };
    static FILE *fish = NULL;
    static char fishname[] = "/root/.fishingboat";
    static int fishlen = 0;
    static char *fishp;

Could a message go in the README.Debian file in netdiag that says something to the effect of "netwatch will create a silly file, /root/.fishingboat, don't worry about it." How about on the manpage in the files section?

--
Brian P. Flaherty
--
 /"\
 \ /  ASCII RIBBON CAMPAIGN
  X   AGAINST HTML MAIL and garbage files lying around
 / \
fishingboat in root?
Hello,

This seems rather strange. I found a file called .fishingboat in my /root directory. Is anyone familiar with this? I found one page on the web so far that someone mentioned the same thing, but didn't identify where it came from.

I realize it may be a sign of an intrusion, but I also spent a long time one day tracking down some files that appeared in /tmp that had names I won't type here. I tracked them down to being files created by a RH sound RPM.

So, if anyone is familiar with this, I would appreciate learning about what this is.

Thanks.

Brian Flaherty
--
 /"\
 \ /  ASCII RIBBON CAMPAIGN
  X   AGAINST HTML MAIL
 / \
Re: Crypto
John DOE <[EMAIL PROTECTED]> writes:

> Hello everybody,
> I want to have some information about what kind of cryptological benefits
> does my linux server offer to me . I searched linuxdoc.org but could not find
> a howto about linux cryptology. Could you please guide me to a web site or to
> a documentation site where I can start from the novice level and go up to the
> guru level ?

First, do you mean cryptography or cryptology? According to the handy web dictionaries, cryptology is the study of cryptography or cryptanalysis. So, as you implement cryptography on your machine, you can study cryptology to really get a grasp of how it works and what the limitations are. :)

Really, though there are all kinds of resources for cryptography on the web. You might try searching Linux cryptography on the web. Also, I believe there is a link to a non-US site on www.kernel.org that has kernel specific cryptography information. And last, I recall that the PGP documentation had a very good introduction to cryptography.

HTH,
Brian
Re: inetd questions
Jason Thomas <[EMAIL PROTECTED]> writes:

> I tried this out on my system and it works for me!
>
> with disabled:
> Aug 19 12:58:21 imhotep xinetd[26847]: {init_services} no services. Exiting...
>
> without disabled:
> Aug 19 12:58:38 imhotep xinetd[26856]: xinetd Version 2.1.8.8p3 started with
> Aug 19 12:58:38 imhotep xinetd[26856]: libwrap
> Aug 19 12:58:38 imhotep xinetd[26856]: options compiled in.
> Aug 19 12:58:38 imhotep xinetd[26856]: Started working: 1 available service
>
>
> defaults
> {
>     disabled = amanda
> }
>
> service amanda
> {
>     socket_type = dgram
>     protocol    = udp
>     wait        = yes
>     user        = backup
>     groups      = yes
>     server      = /usr/lib/amanda/amandad
>     bind        = 192.168.11.10
>     only_from   = 192.168.11.2
> }
>
> the man page does mention putting in a 'disable = yes' option.

May I ask what version of xinetd you are using? My man page does not mention 'disable=yes' anywhere. In fact, in the example xinetd.conf on the man page, rstatd is disabled in the defaults section, but there is no 'disable=yes' in the rstatd description.

Thanks for your time.

Brian Flaherty
Re: strangelog
Rudy Gevaert <[EMAIL PROTECTED]> writes:

> Hello,
>
> This weekend I got a strange log:
>
> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
> Aug 11 06:25:03 alhandra su[3584]: + ??? root-nobody
> Aug 11 06:25:03 alhandra PAM_unix[3584]: (su) session opened for user
> nobody by
> +(uid=0)

I also saw this recently when SAS (a statistics package) opened up a TCP port to listen for data shares. Since noticing it, I have seen it several more times for other tasks, like the cron jobs mentioned earlier.

--
Brian P. Flaherty
 /"\
 \ /  ASCII RIBBON CAMPAIGN
  X   AGAINST HTML MAIL
 / \
Re: inetd questions
Alvin Oga <[EMAIL PROTECTED]> writes:

> to tighten your server
> - comment out all entries in inetd.conf...
> or xinet.d/* should have "disable=yes"

Hello,

I just tried the above in my xinetd.conf and I get errors. That is, I put 'disable = yes' in service sections. I also tried 'disabled', but received the same messages.

Aug 18 13:22:37 c119756-b xinetd[27786]: Starting soft reconfiguration
Aug 18 13:22:37 c119756-b xinetd[27786]: bad attribute: disable [line=58]
Aug 18 13:22:37 c119756-b xinetd[27786]: bad attribute: disable [line=73]
Aug 18 13:22:37 c119756-b xinetd[27786]: bad attribute: disable [line=85]
Aug 18 13:22:37 c119756-b xinetd[27786]: bad attribute: disable [line=97]
Aug 18 13:22:37 c119756-b xinetd[27786]: bad attribute: disable [line=109]
Aug 18 13:22:37 c119756-b xinetd[27786]: bad attribute: disable [line=121]
Aug 18 13:22:37 c119756-b xinetd[27786]: bad attribute: disable [line=133]
Aug 18 13:22:37 c119756-b xinetd[27786]: bad attribute: disable [line=145]
Aug 18 13:22:37 c119756-b xinetd[27786]: bad attribute: disable [line=157]
Aug 18 13:22:37 c119756-b xinetd[27786]: bad attribute: disable [line=169]

I am following this up because I have also posted a question about 'disabled =' in the defaults section of xinetd.conf. Are these version differences? I am using xinetd Version 2.1.8.8p3 from stable/potato.

Thanks for any thoughts or suggestions.

Brian Flaherty
--
 /"\
 \ /  ASCII RIBBON CAMPAIGN
  X   AGAINST HTML MAIL
 / \
disabled in xinetd doesn't work?
Hello,

I have spent a fair amount of time trying to limit access to my desktop. One thing I have done is switched over to xinetd and I have moved most services into xinetd.conf.

Aug 18 11:03:48 c119756-b xinetd[27786]: xinetd Version 2.1.8.8p3 started with
Aug 18 11:03:48 c119756-b xinetd[27786]: libwrap
Aug 18 11:03:48 c119756-b xinetd[27786]: options compiled in.
Aug 18 11:03:48 c119756-b xinetd[27786]: Started working: 16 available services

One of the things I have tried is to use the disabled= keyword in the default section, but it doesn't seem to work. Above is part of daemon.log when I start xinetd and here is the defaults section of xinetd.conf:

# This file generated by xconv.pl, included with the xinetd
# package. xconv.pl was written by Rob Braun ([EMAIL PROTECTED])
[...]
# The defaults section sets some information for all services
defaults
{
    #The maximum number of requests a particular service may handle
    # at once.
    instances = 10

    # The type of logging. This logs to a file that is specified.
    # Another option is: SYSLOG syslog_facility [syslog_level]
    log_type = FILE /var/log/servicelog

    # What to log when the connection succeeds.
    # PID logs the pid of the server processing the request.
    # HOST logs the remote host's ip address.
    # USERID logs the remote user (using RFC 1413)
    # EXIT logs the exit status of the server.
    # DURATION logs the duration of the session.
    log_on_success = PID

    # What to log when the connection fails. Same options as above
    log_on_failure = HOST RECORD

    # Deny everything
    # Commented out because I don't know how it works with oidentd
    only_from =

    # The maximum number of connections a specific IP address can
    # have to a specific service.
    per_source = 5

    # Internally disabled
    disabled = time daytime chargen discard servers services xadmin
}
[It goes on from here...]

Any idea why this is not working? As with other questions I have had concerning my use of Debian, I am trying to do this, while maintaining compatibility with the package system.

Thanks for any suggestions.

Brian Flaherty
--
 /"\
 \ /  ASCII RIBBON CAMPAIGN
  X   AGAINST HTML MAIL
 / \
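
An added example, not part of any message in this archive and not xinetd's own code: a small audit of an xinetd.conf that reports, for each service, whether it is switched off by the `disabled` list in `defaults` and whether it has the `bind` and `only_from` restrictions discussed in the Exim and inetd threads above. The sample configuration is constructed (the `telnet` and `time` entries are illustrative), the names `parse_conf` and `audit` are hypothetical, and inheritance from `defaults` is simplified to `only_from` alone.

```python
import re

# Constructed sample, modelled on the configurations quoted in this archive.
SAMPLE_CONF = """\
# constructed example, not a real host's file
defaults
{
    instances = 10
    disabled  = time daytime
}

service amanda
{
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = backup
    server      = /usr/lib/amanda/amandad
    bind        = 192.168.11.10
    only_from   = 192.168.11.2
}

service telnet
{
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
}

service time
{
    type        = INTERNAL
    socket_type = stream
    wait        = no
    user        = root
}
"""

BLOCK_RE = re.compile(r"^\s*(defaults|service\s+(\S+))\s*\{(.*?)^\s*\}", re.M | re.S)
ATTR_RE = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")


def parse_conf(text):
    """Return (defaults, services); each maps attribute -> list of values."""
    # Lines whose first non-blank character is '#' are comments.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    defaults, services = {}, {}
    for block in BLOCK_RE.finditer(body):
        attrs = {}
        for line in block.group(3).splitlines():
            m = ATTR_RE.match(line)
            if not m:
                continue
            key, op, vals = m.group(1), m.group(2), m.group(3).split()
            if op == "=":
                attrs[key] = vals
            elif op == "+=":
                attrs.setdefault(key, []).extend(vals)
            else:  # "-=" removes values from the current set
                attrs[key] = [v for v in attrs.get(key, []) if v not in vals]
        if block.group(2) is None:
            defaults = attrs
        else:
            services[block.group(2)] = attrs
    return defaults, services


def audit(text):
    """Report exposure per service: enabled?, bind address, only_from, findings."""
    defaults, services = parse_conf(text)
    off = set(defaults.get("disabled", []))  # service ids disabled in defaults
    report = {}
    for name, attrs in services.items():
        sid = (attrs.get("id") or [name])[0]
        # 'disable = yes' is honoured here; the 2.1.8.8p3 build in the thread
        # rejected it as a bad attribute, so the defaults list is checked too.
        enabled = sid not in off and (attrs.get("disable") or ["no"])[0] != "yes"
        bind = (attrs.get("bind") or [None])[0]
        only_from = attrs.get("only_from", defaults.get("only_from"))
        findings = []
        if enabled and bind is None:
            findings.append("listens on every interface (no bind)")
        if enabled and only_from is None:
            findings.append("no only_from restriction")
        report[name] = {"enabled": enabled, "bind": bind,
                        "only_from": only_from, "findings": findings}
    return report


if __name__ == "__main__":
    for svc, info in audit(SAMPLE_CONF).items():
        print(svc, info)
```

The report describes the configuration as written; comparing it against the listening sockets on the running host confirms that xinetd actually applied it.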