RE: [expert] The lights are on, but no one's home
> Tonight, I was watching the lights on the switch I have connecting my DSL line to
> my servers, and saw a prolonged, intensive activity to one of my machines that is
> a web server, amongst other things. During this activity, I telnetted in, and took
> a peek at the logs to see just what was going on.
>
> Running Apache, but no html access logged within the past few hours
> Running ftp, but no ftp access either within the past few hours
> Running Postfix, but once again, nothing -current-.
> Running RealServer, but I looked at its log, nothing recorded in there that was current.
> Nothing in MESSAGES, AUTH.LOG, MAIL.LOG, SECURE, XFERLOG that was recent.
>
> I am not running a nameserver on this machine. Running the basic stock services that
> Mandrake 7.1 sets up.

It may have been a portscan. If you're running all the standard services that LM7.1 sets up, then you're probably quite exposed. Cut back to the bare minimum and make sure that insecure services like telnet etc. are not accessible via the DSL link.

I couldn't find any docs on this, but in /etc/inetd.conf you can restrict the interfaces on which inetd services will run by using a syntax like this:

    localhost@telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
    myhost@telnet    stream tcp nowait root /usr/sbin/tcpd in.telnetd

This will allow telnet access only when connecting to the loopback address, or to the IP address that myhost resolves to (not your DSL address!).

If you haven't got some good ipchains rules in place, that should be your next stop. ipchains can be configured so that it will log any offending packets, and I use Psionic logcheck (http://www.psionic.com) to keep me apprised of all interesting events in my log files.

Tony
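Added example, not part of Tony's message: a small audit that lists which enabled inetd.conf entries carry no address prefix and would therefore be offered on every interface, including the DSL link. It assumes the host@service prefix syntax described in the message above; the function names and the sample inetd.conf are constructed for illustration.

```shell
#!/bin/sh
# Audit an inetd.conf for services that are not tied to a specific address.
# Assumption: the "host@service" prefix works as described in the message above.

# Print "service proto" for each active entry with no address prefix.
unbound_inetd_services() {
    awk '
        $1 ~ /^#/ || NF < 6 { next }   # skip comments, blanks, malformed lines
        $1 !~ /@/ { print $1, $3 }     # field 1 = [host@]service, field 3 = protocol
    ' "$1"
}

# Print "host service proto" for entries already restricted to one address.
bound_inetd_services() {
    awk '
        $1 ~ /^#/ || NF < 6 { next }
        $1 ~ /@/ { split($1, p, "@"); print p[1], p[2], $3 }
    ' "$1"
}

# Write a constructed sample inetd.conf (not taken from a real host).
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample for the audit functions
localhost@telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
myhost@telnet    stream tcp nowait root /usr/sbin/tcpd in.telnetd
ftp     stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
#shell  stream tcp nowait root /usr/sbin/tcpd in.rshd
pop-3   stream tcp nowait root /usr/sbin/tcpd ipop3d
auth    stream tcp nowait root /usr/sbin/in.identd in.identd -l -e -o
EOF
}

sample=$(mktemp)
make_sample "$sample"
echo "Offered on all interfaces:"
unbound_inetd_services "$sample"
echo "Restricted to one address:"
bound_inetd_services "$sample"
rm -f "$sample"
```

Point it at the real file with `unbound_inetd_services /etc/inetd.conf`; every service it prints is a candidate for removal or for an address prefix.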
Re: [expert] The lights are on, but no one's home
Try this: ping -f

What do your lights do now?

Dan.

----- Original Message -----
From: Bob Puff@NLE <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 31, 2000 11:11 PM
Subject: [expert] The lights are on, but no one's home

> Hello,
>
> Tonight, I was watching the lights on the switch I have connecting my DSL line to
> my servers, and saw a prolonged, intensive activity to one of my machines that is
> a web server, amongst other things. During this activity, I telnetted in, and took
> a peek at the logs to see just what was going on.
>
> Running Apache, but no html access logged within the past few hours
> Running ftp, but no ftp access either within the past few hours
> Running Postfix, but once again, nothing -current-.
> Running RealServer, but I looked at its log, nothing recorded in there that was current.
> Nothing in MESSAGES, AUTH.LOG, MAIL.LOG, SECURE, XFERLOG that was recent.
>
> I am not running a nameserver on this machine. Running the basic stock services that
> Mandrake 7.1 sets up.
>
> Where should I look for more info?
>
> Is there a package that perhaps comes with 7.1 that is a monitoring program that I
> could access via my browser?
>
> Bob
[expert] The lights are on, but no one's home
Hello,

Tonight, I was watching the lights on the switch I have connecting my DSL line to my servers, and saw a prolonged, intensive activity to one of my machines that is a web server, amongst other things. During this activity, I telnetted in, and took a peek at the logs to see just what was going on.

Running Apache, but no html access logged within the past few hours
Running ftp, but no ftp access either within the past few hours
Running Postfix, but once again, nothing -current-.
Running RealServer, but I looked at its log, nothing recorded in there that was current.
Nothing in MESSAGES, AUTH.LOG, MAIL.LOG, SECURE, XFERLOG that was recent.

I am not running a nameserver on this machine. Running the basic stock services that Mandrake 7.1 sets up.

Where should I look for more info?

Is there a package that perhaps comes with 7.1 that is a monitoring program that I could access via my browser?

Bob