Solved

RedHat xinetd log question

Posted on 2002-06-03
Last Modified: 2013-12-16
I have a RH 7.1 set up as a server and it uses xinetd to control many of the network services.

While most of these are disabled, I'd like to have some information about failed attempts to connect to disabled ports.  Is there a logging option to xinetd that will tell me for instance that IP=x.x.x.x attempted to connect to the TELNET port or similar?

Thanks.
Question by:jhance
9 Comments
 
LVL 3

Expert Comment

by:DVB
ID: 7053079
If the service is disabled, then you will not have any logs from xinetd at all, since the request never reaches xinetd.
You could instead install portsentry, or write a small firewall script that denies and logs all such attempts.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7054128
do you really want to be informed about approx. 65000 ports? Then I'd use ipchains/iptables' -j LOG  to do it.
Or more complicated: use tcp.wrapper in xinetd with a logging program of your choice.
0
 
LVL 32

Author Comment

by:jhance
ID: 7054155
No, not all 65000 ports.  Only a select few.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7054244
never tried it, but using tcp.wrapper (or tcpd, or whatever RH has named it) and a home-made prog which checks with netstat -pan for the IP ...

  iptables -A INPUT -p tcp --dport xxx -j LOG --log-prefix "DROP-xxx " 
  iptables -A INPUT -p tcp --dport xxx -j DROP

looks much simpler ;-)
0
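
The LOG/DROP rule pair suggested above writes one kernel log line per dropped packet, which can be reduced to the "IP=x.x.x.x attempted to connect to TELNET" report the question asks for. The following is an added example, not code from any poster in this thread; it assumes the prefix convention `DROP-<port> ` from those rules, and the host name, addresses, sample log lines and the `SERVICES` table are constructed for illustration.

```python
import re
from collections import Counter

# Assumed prefix convention from the rules above: --log-prefix "DROP-<port> "
LOG_RE = re.compile(
    r"kernel: (?:\[[\s\d.]+\] )?DROP-\d+ .*?"
    r"\bSRC=(?P<src>\S+) .*?\bPROTO=(?P<proto>\S+) .*?\bDPT=(?P<dpt>\d+)"
)

# Hypothetical "select few" ports to report by name
SERVICES = {21: "ftp", 23: "telnet", 79: "finger"}

# Constructed sample syslog lines in the netfilter LOG target's format
SAMPLE = """\
Jun  3 10:15:42 srv kernel: DROP-23 IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=192.0.2.10 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4411 DF PROTO=TCP SPT=40312 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  3 10:15:45 srv kernel: DROP-23 IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=192.0.2.10 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4412 DF PROTO=TCP SPT=40312 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  3 10:16:01 srv kernel: eth0: link up, 100Mbps, full-duplex
Jun  3 10:17:30 srv kernel: DROP-21 IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=901 DF PROTO=TCP SPT=51522 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
"""

def parse_line(line):
    """Return (source IP, destination port) for a DROP-* log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None  # unrelated kernel message
    return m.group("src"), int(m.group("dpt"))

def summarize(lines):
    """Count logged packets per (source IP, destination port)."""
    counts = Counter()
    for line in lines:
        hit = parse_line(line)
        if hit:
            counts[hit] += 1
    return counts

def report(counts):
    """Format the counts, busiest source first."""
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [
        f"IP={src} attempted {SERVICES.get(dpt, 'port')}/{dpt} x{n}"
        for (src, dpt), n in ordered
    ]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE.splitlines()))))
```

The count is per logged packet, so a client that retransmits its SYN shows up more than once for a single connection attempt.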
 
LVL 1

Expert Comment

by:smisk
ID: 7075829
snort (http://www.snort.org/) is great at this.  Install it, mess around a bit, and then write some custom rules for it.

The basic format of the rules you will want (the manual can be found at http://www.snort.org/docs/writing_rules/) is as follows:

alert tcp any any -> 10.0.0.5 23 (msg:"Telnet traffic";)

This alerts (where it logs to is configurable) when any host and any port tries to connect to 10.0.0.5 port 23 (telnet).

0
 
LVL 1

Expert Comment

by:BigJoe1008
ID: 7078278
A very simple solution is to install Port Sentry (http://www.psionic.com/products/portsentry.html).  You can set this up to log, alert and/or block on this activity.  If you have a firewall installed (i.e. ipchains, iptables) PortSentry will not see any ports that you have blocked.

--Joe
0
 
LVL 32

Author Comment

by:jhance
ID: 7078852
I haven't given up on this question.  I've just been busy with some other stuff and haven't had time to evaluate these suggestions.

0
 

Expert Comment

by:CleanupPing
ID: 9077004
jhance:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 1

Accepted Solution

by:
drewber earned 100 total points
ID: 9220375
This question has been classified abandoned. I will make a recommendation to the moderators on its resolution in a week or two. I appreciate any comments that would help me to make a recommendation.
 

Unless it is clear to me that the question has been answered I will recommend delete. It is possible that a Grade less than A will be given if no expert makes a case for an A grade. It is assumed that any participant not responding to this request is no longer interested in its final disposition.

 
If the user does not know how to close the question, the options are here:
http://www.experts-exchange.com/help/closing.jsp
 
drewber
0
