Solved

RedHat xinetd log question

Posted on 2002-06-03
9
655 Views
Last Modified: 2013-12-16
I have a RH 7.1 setup as a server and it uses xinetd to control many of the network services.  ]

While most of these are disabled, I'd like to have some information about failed attempts to connect to disabled ports.  Is there a logging option to xinetd that will tell me for instance that IP=x.x.x.x attempted to connect to the TELNET port or similar?

Thanks.
0
Comment
Question by:jhance
9 Comments
 
LVL 3

Expert Comment

by:DVB
ID: 7053079
If the service is disabled, then you will not have any logs from xinetd at all, since the request never reaches xinetd.
You could instead install portsentry, or write a small firewall script that denies and logs all such attempts.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7054128
do you really want to be informed about approx. 65000 ports? Then I'd use ipchains/iptables' -j LOG  to do it.
Or more complicated: use tcp.wrapper in xinetd with a logging program of your choice.
0
 
LVL 32

Author Comment

by:jhance
ID: 7054155
No, not all 65000 ports.  Only a select few.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7054244
never tried it, but using tcp.wrapper (or tcpd, or whatever RH has named it) and a home-made prog which checks with netstat -pan for the IP ...

  iptables -A INPUT -p tcp --dport xxx -j LOG --log-prefix "DROP-xxx "
  iptables -A INPUT -p tcp --dport xxx -j DROP

looks much simpler ;-)
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 1

Expert Comment

by:smisk
ID: 7075829
<a href="http://www.snort.org/">snort</a> is great at this.  Install it, mess around a bit, and then write some custom rules for it.

The basic format of the rules you will want (the manual can be found <a href="http://www.snort.org/docs/writing_rules/">here</a>) are as follows :

alert tcp any any -> 10.0.0.5 23 (msg:"Telnet traffic";)

This alerts (where it logs to is configurable) when any host and any port tries to connect to 10.0.0.5 port 23 (telnet).

0
 
LVL 1

Expert Comment

by:BigJoe1008
ID: 7078278
Very simple solution is to install Port Sentry (http://www.psionic.com/products/portsentry.html).  You can set this up to log, alert and/or block on this activity.  If you have a firewall installed (ie ipchains, iptables) PortSentry will not see any ports that you have blocked.  

--Joe
0
 
LVL 32

Author Comment

by:jhance
ID: 7078852
I haven't given up on this question.  I've just been busy with some other stuff and haven't had time to evaluate these suggestions.

0
 

Expert Comment

by:CleanupPing
ID: 9077004
jhance:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 1

Accepted Solution

by:
drewber earned 100 total points
ID: 9220375
This question has been classified abandoned. I will make a recommendation to the moderators on its resolution in a week or two. I appreciate any comments that would help me to make a recommendation.
 

Unless it is clear to me that the question has been answered I will recommend delete. It is possible that a Grade less than A will be given if no expert makes a case for an A grade. It is assumed that any participant not responding to this request is no longer interested in its final disposition.

 
If the user does not know how to close the question, the options are here:
http://www.experts-exchange.com/help/closing.jsp
 
drewber
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Network Interface Card (NIC) bonding, also known as link aggregation, NIC teaming and trunking, is an important concept to understand and implement in any environment where high availability is of concern. Using this feature, a server administrator …
Introduction We as admins face situation where we need to redirect websites to another. This may be required as a part of an upgrade keeping the old URL but website should be served from new URL. This document would brief you on different ways ca…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now