jhance
asked on
RedHat xinetd log question
I have a RH 7.1 setup as a server and it uses xinetd to control many of the network services.
While most of these are disabled, I'd like to have some information about failed attempts to connect to disabled ports. Is there a logging option to xinetd that will tell me for instance that IP=x.x.x.x attempted to connect to the TELNET port or similar?
Thanks.
Do you really want to be informed about approx. 65000 ports? Then I'd use ipchains/iptables' -j LOG to do it.
Or more complicated: use tcp.wrapper in xinetd with a logging program of your choice.
ASKER
No, not all 65000 ports. Only a select few.
Never tried it, but using tcp.wrapper (or tcpd, or whatever RH has named it) and a home-made prog which checks with netstat -pan for the IP ...
iptables -A INPUT -p tcp --dport xxx -j LOG --log-prefix "DROP-xxx "
iptables -A INPUT -p tcp --dport xxx -j DROP
looks much simpler ;-)
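The following script is an added example, not code posted in this thread. It builds on the iptables LOG/DROP suggestion above for the asker's case of "a select few" ports: it prints the rule pairs for a chosen port list so they can be reviewed before being applied as root, and it includes a small parser that turns the resulting kernel log lines into "source IP, destination port" summaries. The port list, the log-prefix convention and the sample log lines are all constructed for illustration; the log field names (SRC=, DPT=) are those the iptables LOG target writes.

```shell
#!/bin/sh
# Added example: log-and-drop a short list of closed ports and summarize
# the kernel log lines that result. Not from the original thread.

# Constructed list of ports to watch: ftp, telnet, pop3, imap.
WATCH_PORTS="21 23 110 143"

# Print the two iptables commands for one port. Printing instead of running
# lets you review them first; pipe the output into sh as root to apply.
# --syn limits logging to connection attempts rather than every packet.
rules_for_port() {
    port="$1"
    printf 'iptables -A INPUT -p tcp --syn --dport %s -j LOG --log-prefix "DROP-%s " --log-level info\n' "$port" "$port"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Emit the rule pair for every watched port.
all_rules() {
    for p in $WATCH_PORTS; do
        rules_for_port "$p"
    done
}

# Read kernel LOG lines (as they appear in /var/log/messages) on stdin and
# print "SRC DPT" for each line carrying our DROP-<port> prefix.
# Lines without the prefix, or without SRC=/DPT= fields, are ignored.
summarize_log() {
    sed -n 's/.*DROP-[0-9]* .*SRC=\([0-9.]*\) .*DPT=\([0-9]*\) .*/\1 \2/p'
}

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG='Jan  5 10:00:01 host kernel: DROP-23 IN=eth0 OUT= MAC=... SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  5 10:00:02 host kernel: DROP-21 IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  5 10:00:03 host kernel: unrelated message with no SRC or DPT field'

# Number of logged attempts in the sample.
count_attempts() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_log | wc -l | tr -d ' '
}

# Stand-alone run: show the rules, then the summarized sample attempts.
all_rules
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

On a live system the summary would be fed from the syslog file instead of SAMPLE_LOG, for example `grep 'DROP-' /var/log/messages | summarize_log | sort | uniq -c`, which gives a count per source and port.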
snort (http://www.snort.org/) is great at this. Install it, mess around a bit, and then write some custom rules for it.
The basic format of the rules you will want (the manual can be found at http://www.snort.org/docs/writing_rules/) is as follows:
alert tcp any any -> 10.0.0.5 23 (msg:"Telnet traffic";)
This alerts (where it logs to is configurable) when any host and any port tries to connect to 10.0.0.5 port 23 (telnet).
Very simple solution is to install Port Sentry (http://www.psionic.com/products/portsentry.html). You can set this up to log, alert and/or block on this activity. If you have a firewall installed (i.e. ipchains, iptables) PortSentry will not see any ports that you have blocked.
--Joe
ASKER
I haven't given up on this question. I've just been busy with some other stuff and haven't had time to evaluate these suggestions.
jhance:
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations! No comment means you don't care.
ASKER CERTIFIED SOLUTION
You could instead install portsentry, or write a small firewall script that denies and logs all such attempts.