[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

RedHat xinetd log question

Posted on 2002-06-03
9
Medium Priority
?
671 Views
Last Modified: 2013-12-16
I have a RH 7.1 setup as a server and it uses xinetd to control many of the network services.  ]

While most of these are disabled, I'd like to have some information about failed attempts to connect to disabled ports.  Is there a logging option to xinetd that will tell me for instance that IP=x.x.x.x attempted to connect to the TELNET port or similar?

Thanks.
0
Comment
Question by:jhance
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 3

Expert Comment

by:DVB
ID: 7053079
If the service is disabled, then you will not have any logs from xinetd at all, since the request never reaches xinetd.
You could instead install portsentry, or write a small firewall script that denies and logs all such attempts.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7054128
do you really want to be informed about approx. 65000 ports? Then I'd use ipchains/iptables' -j LOG  to do it.
Or more complicated: use tcp.wrapper in xinetd with a logging program of your choice.
0
 
LVL 32

Author Comment

by:jhance
ID: 7054155
No, not all 65000 ports.  Only a select few.
0
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

 
LVL 51

Expert Comment

by:ahoffmann
ID: 7054244
never tried it, but using tcp.wrapper (or tcpd, or whatever RH has named it) and a home-made prog which checks with netstat -pan for the IP ...

  iptables -A INPUT -p tcp --dport xxx -j LOG --log-prefix "DROP-xxx " 
  iptables -A INPUT -p tcp --dport xxx -j DROP

looks much simpler ;-)
0
 
LVL 1

Expert Comment

by:smisk
ID: 7075829
<a href="http://www.snort.org/">snort</a> is great at this.  Install it, mess around a bit, and then write some custom rules for it.

The basic format of the rules you will want (the manual can be found <a href="http://www.snort.org/docs/writing_rules/">here</a>) are as follows :

alert tcp any any -> 10.0.0.5 23 (msg:"Telnet traffic";)

This alerts (where it logs to is configurable) when any host and any port tries to connect to 10.0.0.5 port 23 (telnet).

0
 
LVL 1

Expert Comment

by:BigJoe1008
ID: 7078278
Very simple solution is to install Port Sentry (http://www.psionic.com/products/portsentry.html).  You can set this up to log, alert and/or block on this activity.  If you have a firewall installed (ie ipchains, iptables) PortSentry will not see any ports that you have blocked.  

--Joe
0
 
LVL 32

Author Comment

by:jhance
ID: 7078852
I haven't given up on this question.  I've just been busy with some other stuff and haven't had time to evaluate these suggestions.

0
 

Expert Comment

by:CleanupPing
ID: 9077004
jhance:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 1

Accepted Solution

by:
drewber earned 400 total points
ID: 9220375
This question has been classified abandoned. I will make a recommendation to the moderators on its resolution in a week or two. I appreciate any comments that would help me to make a recommendation.
 

Unless it is clear to me that the question has been answered I will recommend delete. It is possible that a Grade less than A will be given if no expert makes a case for an A grade. It is assumed that any participant not responding to this request is no longer interested in its final disposition.

 
If the user does not know how to close the question, the options are here:
http://www.experts-exchange.com/help/closing.jsp
 
drewber
0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Network Interface Card (NIC) bonding, also known as link aggregation, NIC teaming and trunking, is an important concept to understand and implement in any environment where high availability is of concern. Using this feature, a server administrator …
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question