Solved

RedHat xinetd log question

Posted on 2002-06-03
9
661 Views
Last Modified: 2013-12-16
I have a RH 7.1 setup as a server and it uses xinetd to control many of the network services.  ]

While most of these are disabled, I'd like to have some information about failed attempts to connect to disabled ports.  Is there a logging option to xinetd that will tell me for instance that IP=x.x.x.x attempted to connect to the TELNET port or similar?

Thanks.
0
Comment
Question by:jhance
9 Comments
 
LVL 3

Expert Comment

by:DVB
ID: 7053079
If the service is disabled, then you will not have any logs from xinetd at all, since the request never reaches xinetd.
You could instead install portsentry, or write a small firewall script that denies and logs all such attempts.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7054128
do you really want to be informed about approx. 65000 ports? Then I'd use ipchains/iptables' -j LOG  to do it.
Or more complicated: use tcp.wrapper in xinetd with a logging program of your choice.
0
 
LVL 32

Author Comment

by:jhance
ID: 7054155
No, not all 65000 ports.  Only a select few.
0
Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

 
LVL 51

Expert Comment

by:ahoffmann
ID: 7054244
never tried it, but using tcp.wrapper (or tcpd, or whatever RH has named it) and a home-made prog which checks with netstat -pan for the IP ...

  iptables -A INPUT -p tcp --dport xxx -j LOG --log-prefix "DROP-xxx " 
  iptables -A INPUT -p tcp --dport xxx -j DROP

looks much simpler ;-)
0
 
LVL 1

Expert Comment

by:smisk
ID: 7075829
<a href="http://www.snort.org/">snort</a> is great at this.  Install it, mess around a bit, and then write some custom rules for it.

The basic format of the rules you will want (the manual can be found <a href="http://www.snort.org/docs/writing_rules/">here</a>) are as follows :

alert tcp any any -> 10.0.0.5 23 (msg:"Telnet traffic";)

This alerts (where it logs to is configurable) when any host and any port tries to connect to 10.0.0.5 port 23 (telnet).

0
 
LVL 1

Expert Comment

by:BigJoe1008
ID: 7078278
Very simple solution is to install Port Sentry (http://www.psionic.com/products/portsentry.html).  You can set this up to log, alert and/or block on this activity.  If you have a firewall installed (ie ipchains, iptables) PortSentry will not see any ports that you have blocked.  

--Joe
0
 
LVL 32

Author Comment

by:jhance
ID: 7078852
I haven't given up on this question.  I've just been busy with some other stuff and haven't had time to evaluate these suggestions.

0
 

Expert Comment

by:CleanupPing
ID: 9077004
jhance:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 1

Accepted Solution

by:
drewber earned 100 total points
ID: 9220375
This question has been classified abandoned. I will make a recommendation to the moderators on its resolution in a week or two. I appreciate any comments that would help me to make a recommendation.
 

Unless it is clear to me that the question has been answered I will recommend delete. It is possible that a Grade less than A will be given if no expert makes a case for an A grade. It is assumed that any participant not responding to this request is no longer interested in its final disposition.

 
If the user does not know how to close the question, the options are here:
http://www.experts-exchange.com/help/closing.jsp
 
drewber
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

rdate is a Linux command and the network time protocol for immediate date and time setup from another machine. The clocks are synchronized by entering rdate with the -s switch (command without switch just checks the time but does not set anything). …
Little introduction about CP: CP is a command on linux that use to copy files and folder from one location to another location. Example usage of CP as follow: cp /myfoder /pathto/destination/folder/ cp abc.tar.gz /pathto/destination/folder/ab…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question