
[cobalt-security] LogCheck (whutzit mean?), IPChains & PS



Hi all. Long-time skulker, first-time poster, so please excuse my ignorance. Linux newbie, but capable and familiar with most of the ins and outs as discussed throughout the list in the past two months.

I continually keep my RaQ up to date, have updated Pop-Before-SMTP, installed SSH and MySQL, and am serving databases. About two months ago I started getting security savvy. Per past list articles I installed logcheck, ran chkrootkit (all clear) and proceeded to install portsentry and ipchains. We also run GUI admin through SSL. On those last two I don't think I have everything configured properly. I was afraid to lock myself out, so I implemented no rules in ipchains. To be honest I have been putting that off. I am pretty sure my question will require making changes to these programs' conf files, but I'm not sure where to start. Of course my root password is different from admin's (we change those monthly now) and telnet is turned off.

I have reviewed the how-tos but was hoping someone would have a basic security-settings walk-through, perhaps, please? I swear I looked through the archives and apologize if this question has already been answered (as I am sure it has).

Now to my main question...
At times I think I understand my logcheck reports, but most of the time I am winging it. I know there are attempted accesses (hopefully only attempts) but am not sure how to identify and address these issues (ipchains in rc.deny? And if so, how?).

Is there a URL out there that defines what these log reports actually are or pertain to? As stated, I understand most of them, but some are so esoteric...

Some of my questionable log report follows...
Security Violations
=-=-=-=-=-=-=-=-=-=
The following record is regularly repeated (all of the attempts change their emails regularly, except for the michaelg@xxxxxxxxxxxxxxx) and I assume someone is attempting to utilize this email. What do I do to deal with this? I know it is being denied, but...

Aug 1 04:15:07 www sendmail[2281]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Aug 1 04:20:31 www sendmail[2635]: f71BKV602635: ruleset=check_rcpt, arg1=<michaelg@xxxxxxxxxxxxxxx>, relay=[211.108.240.2], reject=450 4.7.1 <michaelg@xxxxxxxxxxxxxxx>... Relaying temporarily denied. Cannot resolve PTR record for 211.108.240.2
Aug 1 05:30:03 www sendmail[5497]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Aug 1 05:34:31 www sendmail[5677]: f71CYV605677: ruleset=check_mail, arg1=<online2success@xxxxxxxxx>, relay=ns.ssbiobio.co.cl [208.197.136.99], reject=501 5.1.8 <online2success@xxxxxxxxx>... Domain of sender address online2success@xxxxxxxxx does not exist
Aug 1 19:59:19 www sendmail[10894]: f722xJ610894: ruleset=check_mail, arg1=<guardian@xxxxxxxxxxxxxxxxxxx>, relay=[66.115.19.36], reject=501 5.1.8 <guardian@xxxxxxxxxxxxxxxxxxx>... Domain of sender address guardian@xxxxxxxxxxxxxxxxxxx does not exist

Don't understand this one at all...
Aug 1 05:45:03 www sendmail[6094]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Don't understand this either, as all DNS services are operational...
Aug  1 08:55:14 www sendmail[14657]: gethostbyaddr(xx.xx.xxx.xxx) failed: 1
Aug  1 08:55:14 www sendmail[14657]: gethostbyaddr(xx.xx.xxx.xxy) failed: 1
Aug  1 08:55:14 www sendmail[14657]: gethostbyaddr(xx.xx.xxx.xxz) failed: 1
Aug  1 08:55:14 www sendmail[14660]: gethostbyaddr(xx.xx.xxx.xxx) failed: 1
Aug  1 08:55:14 www sendmail[14660]: gethostbyaddr(xx.xx.xxx.xxy) failed: 1
Aug  1 08:55:14 www sendmail[14660]: gethostbyaddr(xx.xx.xxx.xxz) failed: 1
Aug  1 08:55:15 www sendmail[14663]: gethostbyaddr(xx.xx.xxx.xxx) failed: 1
Aug  1 08:55:15 www sendmail[14663]: gethostbyaddr(xx.xx.xxx.xxy) failed: 1
Aug  1 08:55:15 www sendmail[14663]: gethostbyaddr(xx.xx.xxx.xxz) failed: 1
Aug  1 08:55:15 www sendmail[14666]: gethostbyaddr(xx.xx.xxx.xxx) failed: 1
Aug  1 08:55:15 www sendmail[14666]: gethostbyaddr(xx.xx.xxx.xxy) failed: 1
Etc... I get these errors throughout the log at different times.

I am mainly concerned with the following log reports...
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Aug  1 01:11:37 www named[1773]: Cleaned cache of 74 Rrsets
Aug  1 01:11:37 www named[1773]: USAGE 996653497 995365510 CPU=44.67u/70.72s CHILDCPU=0u/0s
Aug  1 01:11:37 www named[1773]: NSTATS Buncha Numbers Here 0=1 A=32099 CNAME=216 SOA=165 PTR=39284 MX=5406 TXT=17 AAAA=89 38=16 ANY=14046
Aug  1 01:11:37 www named[1773]: XSTATS Buncha Numbers Here RR=19498 RNXD=1829 RFwdR=12473 RDupR=45 RFail=80 RFErr=0 RErr=103 RAXFR=0 RLame=421 ROpts=0 SSysQ=5662 SAns=90738 SFwdQ=11095 SDupQ=1050 SErr=0 RQ=91797 RIQ=7 RFwdQ=11095 RDupQ=58 RTCP=42 SFwdR=12473 SFail=2 SFErr=0 SNaAns=17069 SNXD=5437 RUQ=0 RURQ=0 RUXFR=0 RUUpd=0
more different stuff, RaQ checking every 15 minutes for ftp services, etc...

I get this often; is this a CNAME exploit?
Aug  1 01:42:49 www named[1773]: ns_forw: query(85.197.241.203.in-addr.arpa) NS points to CNAME (ns.kren.ne.kr:) learnt (CNAME=211.216.50.150:NS=202.12.28.131)
Aug  1 01:42:50 www named[1773]: Lame server on '85.197.241.203.in-addr.arpa' (in '241.203.in-addr.arpa'?): [211.216.50.150].53 'ns.kornet.ne.kr'
Aug  1 01:42:50 www proftpd[27864]: xx.xx.xxx.xxx (media.dongeui.ac.kr[203.241.197.85]) - FTP session opened.
Aug  1 01:42:50 www proftpd[27863]: xx.xx.xxx.xx1 (media.dongeui.ac.kr[203.241.197.85]) - FTP session opened.
Aug  1 01:42:50 www proftpd[27859]: xx.xx.xxx.xx2 (media.dongeui.ac.kr[203.241.197.85]) - FTP session opened.
Aug  1 01:42:50 www proftpd[27860]: xx.xx.xxx.xx3 (media.dongeui.ac.kr[203.241.197.85]) - FTP session opened.
Aug  1 01:42:50 www proftpd[27865]: xx.xx.xxx.xx4 (media.dongeui.ac.kr[203.241.197.85]) - FTP session opened.
Aug  1 01:42:50 www proftpd[27869]: xx.xx.xxx.xx5 (media.dongeui.ac.kr[203.241.197.85]) - FTP session opened.
Aug  1 01:42:51 www proftpd[27864]: xx.xx.xxx.xxx (media.dongeui.ac.kr[203.241.197.85]) - FTP session closed.
Aug  1 01:42:51 www proftpd[27859]: xx.xx.xxx.xx1 (media.dongeui.ac.kr[203.241.197.85]) - FTP session closed.
Aug  1 01:42:51 www proftpd[27860]: xx.xx.xxx.xx2 (media.dongeui.ac.kr[203.241.197.85]) - FTP session closed.
Aug  1 01:42:51 www proftpd[27862]: xx.xx.xxx.xx3 (media.dongeui.ac.kr[203.241.197.85]) - FTP session opened.
Aug  1 01:42:51 www proftpd[27865]: xx.xx.xxx.xx7 (media.dongeui.ac.kr[203.241.197.85]) - FTP session closed.
Aug  1 01:42:51 www proftpd[27869]: xx.xx.xxx.xx4 (media.dongeui.ac.kr[203.241.197.85]) - FTP session closed.
Aug  1 01:42:51 www proftpd[27862]: xx.xx.xxx.xx5
Etc., this continued for a while. This comes and goes.

I apologize in advance for this lengthy post. I have been holding in a lot of questions while I figured out the issues from researching the "incredible" archives. Any input would be invaluable and of course helpful and put my mind at ease.

Just another 'Internet Appliance' user who thought it would be simple and then started having fun with Linux.

Thanks in advance,
Troy, CobaltUser@xxxxxxxxxxx

PS Try Beamish and Harp... a lot of true Irish prefer it for its smoother flavor. Over here in Lake Tahoe, CA you can get it just about any grocery.
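As an added example (not code from the post above, from logcheck or from Cobalt), here is a small triage script for the three kinds of entries the post quotes: the sendmail `check_rcpt`/`check_mail` rejects and localhost NOQUEUE lines, the `gethostbyaddr(...) failed: 1` lines, and the proftpd session storm. It parses each format, groups rejects by remote address, and flags a burst of FTP sessions from one host. `SAMPLE_LOG` is constructed from the post's own entries with the masked addresses replaced by reserved documentation values (`203.0.113.x`, `198.51.100.x`, `example.invalid`); the burst thresholds and the suggested `ipchains` rule format are assumptions to adjust for your box.

```python
"""Triage of logcheck entries in the formats quoted in the post.

Added example, not code from the post, logcheck or Cobalt. Addresses in
SAMPLE_LOG are constructed; thresholds and the ipchains rule are assumptions.
"""
import re
from collections import defaultdict

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
TS = r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+)\s+(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \S+ "

# check_rcpt 'reject=450 4.7.1 ... Relaying temporarily denied' = a relay attempt
# that was refused; check_mail 'reject=501 5.1.8' = MAIL FROM domain has no DNS.
SENDMAIL_REJECT = re.compile(
    TS + r"sendmail\[\d+\]: \S+: ruleset=(?P<ruleset>\w+), arg1=<[^>]*>, "
    r"relay=(?:\S+ )?\[(?P<rip>[\d.]+)\], reject=(?P<code>\d{3}) (?P<dsn>\S+)")
# Something on 127.0.0.1 connected to port 25 and hung up without a command.
NOQUEUE_LOCAL = re.compile(
    TS + r"sendmail\[\d+\]: NOQUEUE: localhost \[127\.0\.0\.1\] did not issue MAIL")
# 'failed: 1' is h_errno HOST_NOT_FOUND: the peer address has no PTR record.
PTR_FAIL = re.compile(TS + r"sendmail\[\d+\]: gethostbyaddr\((?P<ip>[^)]+)\) failed: 1")
PROFTPD = re.compile(
    TS + r"proftpd\[\d+\]: \S+ \([^\[]*\[(?P<rip>[\d.]+)\]\) - FTP session (?P<event>opened|closed)")

SAMPLE_LOG = """\
Aug  1 04:15:07 www sendmail[2281]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Aug  1 04:20:31 www sendmail[2635]: f71BKV602635: ruleset=check_rcpt, arg1=<michaelg@example.invalid>, relay=[211.108.240.2], reject=450 4.7.1 <michaelg@example.invalid>... Relaying temporarily denied. Cannot resolve PTR record for 211.108.240.2
Aug  1 05:30:03 www sendmail[5497]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Aug  1 05:34:31 www sendmail[5677]: f71CYV605677: ruleset=check_mail, arg1=<online2success@example.invalid>, relay=ns.ssbiobio.co.cl [208.197.136.99], reject=501 5.1.8 <online2success@example.invalid>... Domain of sender address online2success@example.invalid does not exist
Aug  1 08:55:14 www sendmail[14657]: gethostbyaddr(198.51.100.7) failed: 1
Aug  1 08:55:14 www sendmail[14657]: gethostbyaddr(198.51.100.8) failed: 1
Aug  1 08:55:15 www sendmail[14660]: gethostbyaddr(198.51.100.7) failed: 1
Aug  1 19:59:19 www sendmail[10894]: f722xJ610894: ruleset=check_mail, arg1=<guardian@example.invalid>, relay=[66.115.19.36], reject=501 5.1.8 <guardian@example.invalid>... Domain of sender address guardian@example.invalid does not exist
Aug  1 01:42:50 www proftpd[27864]: 203.0.113.10 (media.dongeui.ac.kr[203.241.197.85]) - FTP session opened.
Aug  1 01:42:50 www proftpd[27863]: 203.0.113.10 (media.dongeui.ac.kr[203.241.197.85]) - FTP session opened.
Aug  1 01:42:50 www proftpd[27859]: 203.0.113.10 (media.dongeui.ac.kr[203.241.197.85]) - FTP session opened.
Aug  1 01:42:50 www proftpd[27860]: 203.0.113.10 (media.dongeui.ac.kr[203.241.197.85]) - FTP session opened.
Aug  1 01:42:50 www proftpd[27865]: 203.0.113.10 (media.dongeui.ac.kr[203.241.197.85]) - FTP session opened.
Aug  1 01:42:50 www proftpd[27869]: 203.0.113.10 (media.dongeui.ac.kr[203.241.197.85]) - FTP session opened.
Aug  1 01:42:51 www proftpd[27864]: 203.0.113.10 (media.dongeui.ac.kr[203.241.197.85]) - FTP session closed.
Aug  1 01:42:51 www proftpd[27862]: 203.0.113.10 (media.dongeui.ac.kr[203.241.197.85]) - FTP session opened.
Aug  1 01:45:00 www proftpd[28001]: 203.0.113.10 (mirror.example.invalid[198.51.100.9]) - FTP session opened.
"""


def to_seconds(m):
    """Seconds since the start of the (unlogged) year; enough to order entries."""
    return ((MONTHS.index(m.group("mon")) * 31 + int(m.group("day"))) * 86400
            + int(m.group("h")) * 3600 + int(m.group("m")) * 60 + int(m.group("s")))


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any `window`-second span."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def triage(text, burst_n=5, burst_window=10):
    """Classify logcheck lines; a host opening >= burst_n FTP sessions in
    burst_window seconds is reported as a burst (thresholds are assumed)."""
    rejects = defaultdict(lambda: defaultdict(int))
    ptr_failures = defaultdict(int)
    ftp_opens = defaultdict(list)
    local_noqueue = 0
    for line in text.splitlines():
        if (m := SENDMAIL_REJECT.match(line)):
            rejects[m.group("rip")][m.group("ruleset")] += 1
        elif NOQUEUE_LOCAL.match(line):
            local_noqueue += 1
        elif (m := PTR_FAIL.match(line)):
            ptr_failures[m.group("ip")] += 1
        elif (m := PROFTPD.match(line)) and m.group("event") == "opened":
            ftp_opens[m.group("rip")].append(to_seconds(m))
    bursts = [(rip, n) for rip, times in ftp_opens.items()
              if (n := max_in_window(times, burst_window)) >= burst_n]
    return {"sendmail_rejects": {ip: dict(v) for ip, v in rejects.items()},
            "local_noqueue": local_noqueue,
            "ptr_failures": dict(ptr_failures),
            "ftp_bursts": bursts}


def ipchains_rules(result):
    """Candidate ipchains input-chain denies (with logging) for burst sources.
    Review before loading with your other rules; per-address denies are a stopgap."""
    return ["ipchains -A input -s %s -j DENY -l" % rip for rip, _ in result["ftp_bursts"]]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("sendmail rejects by relay:", result["sendmail_rejects"])
    print("local NOQUEUE probes:", result["local_noqueue"])
    print("peers with no PTR record:", result["ptr_failures"])
    print("FTP bursts:", result["ftp_bursts"])
    print("\n".join(ipchains_rules(result)))
```

Run it against a real `/var/log/maillog` by feeding the file contents to `triage()`. The design point is that every sendmail line quoted in the post is a rejection, so the server already did the right thing; what the summary adds is the per-source count, which is what tells you whether one relay is hammering you (worth a firewall rule) or whether it is background noise (worth nothing but a filter in logcheck's ignore list). The localhost NOQUEUE entries and the `failed: 1` lookups are treated as informational for the same reason: the first is a connection on 127.0.0.1 that sent no commands, the second is a remote address with no reverse DNS, neither of which is a DNS outage on your side.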
