
Re: [cobalt-security] Is this coincidence or what - FTP Scans
Chae wrote:
> Is it just a coincidence that the
> syslogd was activated before and after attempts to access the server via
> FTP?

It is a coincidence. Also, you are misunderstanding the logcheck results.

First it lists security violations, the most suspicious activity. Then it
lists unusual system events which are less suspicious, but may still
indicate a problem. Note that the second list *includes everything in the
first list*.

So you're not seeing repeated attacks; if you look more carefully at the
datestamps, you're seeing the same probes in two lists - the first list
picking up the "login failed" messages only, the second picking up both
those and the corresponding "FTP session closed" events.

It just happens that the first thing that happens on the unusual system
events list is that syslogd restarts. It does this every morning at 4am or
so, depending on your setup. If you look at the timestamp of the events,
you'll see that they all occur *after* the restart - this is because when
syslog restarts, the log is rotated, and the logcheck is generated and sent
off to you, so anything that happens before was sent to you yesterday.

So just to conclude, the events aren't related; if you look at any of your
previous logcheck emails, you'll see that syslogd restarting is the first
"unusual system event" every time. And all these FTP attempts (connection
opened, login failed, connection closed) failed to get in, and are listed
twice; logcheck does not give you the whole thing in time order - look at
the timestamps to work out that.

Hope this helps,
Stephen
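To make the behaviour Stephen describes concrete, here is an added example (not part of the thread and not logcheck's own code) that models a logcheck-style report: a narrow "security violations" pattern set, a wider "unusual system events" set that is a superset of it, and a merge back into timestamp order so the doubled FTP entries and the 4am syslogd restart can be checked against each other. The log lines and the regex patterns are constructed for illustration and assumed, not taken from the poster's report.

```python
import re
from datetime import datetime

# Constructed sample syslog lines modelled on the events the reply describes
# (syslogd restart after log rotation, then two failed FTP logins). Not real data.
SAMPLE_LOG = """\
Mar 14 04:02:11 host syslogd 1.3-3: restart.
Mar 14 09:15:02 host ftpd[1201]: FTP session opened from 203.0.113.5
Mar 14 09:15:04 host ftpd[1201]: FTP LOGIN FAILED (bad password) from 203.0.113.5
Mar 14 09:15:05 host ftpd[1201]: FTP session closed
Mar 14 11:40:30 host ftpd[1310]: FTP session opened from 198.51.100.7
Mar 14 11:40:33 host ftpd[1310]: FTP LOGIN FAILED (no such user) from 198.51.100.7
Mar 14 11:40:34 host ftpd[1310]: FTP session closed
"""

# Hypothetical patterns standing in for logcheck's rule files: the "security
# violations" set is narrower than the "unusual system events" set.
VIOLATION_PATTERNS = [r"LOGIN FAILED"]
UNUSUAL_PATTERNS = [r"LOGIN FAILED", r"FTP session (opened|closed)", r"syslogd.*restart"]

def _matches(line, patterns):
    return any(re.search(p, line, re.IGNORECASE) for p in patterns)

def classify(log_text):
    """Return (violations, unusual) in log order. Every violation also appears
    in 'unusual', which is why the same probe shows up twice in the report."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    violations = [l for l in lines if _matches(l, VIOLATION_PATTERNS)]
    unusual = [l for l in lines if _matches(l, UNUSUAL_PATTERNS)]
    return violations, unusual

def timestamp(line, year=2001):
    """Parse the syslog prefix 'Mon DD HH:MM:SS'; syslog omits the year, so assume one."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def merged_timeline(log_text):
    """Deduplicate the two lists and order by timestamp, as the reply advises."""
    violations, unusual = classify(log_text)
    return sorted(set(violations) | set(unusual), key=timestamp)

def all_after_restart(log_text):
    """Check the reply's claim: every reported event follows the syslogd restart."""
    timeline = merged_timeline(log_text)
    restart = next(l for l in timeline if re.search(r"syslogd.*restart", l))
    return all(timestamp(l) >= timestamp(restart) for l in timeline)
```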