[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: : [cobalt-security] [RaQ4] Good logchecker.ignore file for RaQ4i
- Subject: Re: : [cobalt-security] [RaQ4] Good logchecker.ignore file for RaQ4i
- From: David Lucas <david@xxxxxxxxxxxxxxxx>
- Date: Wed, 30 Jan 2002 01:00:49 -0600
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
At 03:10 AM 1/30/2002, you wrote:
I had the exact same
issue when I ran Logcheck. I noticed that every 15 min SWATCH would open
an FTP port then close it then it would give me a mail error. I could not
figure out what it was doing. I check the FTP log and seen that no file
left or came in while SWATCH opened the port. Here is a sample
below;
Jan 28 01:00:01 www proftpd[27107]:
www.xxxx.com (localhost[127.0.0.1]) -
FTP session opened.
Jan 28 01:00:01 www proftpd[27107]:
www.xxxx.com (localhost[127.0.0.1]) -
FTP session closed.
Jan 28 01:00:03 www sendmail[27110]: NOQUEUE: localhost [127.0.0.1] did
not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
This is just a sample. This happened every 15
min. 127.0.0.1 is my loopback address. I found an entry in my crontab
file that called SWATCH every 15 min. I basically put a # in front of it,
restarted crond and everything stopped.
Can anyone shed any light on this? Other than
my log files are now quiet I have noticed no difference since I remarked
out the command
Chris Williams
The purpose of the entry is to check and see if your ftp server is
working. Duh. Where do you think the info come from in the
System Status screen of the GUI????
You can get it to stop being sent in your report by adding the following
to your logcheck.ignore file.
in.proftpd*: connect from localhost
in.proftpd.*: connect from 127.0.0.1
proftpd.*:
www.yourdomain.com(localhost*)
#replace the yourdomain with your domain
I think the first two will stop it.
I'd send my entire file, but I don't want it posted for all.