Tracking Remote Access

tcpd uses the authpriv facility of syslogd to log its messages. Look in the /etc/syslog.conf file to find out where your system logs authpriv messages. For example, the messages shown in Listing 12.1 are logged to /var/log/secure.

Listing 12.1: The tcpd Security Log

    # cat /var/log/secure
    Jun  9 08:09 owl login: ROOT LOGIN ON tty1
    Jun  9 08:48 owl login: LOGIN ON tty1 BY craig
    Jun 11 00:48 owl in.telnetd[950]: connect from 172.19.50.52
    Jun 11 00:48 owl login: LOGIN ON 1 BY craig FROM beaver.example.org
    Jun 12 01:11 owl in.telnetd[3467]: connect from 127.0.0.1
    Jun 12 01:11 owl login: LOGIN ON 2 BY craig FROM localhost
    Jun 12 01:19 owl imapd[3489]: connect from 127.0.0.1
    Jun 14 10:23 owl in.telnetd[2090]: connect from 172.19.24.1
    Jun 14 10:23 owl login: LOGIN ON 1 BY craig FROM cat.example.org
    Jun 15 14:30 owl in.ftpd[10201]: connect from sr1.sybex.com
    Jun 16 05:27 owl in.rshd[6434]: connect from 172.19.60.22
    Jun 17 20:20 owl login: ROOT LOGIN ON tty1
    Jun 17 14:54 owl in.telnetd[1388]: connect from 172.19.50.52
    Jun 17 14:54 owl login: LOGIN ON 2 BY craig FROM beaver.example.org
    Jun 18 14:28 owl in.ftpd[10190]: refused connect from 172.25.98.2

This sample /var/log/secure file shows that not everything in this log comes from tcpd. It also contains messages from login. Reading the two kinds of messages together can provide some useful insight.

The logins on June 9 are from the system console. The first message from tcpd is the telnet connection on June 11. The message tells you that someone used telnet to connect to owl from IP address 172.19.50.52. The login message that follows tells you that the person logged in as craig, and that the hostname associated with the remote IP address is beaver.example.org. If this is what you expect, there is nothing to be concerned about.

In this particular file, the message that draws our attention occurred on June 16. tcpd reports that someone accessed the system through remote shell (rshd) from IP address 172.19.60.22 on that date. The remote shell can be used to remotely execute commands on your system, so it can be a powerful tool for intruders. Most systems do not even allow remote shell. If you don't believe that remote shell is configured on your system, if you don't recognize the IP address, or if you don't understand why someone at that address would be running a remote shell to your system, you should be concerned. Watch the log to see if a pattern develops.

Of less concern is the message from June 18 that shows a failed attempt to connect to ftp. This bears watching if it occurs frequently, but it is not yet a problem because the connection was refused based on the tcpd wrapper's access-control configuration.
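The reading of Listing 12.1 above can be turned into a small checker. The following Python script is an added example, not part of the book or of the tcpd package: it parses lines in the month/day/time/host/program format shown in the listing, pairs each remote login message with the tcpd connect message that immediately precedes it, and reports the three things the text singles out, namely a connection to a service you do not expect to be offering (in.rshd by default), a root login, and a source address that has been refused repeatedly. The log lines embedded in it are constructed in the same format as the listing; the service list and the refusal threshold are assumptions you would adjust for your own system.

```python
"""Flag noteworthy tcpd and login messages in a /var/log/secure-style log."""
import re
from collections import Counter

# Constructed sample lines in the format of Listing 12.1 (not a real log).
SAMPLE_LOG = """\
Jun 11 00:48 owl in.telnetd[950]: connect from 172.19.50.52
Jun 11 00:48 owl login: LOGIN ON 1 BY craig FROM beaver.example.org
Jun 15 14:30 owl in.ftpd[10201]: connect from sr1.sybex.com
Jun 16 05:27 owl in.rshd[6434]: connect from 172.19.60.22
Jun 17 20:20 owl login: ROOT LOGIN ON tty1
Jun 18 14:28 owl in.ftpd[10190]: refused connect from 172.25.98.2
Jun 18 14:29 owl in.ftpd[10191]: refused connect from 172.25.98.2
Jun 18 14:30 owl in.ftpd[10192]: refused connect from 172.25.98.2
"""

# "Mon dd HH:MM host prog[pid]: message" (seconds omitted, as in the listing).
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d+)\s+(?P<time>[\d:]+)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[\w.]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$"
)
TCPD_RE = re.compile(r"^(?P<refused>refused )?connect from (?P<src>\S+)$")
ROOT_RE = re.compile(r"^ROOT LOGIN ON (?P<tty>\S+)$")
LOGIN_RE = re.compile(r"^LOGIN ON (?P<tty>\S+) BY (?P<user>\S+)(?: FROM (?P<from>\S+))?$")


def parse_line(line):
    """Split one log line into its fields; return None for unrecognised lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def analyze(log_text, unexpected_services=("in.rshd",), refused_threshold=3):
    """Return a list of findings, in log order, for the things worth a look.

    unexpected_services and refused_threshold are assumed policy values."""
    findings = []
    refused_by_src = Counter()
    last_connect = None  # (when, service, src) of the most recent accepted connect
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        when = f"{rec['month']} {rec['day']} {rec['time']}"
        t = TCPD_RE.match(rec["msg"])
        if t:  # a tcpd message
            src = t.group("src")
            if t.group("refused"):
                refused_by_src[src] += 1
                if refused_by_src[src] == refused_threshold:
                    findings.append({"kind": "repeated_refused", "when": when,
                                     "service": rec["prog"], "src": src,
                                     "count": refused_threshold})
            else:
                last_connect = (when, rec["prog"], src)
                if rec["prog"] in unexpected_services:
                    findings.append({"kind": "unexpected_service", "when": when,
                                     "service": rec["prog"], "src": src})
            continue
        if rec["prog"] != "login":
            continue
        if ROOT_RE.match(rec["msg"]):
            findings.append({"kind": "root_login", "when": when,
                             "tty": ROOT_RE.match(rec["msg"]).group("tty")})
            continue
        lm = LOGIN_RE.match(rec["msg"])
        if lm and lm.group("from"):
            # Pair the login with the tcpd connect logged at the same time,
            # which supplies the IP address behind the FROM hostname.
            service, src = (last_connect[1], last_connect[2]) \
                if last_connect and last_connect[0] == when else (None, None)
            findings.append({"kind": "remote_login", "when": when,
                             "user": lm.group("user"), "from": lm.group("from"),
                             "service": service, "src": src})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Run against a real file, the script would read /var/log/secure instead of SAMPLE_LOG; the pairing of a login with the preceding connect relies only on the identical timestamps that the listing shows for each telnet session, so a login with no matching connect is reported with an empty source, which is itself worth noticing.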

If logging were all it did, tcpd would be a useful package. But the real power of this tool is its ability to control access to network services.
