Chae wrote:
> Is it just a coincidence that the
> syslogd was activated before and after attempts to access the server via
> FTP?

It is a coincidence. Also, you are misunderstanding the logcheck results. First it lists security violations, the most suspicious activity. Then it lists unusual system events, which are less suspicious but may still indicate a problem. Note that the second list *includes everything in the first list*. So you're not seeing repeated attacks; if you look more carefully at the datestamps, you're seeing the same probes in two lists - the first list picking up the "login failed" messages only, the second picking up both those and the corresponding "FTP session closed" events.

It just happens that the first thing that happens on the unusual system events list is that syslogd restarts. It does this every morning at 4am or so, depending on your setup. If you look at the timestamp of the events, you'll see that they all occur *after* the restart - this is because when syslog restarts, the log is rotated, and the logcheck is generated and sent off to you, so anything that happens before was sent to you yesterday.

So just to conclude, the events aren't related; if you look at any of your previous logcheck emails, you'll see that syslogd restarting is the first "unusual system event" every time. And all these FTP attempts (connection opened, login failed, connection closed) failed to get in, and are listed twice. Logcheck does not give you the whole thing in time order - look at the timestamps to work that out.

Hope this helps,
Stephen

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
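The reading described in the reply above (merge both lists, drop the lines that are listed twice, then order by timestamp), as an added example that is not part of the original post. The report body, host name, PIDs and times are constructed, and the `=-=-` underlined section headings are an assumption about the logcheck mail layout.

```python
from datetime import datetime

# Constructed sample of a logcheck mail body (host, PIDs and times are made up).
REPORT = """\
Security Violations
=-=-=-=-=-=-=-=-=-=
Mar  3 04:17:22 www proftpd[2101]: USER admin: Login failed.
Mar  3 04:19:40 www proftpd[2107]: USER root: Login failed.

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Mar  3 04:02:01 www syslogd 1.3-3: restart.
Mar  3 04:17:22 www proftpd[2101]: USER admin: Login failed.
Mar  3 04:17:25 www proftpd[2101]: FTP session closed.
Mar  3 04:19:40 www proftpd[2107]: USER root: Login failed.
Mar  3 04:19:43 www proftpd[2107]: FTP session closed.
"""

def parse_sections(report):
    """Map each section title (the line above a =-= rule) to its log lines."""
    lines = report.splitlines()
    sections, current = {}, None
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("=-="):
            current = sections.setdefault(line.strip(), [])
        elif current is not None and line.strip() and not line.startswith("=-="):
            current.append(line)
    return sections

def stamp(line):
    # Syslog timestamps carry no year; 2000 is an arbitrary placeholder year.
    return datetime.strptime("2000 " + line[:15], "%Y %b %d %H:%M:%S")

def timeline(report):
    """Merge all sections, drop lines listed twice, and sort by timestamp."""
    unique = {l for lines in parse_sections(report).values() for l in lines}
    return sorted(unique, key=lambda l: (stamp(l), l))

def summarize(report):
    """Count real events once and check that the syslogd restart comes first."""
    secs = parse_sections(report)
    unusual = secs.get("Unusual System Events", [])
    events = timeline(report)
    return {
        "listed_twice": [l for l in secs.get("Security Violations", []) if l in unusual],
        "failed_logins": sum("Login failed" in l for l in events),
        "restart_first": bool(events) and "syslogd" in events[0] and "restart" in events[0],
    }
```

On the sample, seven report lines collapse to five distinct events: one syslogd restart followed by two failed FTP logins and their session closes.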
