François Conza wrote:
> I receive this log by mail from my server but don't understand.
> In my /etc/hosts.deny I have:
> --------------------------------------------
>
> ALL:ALL:spawn (safe_finger -l @%h | mail -s %u-%c root) &:banners /usr/local/etc/banners/deny
> portmap: ALL

Your portmap: ALL rule will never be reached; the first line makes it redundant.

> This is a mail from my server:
> --------------------------------------------
>
> [212.184.103.11]
> Login: operator                 Name: operator
> Directory: /root                Shell: /bin/sh
> On since Mon Jan 22 08:56 (CET) on pts/0 from 212.93.151.66
>    41 minutes 26 seconds idle
> No mail.
> No Plan.
>
> --------------------------------------------
>
> What does this mean? Do I have a back door in my server?
> What can I do?

No, this is what safe_finger returned; it's part of the output you asked for in your hosts.deny. Some fool at 212.184.103.11 has a finger daemon running; beyond that the information isn't horribly useful, we don't know that the finger daemon is telling you the truth.

If you ask me, spawning safe_finger is a waste of time: it provides no trustworthy information and generally only alerts a would-be attacker to the fact that you have automata that returns a probe when tickled. If you really want to use tcp_wrappers to notify of abnormal access attempts, I suggest using something more like this:

    ALL: ALL: spawn (mail -s "%s access attempt from %h" </dev/null) &

If you don't trust your resolver you should probably change %h to %a.

> This is an nmap on my server

If you don't need it, don't run it. Try identifying all the processes which are using those ports using "lsof" and "netstat -taup"; anything you don't need you should disable.

-- 
Jamie Heilman                     http://audible.transient.net/~jamie/
"It's almost impossible to overestimate the unimportance of most things."
                                                        -John Logue
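Two checks that follow from the advice in the reply above, added here as an example; this is not code from the original thread. The hosts.deny contents and the netstat listing are constructed samples (the IPs are documentation addresses), and the function names shadowed_rules and unexpected_listeners are my own. The first check shows why the "portmap: ALL" rule is dead: tcp_wrappers takes the first matching rule in a file, so nothing after an "ALL: ALL" line is ever consulted. The second applies "anything you don't need you should disable" to a netstat -taup listing by diffing the listening ports against an explicit allow-list.

```shell
#!/bin/sh
# Added example, not from the original thread.  Two checks that follow from
# the advice above: (1) tcp_wrappers uses the first matching rule in a file,
# so any rule after "ALL: ALL" in hosts.deny is dead; (2) list listening
# sockets that are not on an explicit allow-list so they can be disabled.

# Constructed hosts.deny, modelled on the one in the thread: the second and
# third rules are shadowed by the first and will never be reached.
SAMPLE_HOSTS_DENY='# deny everything and mail root about it
ALL: ALL: spawn (mail -s "%s access attempt from %a" </dev/null) &
portmap: ALL
sshd: .example.com'

# Print every rule that follows a rule whose daemon list and client list are
# both ALL.  Assumes one rule per line (no backslash continuations).
shadowed_rules() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        seen_all                 { print; next }   # everything after ALL: ALL
        {
            d = $1; c = $2
            gsub(/[ \t]/, "", d); gsub(/[ \t]/, "", c)
            if (d == "ALL" && c == "ALL") seen_all = 1
        }'
}

# Constructed listing in the layout of "netstat -taup -n" (numeric ports,
# PID/Program column from -p).  udp rows have no State column.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      512/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      398/portmap
tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN      610/inetd
tcp        0      0 192.0.2.10:22           198.51.100.7:41230      ESTABLISHED 733/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           398/portmap'

# Print "proto port pid/program" for each listening socket whose port is not
# in the space-separated allow-list passed as $1.  Established connections are
# skipped; every udp socket counts as listening.
unexpected_listeners() {
    awk -v allow=" $1 " '
        $1 ~ /^(tcp|udp)/ && ($1 ~ /^udp/ || $6 == "LISTEN") {
            n = split($4, a, ":"); port = a[n]
            if (index(allow, " " port " ") == 0) print $1, port, $NF
        }'
}

# Stand-alone run: the dead hosts.deny rules, then everything listening
# besides ssh (port 22).
printf '%s\n' "$SAMPLE_HOSTS_DENY" | shadowed_rules
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22"
```

On a real host, feed shadowed_rules with /etc/hosts.deny and unexpected_listeners with the live output of netstat -taup -n (or ss -tulpn on current Linux) and an allow-list of the ports you actually serve; anything it prints is a candidate for disabling, and the PID/program column tells you which daemon or inetd entry to turn off.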

