On Tue, 23 Nov 1999, Devin Vo wrote:
> I think I have someone attempting to break into my Linux box. I see these
> messages in /var/log/messages
>
> "Nov 22 19:03:54 telnetd[2786]: ttloop: read: Connection reset by peer"
>
> I don't think he got in but I like to know what this message means.
>
> Thanks
I also have here a Linux box made by Cobalt Microsystems.
It has a monitoring software that tests every so many
minutes for the working of the various components, such
as the ftp server, the telnet server, the POP3 server,
IMAP and so on. In other words, the monitor program
attempts to log into those services every so many
minutes.
When the login prompt is received by the monitor, the
monitor assumes the service is working and it terminates
the connection. The log file then shows the message
you quoted above.
So what it means is that someone tried to log in, and
got the login prompt, but he then terminated the
connection (reset by peer) without attempting to supply
a username and password.
This could have been done by an automatic program to find
open ports, or it could have been done manually by
someone for whatever reason which I leave to your imagination.
Often it is legit, like someone trying to get POP3 mail
but forgetting to supply the port 110, i.e., telnet
mail.nook.net instead of telnet mail.nook.net 110. Get
the idea?
It also means that your telnet port, 23, is open in ways
that you probably do not intend. In your case it
means your tcp wrapper (inetd) program is allowing the
telnet port 23 to be open to possibly unintended persons.
If your port is closed outside your network, then the
attempt at login came from WITHIN your network. Check
your /etc/hosts.allow and /etc/hosts.deny files to see
if things are properly set up.
If you think you are properly set up and want it tested,
you can send me a private email with your host name and
IP and I can probe it for you from outside your network
and see what results I get. If indeed the port is
closed and does not result in the message "reset by
peer" then the cause is from within your network, or
even within your machine from some rampant program.
You are doing the right thing by reading your log files
and finding things like this.
--
Ramon Gandia ============= Sysadmin ============== Nook Net
http://www.nook.net [EMAIL PROTECTED]
285 West First Avenue tel. 907-443-7575
P.O. Box 970 fax. 907-443-2487
Nome, Alaska 99762-0970 ==== Alaska Toll Free. 888-443-7525
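A way to triage these lines in bulk, as an added example that is not from the original thread: it parses constructed /var/log/messages lines in the format quoted above, joins each telnetd reset to the peer address from tcpd's "connect from" line by PID (assuming the daemon was started through the wrapper and keeps that PID), and reports the spacing of resets per peer, so a monitor polling every few minutes is told apart from a one-off probe.

```python
import re
from datetime import datetime

# Constructed sample in the 1999-style /var/log/messages format of the quoted line (no year,
# no hostname). Three resets from 10.0.0.9 arrive every five minutes, as a service monitor
# would produce; two from 192.0.2.44 arrive seconds apart. "connect from" is tcpd's accept line.
SAMPLE_LOG = """\
Nov 22 18:53:53 in.telnetd[2731]: connect from 10.0.0.9
Nov 22 18:53:54 telnetd[2731]: ttloop: read: Connection reset by peer
Nov 22 18:58:53 in.telnetd[2760]: connect from 10.0.0.9
Nov 22 18:58:54 telnetd[2760]: ttloop: read: Connection reset by peer
Nov 22 19:03:53 in.telnetd[2786]: connect from 10.0.0.9
Nov 22 19:03:54 telnetd[2786]: ttloop: read: Connection reset by peer
Nov 22 19:04:01 in.telnetd[2790]: connect from 192.0.2.44
Nov 22 19:04:02 telnetd[2790]: ttloop: read: Connection reset by peer
Nov 22 19:04:04 in.telnetd[2791]: connect from 192.0.2.44
Nov 22 19:04:05 telnetd[2791]: ttloop: read: Connection reset by peer
Nov 22 19:04:30 sendmail[2795]: alias database /etc/aliases rebuilt
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+?)\[(\d+)\]: (.*)$")
CONNECT_RE = re.compile(r"^connect from (\S+)$")
RESET_MSG = "ttloop: read: Connection reset by peer"

def parse_resets(text, year=1999):
    """Return [(timestamp, pid, peer)] per telnetd reset. The reset line names no peer,
    so the address is joined from the tcpd line with the same PID (None if there is none)."""
    peers, resets = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, prog, pid, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        c = CONNECT_RE.match(msg)
        if c:
            peers[pid] = c.group(1)
        elif prog == "telnetd" and msg == RESET_MSG:
            resets.append((when, pid, peers.get(pid)))
    return resets

def gaps_by_peer(resets):
    """Seconds between consecutive resets from the same peer: a monitor gives a flat
    series such as [300, 300]; a port probe gives one or two hits seconds apart."""
    times = {}
    for when, _pid, peer in resets:
        times.setdefault(peer, []).append(when)
    return {peer: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for peer, ts in times.items()}
```

Run `gaps_by_peer(parse_resets(open("/var/log/messages").read()))` on a real file; a peer with no "connect from" line groups under None, which itself tells you telnetd is not going through the wrapper.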