Thanks for the explanation.
1. It's definitely coming from the outside (IP address in my "secure" log).
2. Whoever is attempting it is not doing so by mistake, because they keep coming back.
3. The telnet port is open because I need to log in to the machine while away
from home.
4. A connect-and-disconnect attempt gives a different message (whether you
enter a user/passwd or not):
"login: FAILED LOGIN SESSION FROM"
Again, I don't think they made it in, but seeing them coming back every day
bothers me.
----- Original Message -----
From: Ramon Gandia <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 23, 1999 1:59 PM
Subject: Re: [expert] Security
> On Tue, 23 Nov 1999, Devin Vo wrote:
> > I think I have someone attempting to break into my Linux box. I see these
> > messages in /var/log/messages
> >
> > "Nov 22 19:03:54 telnetd[2786]: ttloop: read: Connection reset by
> > peer"
> >
> > I don't think he got in but I like to know what this message means.
> >
> > Thanks
>
> I also have here a Linux box made by Cobalt Microsystems.
> It has a monitoring software that tests every so many
> minutes for the working of the various components, such
> as the ftp server, the telnet server, the POP3 server,
> IMAP and so on. In other words, the monitor program
> attempts to log into those services every so many
> minutes.
>
> When the login prompt is received by the monitor, the
> monitor assumes the service is working and it terminates
> the connection. The Log file then shows the message
> you quoted above.
>
> So what it means is that someone tried to log in, and
> got the login prompt, but he then terminated the
> connection (reset by peer) without attempting to supply
> a username and password.
>
> This could have been done by an automatic program to find
> open ports, or it could have been done manually by
> someone for whatever reason which I leave to your imagination.
> Often it is legit, like someone trying to get POP3 mail
> but forgetting to supply port 110, i.e., telnet
> mail.nook.net instead of telnet mail.nook.net 110. Get
> the idea?
>
> It also means that your telnet port, 23, is open in ways
> that you probably do not intend. In your case it
> means your tcp wrapper (inetd) program is allowing the
> telnet port 23 to be open to possibly unintended persons.
> If your port is closed outside your network, then the
> attempt at login came from WITHIN your network. Check
> your /etc/hosts.allow and /etc/hosts.deny files to see
> if things are properly set up.
>
> If you think you are properly set up and want it tested,
> you can send me a private email with your host name and
> IP and I can probe it for you from outside your network
> and see what results I get. If indeed the port is
> closed and does not result in the message "reset by
> peer", then the cause is from within your network, or
> even within your machine from some rampant program.
>
> You are doing the right thing by reading your log files
> and finding things like this.
>
>
> --
> Ramon Gandia ============= Sysadmin ============== Nook Net
> http://www.nook.net [EMAIL PROTECTED]
> 285 West First Avenue tel. 907-443-7575
> P.O. Box 970 fax. 907-443-2487
> Nome, Alaska 99762-0970 ==== Alaska Toll Free. 888-443-7525
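The two checks the thread converges on, reading the logs to tell a bare connect-and-disconnect ("ttloop: read: Connection reset by peer") from a real credential attempt ("FAILED LOGIN SESSION FROM"), and verifying what /etc/hosts.allow and /etc/hosts.deny would actually do with the observed source, can be scripted. The example below is added here and is not code from either poster or from Nook Net. Its log lines are constructed; the tcpd "connect from" lines, the fuller "FAILED LOGIN SESSION FROM <host> FOR <user>" format, and the assumption that tcpd and the daemon it execs share a pid (which is how the ttloop line gets tied to a source address) are assumptions about a 1999-era Linux syslog. The hosts_access matcher implements only a subset of the tcp_wrappers rules (ALL, exact address, trailing-dot prefix, net/mask), not EXCEPT or hostname patterns.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample /var/log/messages and "secure" lines (not from the thread).
# The ttloop and FAILED LOGIN texts come from the thread; the "connect from"
# lines and pid correlation are assumed behaviour of tcpd + in.telnetd.
SAMPLE_LOG = """\
Nov 22 19:03:53 in.telnetd[2786]: connect from 192.0.2.44
Nov 22 19:03:54 telnetd[2786]: ttloop: read: Connection reset by peer
Nov 23 02:11:06 in.telnetd[2801]: connect from 192.0.2.44
Nov 23 02:11:07 login[2801]: FAILED LOGIN SESSION FROM 192.0.2.44 FOR devin, Authentication failure
Nov 23 02:11:19 login[2801]: FAILED LOGIN SESSION FROM 192.0.2.44 FOR root, Authentication failure
Nov 23 08:40:02 in.telnetd[2910]: connect from 10.0.0.5
Nov 23 08:40:02 telnetd[2910]: ttloop: read: Connection reset by peer
Nov 24 01:59:41 in.telnetd[3050]: connect from 192.0.2.44
Nov 24 01:59:42 telnetd[3050]: ttloop: read: Connection reset by peer
"""

# Constructed hosts.allow / hosts.deny: only the home LAN may reach telnet,
# everything else is denied for every wrapped daemon.
SAMPLE_ALLOW = "in.telnetd : 10.0.0.\n"
SAMPLE_DENY = "ALL : ALL\n"

CONNECT_RE = re.compile(r"^(\w{3} +\d+) \S+ in\.telnetd\[(\d+)\]: connect from (\S+)")
TTLOOP_RE = re.compile(r"^(\w{3} +\d+) \S+ telnetd\[(\d+)\]: ttloop: read: Connection reset by peer")
FAILED_RE = re.compile(r"^(\w{3} +\d+) \S+ login\[(\d+)\]: FAILED LOGIN SESSION FROM (\S+) FOR ([^,\s]+)")


def triage(log_text):
    """Per source host: bare probes, failed logins, usernames tried, distinct days."""
    pid_host = {}  # pid -> source host, learned from tcpd's "connect from" line
    hosts = defaultdict(lambda: {"probes": 0, "failed_logins": 0, "users": set(), "days": set()})
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            day, pid, host = m.groups()
            pid_host[pid] = host
            hosts[host]["days"].add(day)
            continue
        m = TTLOOP_RE.match(line)
        if m:
            day, pid = m.groups()
            host = pid_host.get(pid, "unknown")  # ttloop line carries no address itself
            hosts[host]["probes"] += 1
            hosts[host]["days"].add(day)
            continue
        m = FAILED_RE.match(line)
        if m:
            day, pid, host, user = m.groups()
            hosts[host]["failed_logins"] += 1
            hosts[host]["users"].add(user)
            hosts[host]["days"].add(day)
    return dict(hosts)


def recurring_hosts(hosts, min_days=2):
    """Hosts that 'keep coming back': seen on at least min_days distinct days."""
    return sorted(h for h, info in hosts.items() if len(info["days"]) >= min_days)


def _match_client(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # "10.0.0." matches 10.0.0.x
        return ip.startswith(pattern)
    if "/" in pattern:                   # "192.0.2.0/255.255.255.0"
        return ip_address(ip) in ip_network(pattern, strict=False)
    return ip == pattern                 # exact address


def _rule_matches(line, daemon, ip):
    fields = [f.strip() for f in line.split(":")]
    if len(fields) < 2:
        return False
    daemons = fields[0].replace(",", " ").split()
    clients = fields[1].replace(",", " ").split()
    return any(d in ("ALL", daemon) for d in daemons) and any(_match_client(c, ip) for c in clients)


def hosts_access(allow_text, deny_text, daemon, ip):
    """tcp_wrappers order: first match in hosts.allow grants, first match in
    hosts.deny refuses, no match in either grants."""
    for text, verdict in ((allow_text, True), (deny_text, False)):
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()
            if line and _rule_matches(line, daemon, ip):
                return verdict
    return True


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for host in recurring_hosts(report):
        info = report[host]
        allowed = hosts_access(SAMPLE_ALLOW, SAMPLE_DENY, "in.telnetd", host)
        print(f"{host}: probes={info['probes']} failed_logins={info['failed_logins']} "
              f"users={sorted(info['users'])} days={sorted(info['days'])} "
              f"telnet_allowed_by_wrapper={allowed}")
```

Run it against a real /var/log/messages and "secure" by feeding their contents to triage() and your own hosts.allow/hosts.deny to hosts_access(). If a recurring outside host comes back as telnet_allowed_by_wrapper=True, the wrapper is letting it through, which is the "open in ways you do not intend" case above; a host that shows failed_logins for root rather than a bare probe has moved past port scanning to password guessing.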