On Tue, Jun 06, 2000 at 02:07:37PM +0530, Suresh Ramasubramanian typed:
> Krishna Rao SN saw fit to inform LI that:
>
> > I am new to Linux. Kindly tell me which report/log files to check & where it is
> > located?
> > It is urgent. Maybe someone is using my system to portscans of port 111.
>
> /var/log/messages should do for a start - and /var/log/maillog to see if
> you have any mails going out of your system.
>
> Check the other files in /var/log as well.
>
Sorry to disappoint you, Krishna Rao, but unless you have firewalling
rules in place, none of your logs will show any outgoing IP traffic.
Things to do are:

1) If your server (mail.myserver.com you mentioned) is a gateway and
is performing network address translation for your LAN (or even
otherwise), ensure that you block off all unnecessary outgoing traffic
using IPChains. Put in a specific rule to reject *and log* all traffic
going out to the RPC ports in the internet domain. If someone is
indeed portscanning the outside world through your machine and
continuing to do so, you can make out by looking at the IPChains log.

2) Ask the sysadmin who complained for a copy of his logs. Cross-check
the timings and see who all were logged in on your server at that specific
time (/var/log/secure should be able to tell you that). If you have root
access, scan through their ".bash_history" files for any evidence of
misuse (if the activity originated from users logged in via telnet).

3) There is also the possibility (though not too probable) that the attack
didn't really originate from your machine, but someone was just spoofing
your IP address. In this case there's nothing you can do about it.

4) In any case, send a mail to the sysadmin who complained and inform him
that you're investigating the matter. It is reassuring for a sysadmin
to know that he's dealing with someone who's on the same side as him :-)

Read the "Security HOWTO" and the "IPChains HOWTO", which are probably
available in your Linux box documentation directory. Also check out
http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri - it's a
pretty good Linux server installation / maintenance / security guide.
Kala
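As an added example that is not part of the original thread, the script below puts steps 1 and 2 of Kala's reply into runnable shell: a function that installs the "reject and log" IPChains rules for outgoing portmapper (port 111) traffic, an awk summary of the resulting kernel log lines showing which source address probed how many distinct hosts on port 111, and a filter over /var/log/secure-style login lines to see who was logged in before the reported time. The interface name eth0, the "Packet log:" and "login: LOGIN ON ... BY ... FROM ..." line formats, and all sample log lines are assumptions or constructed data, not material from the list or the original poster's system.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes ipchains-era log
# formats; eth0 and the sample lines below are constructed/assumed.

# Step 1: reject and log outgoing connection attempts to the portmapper
# (port 111) on the external interface. Needs root and an ipchains kernel,
# so it is defined here but only called by hand. On a masquerading
# gateway, the same rules on the "forward" chain log the LAN host's real
# source address (the "output" chain sees the masqueraded one).
add_rpc_egress_rules() {
    ext_if=${1:-eth0}   # assumed external interface
    ipchains -A output -i "$ext_if" -p tcp -d 0.0.0.0/0 111 -j REJECT -l
    ipchains -A output -i "$ext_if" -p udp -d 0.0.0.0/0 111 -j REJECT -l
}

# Constructed sample of /var/log/messages after the rules above fire.
SAMPLE_MESSAGES=$(cat <<'EOF'
Jun  6 14:07:37 mail kernel: Packet log: output REJECT eth0 PROTO=6 192.168.1.5:1025 203.0.113.7:111 L=60 S=0x00 I=12345 F=0x4000 T=64 SYN (#3)
Jun  6 14:07:38 mail kernel: Packet log: output REJECT eth0 PROTO=6 192.168.1.5:1026 203.0.113.8:111 L=60 S=0x00 I=12346 F=0x4000 T=64 SYN (#3)
Jun  6 14:07:39 mail kernel: Packet log: output REJECT eth0 PROTO=6 192.168.1.5:1027 203.0.113.9:111 L=60 S=0x00 I=12347 F=0x4000 T=64 SYN (#3)
Jun  6 14:09:01 mail kernel: Packet log: output REJECT eth0 PROTO=6 192.168.1.9:2048 198.51.100.2:111 L=60 S=0x00 I=12400 F=0x4000 T=64 SYN (#3)
Jun  6 14:09:05 mail kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.2:53 192.168.1.1:1025 L=78 S=0x00 I=41135 F=0x0000 T=254 (#1)
EOF
)

# Constructed sample of /var/log/secure login records.
SAMPLE_SECURE=$(cat <<'EOF'
Jun  6 13:50:00 mail login: LOGIN ON ttyp0 BY ravi FROM 192.168.1.9
Jun  6 14:05:12 mail login: LOGIN ON ttyp1 BY krishna FROM 192.168.1.5
Jun  6 14:30:44 mail login: LOGIN ON ttyp2 BY anand FROM 192.168.1.12
EOF
)

# Step 1 (reading the log): for each source address, count the distinct
# hosts it tried to reach on port 111 via the output/forward chains.
# Reads log lines on stdin, prints "source count" lines sorted by source.
scan_sources() {
    awk '
        /Packet log:/ {
            for (i = 1; i <= NF; i++) if ($i == "log:") chain = $(i+1)
            if (chain != "output" && chain != "forward") next
            for (i = 1; i <= NF; i++)
                if ($i ~ /^PROTO=/) { src = $(i+1); dst = $(i+2) }
            split(src, s, ":"); split(dst, d, ":")
            if (d[2] == "111") hosts[s[1] "," d[1]] = 1
        }
        END {
            for (k in hosts) { split(k, p, ","); n[p[1]]++ }
            for (a in n) printf "%s %d\n", a, n[a]
        }' | sort
}

# Step 2: cross-check timings. Print "time user" for every login on the
# given day-of-month that happened at or before HH:MM:SS (the time the
# complaining sysadmin reported). Reads /var/log/secure lines on stdin.
logins_before() {
    awk -v day="$1" -v t="$2" '
        $2 == day && $3 <= t && /LOGIN ON/ {
            for (i = 1; i <= NF; i++) if ($i == "BY") user = $(i+1)
            print $3, user
        }'
}

# Stand-alone demonstration on the constructed samples.
echo "port 111 probes by source (distinct destinations):"
printf '%s\n' "$SAMPLE_MESSAGES" | scan_sources
echo "logged in on the 6th before 14:07:37:"
printf '%s\n' "$SAMPLE_SECURE" | logins_before 6 14:07:37
```

On a real box, replace the samples with `scan_sources < /var/log/messages` and `logins_before 6 14:07:37 < /var/log/secure`; the login times that fall just before the first logged probe are the sessions whose .bash_history is worth reading, as step 2 suggests.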
-----------------------------------------------------------------------
Check out the 'What to do before posting to the list' site
for a list of things to try before posting. The site is
at http://botsie.tripod.com/beforeposting/