Re: refused connect from 'unknown'
>> "PC" == Pere Camps <[EMAIL PROTECTED]> writes:

PC> I've checked, and there's no option. I've installed icmplogd and
PC> tcplogd which log all connection attempts to my machine. The log

You should also install courtney. It did recognise a portscan of my server some time ago.

Ciao,
Martin
Re: refused connect from 'unknown'
Daniel,

> No - not if the person connecting disconnects almost instantly; what
> can happen is that if the person in question opens and then closes a
> connection almost instantly, the connection goes to inetd, which
> accepts it, but before tcpd (which is what inetd hands telnet
> connections off to, and which is the program generating these log
> messages) gets the connection and finds out who's on the other end,
> the connection is closed, and tcpd is left without a clue, hence the
> confusing error messages.

I see. Very weird stuff anyway. I thought that inetd was the one who logged the stuff.

> This is usually done as part of a port scan - testing to see which
> ports are accessible on your machine. There ought to be an option to
> inetd to log all tcp connections before passing them off to something
> else to handle, but I can see how that could get to be a hassle on a
> busy machine.

I've checked, and there's no option. I've installed icmplogd and tcplogd which log all connection attempts to my machine. The log file is growing quite big, but that's what you get. So far no strange port probing, but a lot of icmp messages that I do not quite understand. When I have time, I'll look at them.

Thanks a lot for your help!

--
p.
Re: refused connect from 'unknown'
Pere Camps <[EMAIL PROTECTED]> writes:

> Hi!
>
> Can somebody explain to me what this is?
>
> Dec 7 13:52:11 casal in.telnetd[27798]: warning: can't get client address:
> No route to host
> Dec 7 13:52:12 casal in.telnetd[27798]: refused connect from unknown
>
> If my machine has a telnet request, then my machine knows the IP
> (at least) of the machine which requests it, no?

No - not if the person connecting disconnects almost instantly; what can happen is that if the person in question opens and then closes a connection almost instantly, the connection goes to inetd, which accepts it, but before tcpd (which is what inetd hands telnet connections off to, and which is the program generating these log messages) gets the connection and finds out who's on the other end, the connection is closed, and tcpd is left without a clue, hence the confusing error messages.

This is usually done as part of a port scan - testing to see which ports are accessible on your machine. There ought to be an option to inetd to log all tcp connections before passing them off to something else to handle, but I can see how that could get to be a hassle on a busy machine.

On the other hand, services which are not run from inetd - for example, apache on most machines - will know where this connection was coming from, and many port scans hit port 80 as well as port 23.

I seem to remember some program that monitored every individual incoming network packet and logged warning messages about suspicious packets - I suppose someone will know how to do this with ipchains or ip firewalling stuff.
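An added example, not part of the original thread: a small Python filter that pairs the two tcpd messages discussed above by daemon and PID, and flags several different inetd services refusing an "unknown" peer within a few seconds, the pattern the reply associates with a port scan. The first two log lines are the ones quoted in the thread; the other lines, the function names, the 5-second window and the two-service threshold are constructed assumptions.

```python
import re

# First two lines are quoted in the thread; the remaining four are constructed
# sample data (192.0.2.0/24 is a documentation address range).
SAMPLE_LOG = """\
Dec  7 13:52:11 casal in.telnetd[27798]: warning: can't get client address: No route to host
Dec  7 13:52:12 casal in.telnetd[27798]: refused connect from unknown
Dec  7 13:52:12 casal in.ftpd[27801]: warning: can't get client address: Connection reset by peer
Dec  7 13:52:12 casal in.ftpd[27801]: refused connect from unknown
Dec  7 13:52:13 casal in.fingerd[27805]: refused connect from 192.0.2.7
Dec  7 14:10:40 casal in.telnetd[27920]: connect from 192.0.2.44
"""

# date, hh, mm, ss, host, daemon, pid, message
LINE = re.compile(r"^(\w{3}\s+\d+) (\d\d):(\d\d):(\d\d) (\S+) ([\w.-]+)\[(\d+)\]: (.*)$")

def anonymous_refusals(log_text):
    """Return (day, second_of_day, daemon, pid, reason) for each refusal where
    tcpd never learned the peer address; reason is the paired warning's error."""
    reason, events = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        day, hh, mm, ss, _host, daemon, pid, msg = m.groups()
        key = (daemon, pid)                     # one tcpd process per connection
        if msg.startswith("warning: can't get client address:"):
            reason[key] = msg.split(":", 2)[2].strip()
        elif msg == "refused connect from unknown":
            secs = int(hh) * 3600 + int(mm) * 60 + int(ss)
            events.append((" ".join(day.split()), secs, daemon, pid, reason.pop(key, None)))
    return events

def sweeps(events, window=5, min_services=2):
    """Group anonymous refusals that hit at least min_services different
    daemons within `window` seconds of the first one on the same day."""
    events = sorted(events, key=lambda e: e[:2])
    found, i = [], 0
    while i < len(events):
        day, start = events[i][:2]
        j = i
        while j < len(events) and events[j][0] == day and events[j][1] - start <= window:
            j += 1
        daemons = sorted({e[2] for e in events[i:j]})
        if len(daemons) >= min_services:
            found.append((day, start, daemons))
        i = j
    return found

if __name__ == "__main__":
    print(sweeps(anonymous_refusals(SAMPLE_LOG)))
```

A single pair such as the one quoted in the thread yields one event and no sweep, so it is reported only when other services log the same thing around the same time.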
Re: refused connect from 'unknown'
Martin,

> PC> Dec 7 13:52:12 casal in.telnetd[27798]: refused connect from
> PC> unknown
> Is this you connecting?

No, it's not me.

> Maybe it is an attacker transmitting a bogus tcp package or such.

Maybe. But lately I've come to think that's the ALL: PARANOID setting in hosts.deny. :-?

--
p.
Re: refused connect from 'unknown'
>> "PC" == Pere Camps <[EMAIL PROTECTED]> writes:

PC> Dec 7 13:52:11 casal in.telnetd[27798]: warning: can't get client
PC> address: No route to host
PC> Dec 7 13:52:12 casal in.telnetd[27798]: refused connect from
PC> unknown

PC> If my machine has a telnet request, then my machine knows the IP
PC> (at least) of the machine which requests it, no?

Is this you connecting?

Maybe it is an attacker transmitting a bogus tcp package or such.

Ciao,
Martin
refused connect from 'unknown'
Hi!

Can somebody explain to me what this is?

Dec 7 13:52:11 casal in.telnetd[27798]: warning: can't get client address: No route to host
Dec 7 13:52:12 casal in.telnetd[27798]: refused connect from unknown

If my machine has a telnet request, then my machine knows the IP (at least) of the machine which requests it, no?

I'm clueless.

Regards,
Pere

Ultima Ratio Regum
2:343/108.91 - mailto:[EMAIL PROTECTED]
PGP key available - http://casal.upc.es/~pere/