Re: identd log entries

From: /dev/rob0 (rob0_at_gmx.co.uk)
Date: 03/31/04 

Date: Wed, 31 Mar 2004 08:36:39 -0600

On Wed, 31 Mar 2004 10:40:34 +0200, jack wrote:
> I just don't know why You're posting it here then, neither do I know
> why people - including myself - even bother to write a reply...
>
> Seriously: This is a usenet news group, and this is a discussion
> rather than a competition.
>
> I'll take it just as a "noise"...

I'm sorry you feel that way. I disagree: I hoped it could serve as a
good exercise. So here's what I did ...

Seeing that it was SMTP the first place I looked was in the maillog
file, which in my syslog gets all mail.* messages. I could find no
correlation between that and the identd logs. In fact my MTA was
passing everything along to the relayhost as it should; no external
connections at all.

My auth daemon is a "dumb" one, and I've seen that error before when
machines behind the firewall are doing something to trigger an auth
query. To test whether or not they were coming from another machine I
put in an iptables rule:
    iptables -I FORWARD -i $INTIF -o $EXTIF -p tcp --dport 25 -j LOG --log-level debug
*.debug messages go to /var/log/debug, and a tail -f quickly found the
perpetrator, scrolling faster than I could read, but the same source IP
on every outgoing packet ... a Windows box.

No, I was not cracked, and now my children are no longer allowed to use
Windows to access the Internet. This is also a testimony to the virtues
of running an identd open to the outside: it's safe, it doesn't give
away vital information, and it the things it logs can be VERY useful!

And I hope this followup puts this thread back on the "signal" side of
the signal-to-noise ratio. :) 

-- 
  /dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
  or put "not-spam" or "/dev/rob0" in Subject header to reply

Relevant Pages

  • Re: Cryptogram Comment
    ... >> bother me with Windows questions. ... >> machines are broken. ... Just like if you don't know to tune up your car every year then you ... > and Linux and other open OS's make all patches FREE to redistribute. ...
    (sci.crypt)
  • [Full-Disclosure] RE: M$ - so what should they do?
    ... >isn't a basic windows design piece. ... or getting their machines loaded with adware and spyware ... heart of the problem of machines connected to the Internet, ...
    (Full-Disclosure)
  • Re: Need tutorials, guides... However...
    ... performance loss you'll get from an OS like Windows or Linux. ... machines out there have gone off in many different directions. ... expect to find certain hardware at certain addressess. ...
    (alt.lang.asm)
  • Re: Saw 10.4.1 Running On a PC Laptop Today
    ... People would no longer differentiate between Macs and PCs and most would just stick with the Windows OS that came with their box. ... Apple would no longer be innovative as it now and eventually be marginalized out of business. ... The fact is, Windows users use Windows NOT because "it works, and that's all that counts", but because it is the ONLY real game in town for Intel machines, and because Apples are JUST TOO EXPENSIVE for the common man and corporations to embrace that paradigm. ... most Windows users would rather switch to OSX than continue to put up with Microsoft's machinations in the computer world. ...
    (comp.sys.mac.advocacy)
  • RE: Access Denied for Event Viewer or Regedit
    ... message when you try to remotely manage a computer that is running Windows XP ... Does the issue (lack of registry key) only occur on the machines with ... > If the problem only occurs on the machines with OEM Windows XP Pro, ...
    (microsoft.public.windowsxp.help_and_support)