Re: identd log entries
From: Tim Haynes (usenet-20040331_at_stirfried.vegetable.org.uk)
Date: Wed, 31 Mar 2004 17:56:29 +0100
"/dev/rob0" <firstname.lastname@example.org> writes:
> On Wed, 31 Mar 2004 10:40:34 +0200, jack wrote:
>> I just don't know why You're posting it here then, neither do I know
>> why people - including myself - even bother to write a reply...
>> Seriously: This is a usenet news group, and this is a discussion
>> rather than a competition.
>> I'll take it just as a "noise"...
> I'm sorry you feel that way. I disagree: I hoped it could serve as a
> good exercise. So here's what I did ...
Absolutely. My cheeky responses are all in the name of humour, because I
entirely agree that if there's one thing we security-heads should tone-up
on, it's analytical ability.
> Seeing that it was SMTP the first place I looked was in the maillog file,
> which in my syslog gets all mail.* messages. I could find no correlation.
> *.debug messages go to /var/log/debug, and a tail -f quickly found the
> perpetrator, scrolling faster than I could read, but the same source IP
> on every outgoing packet ... a Windows box.
> No, I was not cracked, and now my children are no longer allowed to use
> Windows to access the Internet. This is also a testimony to the virtues
> of running an identd open to the outside: it's safe, it doesn't give away
> vital information, and the things it logs can be VERY useful!
So basically your other internal windoze boxes were making direct outgoing
connections to SMTP ports, but because of the NAT, the reverse-identd
requests were coming back to the linux box?
That would also explain why it had no idea what the user in question was.
Interesting, if I'd been in a NAT frame of mind, I'd've thought of that
option as well.
-- 
Too fast to live,  |email@example.com
too young to die   |http://spodzone.org.uk/cesspit/
bye bye.           |
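The NAT effect Tim describes, where a remote mail server's RFC 1413 query for an internal host's outbound SMTP session arrives at the gateway's identd, can be turned into a detection: match each query's port against the gateway's NAT state and count which internal host really owns the connections. The script below is an added example written for this post, not code from anyone in the thread; the identd log format, the NAT table layout and all addresses are constructed assumptions, and on a real gateway the NAT state would come from the kernel's connection tracking.

```python
import re
from collections import Counter

# Constructed identd log lines (format assumed; real daemons log differently).
# RFC 1413 queries carry "<port on the queried host>,<port on the querier>",
# so an outbound SMTP session shows up here as "<our source port>,25".
IDENT_LOG = """\
Mar 31 10:40:34 gw identd[812]: request from 203.0.113.5 for 3412,25
Mar 31 10:40:35 gw identd[812]: request from 198.51.100.9 for 3413,25
Mar 31 10:40:36 gw identd[812]: request from 203.0.113.5 for 3414,25
Mar 31 10:40:37 gw identd[812]: request from 203.0.113.5 for 3999,25
Mar 31 10:41:02 gw identd[812]: request from 192.0.2.77 for 1022,22
"""

# Constructed NAT state: translated source port -> (internal host, internal
# port, remote host, remote port). On a real gateway this comes from conntrack.
NAT_TABLE = {
    3412: ("192.168.1.20", 1054, "203.0.113.5", 25),
    3413: ("192.168.1.20", 1055, "198.51.100.9", 25),
    3414: ("192.168.1.20", 1056, "203.0.113.5", 25),
}
# Ports the gateway itself owns (its own outbound ssh session, constructed).
LOCAL_PORTS = {1022}
LINE_RE = re.compile(r"request from (\S+) for (\d+),(\d+)")


def attribute_ident_requests(log_text, nat_table, local_ports):
    """Trace each ident query back to whoever really owns the connection.
    Keys are "<origin> -> <remote port>"; origin is the NAT client, "gateway"
    for the gateway's own sockets, or "unknown" if nothing explains the port."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        querier, our_port, their_port = m.group(1), int(m.group(2)), int(m.group(3))
        nat = nat_table.get(our_port)
        if nat and nat[2] == querier and nat[3] == their_port:
            hits[f"{nat[0]} -> {their_port}"] += 1
        elif our_port in local_ports:
            hits[f"gateway -> {their_port}"] += 1
        else:
            hits[f"unknown -> {their_port}"] += 1
    return hits


def noisy_smtp_origins(hits, threshold=3):
    """Origins behind at least `threshold` ident-confirmed outbound SMTP sessions."""
    return sorted(o.split(" -> ")[0] for o, n in hits.items()
                  if o.endswith("-> 25") and n >= threshold)
```

An "unknown" bucket is exactly the case in the post: identd is asked about a port the gateway has no user for, which on a masquerading box points at an internal client rather than a compromise of the gateway itself.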