Re: foreign ip in /var/log/wtmp



On 8 May 2007, in the Usenet newsgroup comp.os.linux.security, in article
<1178644856.638713.154140@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, Bernd wrote:

> I found it out by myself:
> In /etc/modprobe.conf I changed two entries:
> - alias sit0 ipv6 to alias sit0 off
> and
> - alias net-pf-10 ipv6 to alias net-pf-10 off

My understanding is that should be

alias net-pf-10 off

> Then a reboot, and the ipv6 module did not appear with lsmod.
> ifconfig -a showed no ipv6 address.
> Some other modules with ip6 in their names still appeared, but I could
> easily remove them with rmmod.
> Then, finally, lsmod showed nothing with ip6 or ipv6.

OK - I was going to suggest that, but you've gotten ahead of me ;-)

> But the foreign ips in /var/log/wtmp still appeared after new logins.
> It's a shame.

Damn.

> Any other idea?

I'm not sure that a strace may or may not help - I'll admit that I'm
running out of ideas. This smells quite strongly of a problem with
whatever is writing to wtmp, but what? That's normally a login
process. As I recall, you reported differences in the wtmp entries
between logging in via ssh versus logging in over the console. But
you also mention this is in a GUI login - what happens if you change
run-levels to "3", which should give a text login - you start X with
the 'runx' or 'startx' command after logging in if needed - but what
does 'last' show from that text login?

Old guy
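
To compare what the ssh, console and GUI login paths each write, the wtmp records can be decoded directly instead of going through 'last'. This is an added example, not part of the original posts; it assumes the 384-byte glibc struct utmp layout used on x86 Linux, and the helper names and sample records are constructed for illustration.

```python
import ipaddress
import struct

# Assumed layout: glibc struct utmp on x86/x86-64 Linux, 384 bytes per record.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii16s20s")
USER_PROCESS = 7  # ut_type of a normal login session


def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def decode_addr(raw16):
    """ut_addr_v6: an IPv4 address fills the first 4 bytes, the rest stay 0."""
    if raw16 == bytes(16):
        return None
    if raw16[4:] == bytes(12):
        return str(ipaddress.IPv4Address(raw16[:4]))
    return str(ipaddress.IPv6Address(raw16))


def parse_wtmp(data):
    """Yield line, user, host and address for each login record."""
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)
        if f[0] == USER_PROCESS:
            yield {"line": _text(f[2]), "user": _text(f[4]),
                   "host": _text(f[5]), "addr": decode_addr(f[11])}


def local_with_address(records):
    """Local logins (no host, or an X display such as ':0') with an address."""
    return [r for r in records
            if r["addr"] and (not r["host"] or r["host"].startswith(":"))]


def make_record(line, user, host, ip=None):
    """Pack one constructed sample record (not real log data)."""
    addr = ipaddress.ip_address(ip).packed if ip else b""  # "16s" zero-pads
    return UTMP.pack(USER_PROCESS, 1234, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, 1178600000, 0, addr, b"")


# Constructed sample: an ssh login, a GUI login carrying an address, a console login.
SAMPLE = (make_record("pts/0", "alice", "192.0.2.10", "192.0.2.10")
          + make_record(":0", "alice", ":0", "203.0.113.77")
          + make_record("tty1", "alice", ""))

if __name__ == "__main__":
    for rec in local_with_address(parse_wtmp(SAMPLE)):
        print(rec)
```

To run it against a real file, pass `open("/var/log/wtmp", "rb").read()` to `parse_wtmp`; if the file size is not a multiple of 384 bytes, the assumed layout does not apply to that platform.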