Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: logging solaris 10 tcp-wrappers
Operating Systems Solaris logging solaris 10 tcp-wrappers Post 302123913 by csgonan on Wednesday 27th of June 2007 05:24:52 PM
Old 06-27-2007
logging solaris 10 tcp-wrappers
I want to log tcp-wrapper events Solaris 10. I researched and saw that I could make a syslog entry in the hosts.deny, which I did below. After restarting syslog and having ssh blocking, I see nothing logging. I also do not get the email that should be generated. The file was taken from a working server.

I did put an auth.warning entry in syslog to the tcpwrapper log file which generated an entry when ssh was rejected, but the email wasn't received.

Any suggestins on why these emails might not be working and how to get sendmail logged? I see in the maillog that it is being blocked. NOTE: The sendmail being blocked is not happening at the same time this email notice of the violation is supposed to go out.

This is one of the lines in maillog

Jun 27 17:16:37 kristina sendmail[992]: [ID 801593 mail.notice] l5RLGbC3000992: tcpwrappers (localhost, 127.0.0.1) rejection

This is my hosts deny (abreviated).

sshd: ALL: spawn (echo "ssh violation from %h on %s using ssh - possible cracker ! Check /var/log/syslog on %s immediately!" | /usr/bin/mailx -r alert -s "tcpd violation from %h on %s - possible cracker!" csgonan) &

ALL: ALL: severity LOCAL3.notice

--------
here is my syslog.conf

# 6/26/07 - CSR added this to test logging tcpwrappers
local3.* ifdef(`LOGHOST', /var/log/tcpwrapperLog, @loghost)

-rw-r--r-- 1 root sys 0 Jun 26 15:57 tcpwrapperLog
Last edited by csgonan; 06-27-2007 at 06:57 PM..
 

10 More Discussions You Might Find Interesting

1. IP Networking

configure TCP/IP for solaris 8

Hello, I have 4 unix (Solaris 8) stations need to setup on network. what is a easy way and quick to setup TCP/IP so I can bring it online?. Please advise! (3 Replies)
Discussion started by: phapvn
3 Replies

2. Cybersecurity

TCP Wrappers

I have installed TCP wrappers , Good package ... I have a problem with the hosts_options part ... I am not able to use the twist command .. It just dosent respond I have compiled wrappers 7.6 for Solaris 8 with ipv6 support ... Everything works fine except the twist doesnt work I have... (1 Reply)
Discussion started by: DPAI
1 Replies

3. Solaris

[help] very need help for solaris TCP

hi expert, hi all very need help please advice, i have v890 production server (gateway server) which running on telecommunication application (e.g USSD application) on this few month i have a problem with the connection to application server, for 2 - 3 hours the connection always down and cannot... (0 Replies)
Discussion started by: bucci
0 Replies

4. Solaris

TCP Wrappers - again

has anyone ever tried using a client list in thier hosts.allow file Example of hosts.allow) in.ftpd: /etc/ftp.hosts "ftp.hosts" has my list of IP address that are allow access.... However I cant get this work...Any Comments or Help? (0 Replies)
Discussion started by: dodge_man
0 Replies

5. AIX

TCP wrappers

With things installed and wrapping ftpd on AIX 5.1 in hosts.deny I have; ALL: ALL in hosts.allow; ftpd: x.x.x.x ALL: x.x.x.x I get this on connect via ftp; 421 Service not available, remote server has closed connection So its working as far as blocking but the hosts.allow seems to be... (1 Reply)
Discussion started by: traken
1 Replies

6. UNIX for Advanced & Expert Users

TCP Wrappers and restricting users

I'm using vsftpd which is being controlled by inetd. I have a user that I want to only be able to connect from one specific IP address on the same internal network so I can backup files on a separate system. Is this possible with TCP wrappers? I got the notion that it was because of a few... (4 Replies)
Discussion started by: mashiox
4 Replies

7. AIX

aix tcp wrappers hosts.allow hosts.deny?

hi all just installed the netsec.options.tcpwrapper from expansion pack, which used to be a rpm, for my aix 6.1 test box. it is so unpredictable. i set up the hosts.deny as suggested for all and allow the sshd for specific ip addresses/hostnames. the tcpdchk says the hosts allowed and... (0 Replies)
Discussion started by: wf201626
0 Replies

8. AIX

TCP Wrappers on AIX 5.3

Hi, I have in my organization varied OS types (AIX,RHEL,Solaris) My need was to block ftp connections from some addresses on my organization, but to not disable the protocol. In the linux servers i did that with the hosts.deny file that used by the vsftpd deamon. In my AIX servers, i have... (6 Replies)
Discussion started by: moshesa
6 Replies

9. HP-UX

Logging into UNIX via TCP/IP Telnet

I can connect to the UNIX box using a TCP/IP Telnet session but the UNIX does not respond with the login prompt. The box responds to a PING and the Telnet session actually connects, but no prompt of any sort is recieved back. I can connect via the console, get the login prompt and can login. ... (3 Replies)
Discussion started by: Newnix
3 Replies

10. Solaris

Too much TCP retransmitted and TCP duplicate on server Oracle Solaris 10

I have problem with oracle solaris 10 running on oracle sparc T4-2 server. Os information: 5.10 Generic_150400-03 sun4v sparc sun4v Output from tcpstat.d script TCP bytes: out outRetrans in inDup inUnorder 6833763 7300 98884 0... (2 Replies)
Discussion started by: insatiable1610
2 Replies

LEARN ABOUT OSF1

syslogd

syslogd(8)						      System Manager's Manual							syslogd(8)

NAME

       syslogd - Logs system messages

SYNOPSIS

       /usr/sbin/syslogd [-f config_file] [-m mark_interval] [-d] [-s] [-e]

       The syslogd daemon reads and logs messages to a set of files described in the /etc/syslog.conf configuration file.

FLAGS

       Specifies the size of the socket receive buffer.  Specifies a path to an alternate configuration file.  Specifies the mark_interval.  Turns
       on the debugging feature.  Specifies that events are to be posted to the Event Manager, EVM.  Disables the posting of events  to  the  con-
       sole.

DESCRIPTION

       Each  message  logged  consists of one line.  A message can contain a priority code, marked by a number in angle braces at the beginning of
       the line.  Priorities are defined in the /usr/include/sys/syslog_pri.h file.  The syslogd daemon reads from  the  domain  socket  /dev/log,
       from an Internet domain socket specified in /etc/services, and from the special device /dev/klog, which reads kernel messages.  The syslogd
       daemon configures when it starts up and when it receives a hangup (SIGHUP) signal. To reconfigure the daemon, use the ps command  to  iden-
       tify the daemon's process identifier (PID) and then use the following command: # kill -HUP <pid> (The PID of the daemon is also recorded in
       /var/run/syslog.pid).  This command causes the daemon to read the revised configuration file.

       The /etc/syslog.conf file contains entries that specify the facility (the part of the system that generated the error), the  error  message
       severity  level,  and  the  destination to which the syslogd daemon sends the messages.	Each line of the /etc/syslog.conf file contains an
       entry.

       The following is an example of an /etc/syslog.conf file: # # syslogd config file # # facilities: kern user  mail  daemon  auth  syslog  lpr
       binary  #  priorities:  emerg  alert  crit  err	warning  notice  info  debug  kern.debug	       /var/adm/syslog/kern.log user.debug
       /var/adm/syslog/user.log daemon.debug		/var/adm/syslog/daemon.log auth.debug		    /var/adm/syslog/auth.log  syslog.debug
       /var/adm/syslog/syslog.log   mail,lpr.debug	     /var/adm/syslog/misc.log  binary.err		/var/adm/binary.errlog	msgbuf.err
       /var/adm/crash/msgbuf.savecore kern.debug	      /var/adm/messages kern.debug		/dev/console *.emerg		     *

       The facility and its severity level must be separated by a period (.).  You can specify more than one facility on a line by separating them
       with commas.   You can specify more than one facility and severity level on a line by separating them with semicolons.

       The facility and its severity level must be separated from the destination by one or more tabs (spaces are not allowed).

       If  you	specify  an  asterisk (*) for a facility, messages generated by all parts of the system are logged.  All messages of the specified
       level and of a greater severity are logged.  Blank lines and lines beginning with # (number sign) are ignored.

       For example: *.emerg;mail,daemon.crit	      /var/adm/syslog/misc.log This line logs all facilities at the emerg level (and  higher)  and
       the mail and daemon facilities at the crit (or higher) level to the /var/adm/syslog/misc.log destination file.

       Known  facilities  and  levels recognized by the syslogd daemon are those listed in /usr/include/sys/syslog_pri.h without the leading LOG_.
       The additional facility mark has a message at priority LOG_INFO sent to it every 20 minutes (this may be changed with the  -m  flag).   The
       mark  facility is not enabled by a facility field containing an * (asterisk).  The level none may be used to disable a particular facility.
       For example: *.debug;mail.none		   /var/adm/syslog/misc.log The previous entry sends all messages  except  mail  messages  to  the
       /var/adm/syslog/misc.log file.

       There  are  four  possibilities for the message destination: A filename that begins with a leading / (slash).  The syslogd daemon will open
       the file in append mode.  A hostname preceded by an @ (at sign).  Selected messages are forwarded to the syslogd daemon on the named  host.
       A  comma separated list of users.  Selected messages are written to those users if they are logged in.  An * (asterisk).  Selected messages
       are written to all users who are logged in.

       For     example:     kern,mark.debug	/dev/console	  *.notice;mail.info  /var/adm/syslog/mail	*.crit	  /var/adm/syslog/critical
       kern.err  @ucbarpa  *.emerg   * *.alert	 eric,kridle *.alert;auth.warning     ralph The preceding configuration file logs messages as fol-
       lows: Logs all kernel messages and 20 minute marks onto the system console Logs all notice (or higher) level messages and all  mail  system
       messages  except  debug	messages into the file /var/adm/syslog/mail Logs all critical messages into the /var/adm/syslog/critical file For-
       wards kernel messages of error severity or higher to ucbarpa.  Informs all users of any emergency messages, informs users eric  and  kridle
       of any alert messages, and informs user ralph of any alert message or any warning message (or higher) from the authorization system.

       Destinations  for  logged messages can be specified with full pathnames that begin with a leading / (slash).  The syslogd daemon then opens
       the specified file(s) in append mode.  If the pathname to a syslogd daemon log file  that  is  specified  in  the  syslog.conf  file  as  a
       /var/adm/syslog.dated/file,  the  syslogd daemon inserts a date directory, and thus produces a day-by-day account of the messages received,
       directly above file in the directory structure.	Typically, you will want to divert messages separately, according to facility, into  files
       such  as  kern.log,  mail.log, lpr.log, and debug.log.  The file /var/adm/syslog.dated/current is a link to the most recent log file direc-
       tory.

       If some pathname other than /var/adm/syslog.dated/file is specified as the pathname to the logfile, the syslogd daemon does not create  the
       daily  date  directory.	 For example, if you specify /var/adm/syslog/mail.log (without the .dated suffix after syslog), the syslogd daemon
       simply logs messages to the mail.log file and allows this file to grow indefinitely.

       The syslogd daemon can recover the messages in the kernel syslog buffer that were not logged to the files specified in the /etc/syslog.conf
       file  because  a  system crash occurred.  The savecore command copies the buffer recovered from the dump to the file specified in the "msg-
       buf.err" entry in the /etc/syslog.conf file.  When the syslogd daemon starts up, it looks for this file and, if it  exists,  processes  and
       then deletes the file.

   Configuration
       The syslogd daemon acts as a central routing facility for messages whose formats are determined by the programs that produce them.

       The syslogd daemon creates the /var/run/syslog.pid file if possible. The file contains a single line with its process ID.  This can be used
       to kill or reconfigure the syslogd daemon. For example, if you modify the syslog.conf file and you want to implement the changes,  use  the
       following command: # kill -HUP 'cat /var/run/syslog.pid'

       If  a  syslog.conf  configuration  file	does  not  exist,  the	syslogd  daemon  uses  the following defaults: *.ERR	      /dev/console
       *.PANIC	      * The defaults log all error messages to the console and all panic messages (from the kernel) to all  logged-in  users.	No
       files are written.

       To turn off printing of syslog messages to the console, please refer to the syslog(1) reference page.

   Remote message Forwarding
       The syslog has a remote message forwarding function. As a security feature, this capability is turned off by default. If you intend to con-
       figure other hosts to forward syslog messages to a local host, use the su command to  become  superuser	(root)	and  manually  create  the
       /etc/syslog.auth file using a text editor on the local host.

       The  /etc/syslog.auth  file  specifies  which remote hosts are allowed to forward syslog messages to the local host. Unless the domain host
       name of a remote host is given in the local /etc/syslog.auth file, the local host will not log any messages from that  remote  host.   Note
       that  if  no  /etc/syslog.auth file exists on the local host, then any remote hosts that can establish a network connection will be able to
       log messages.  See the syslog.auth(4) reference page for information.

   Event Management
       Note that syslog is also a channel that is read by the Event Management utility (EVM).  Messages are also converted to EVM events and noti-
       fied to the EVM daemon.	Refer to the EVM(8) reference page and System Administration for more information on event management.

FILES

       Specifies  the command path Configuration file.	Process ID.  Specifies what remote hosts can forward messages to the local host.  Contains
       configuration information that specifies what syslogd messages will be forwarded to the Event Manager, EVM.  Enables and disables  printing
       to  the	console  device.   The	name  of the domain datagram log socket.  Kernel log device.  The directory where daily log subdirectories
       reside.	A link to the directory containing the most recent daily log files.

RELATED INFORMATION

       Commands: syslog(1), savecore(8), logger(1).

       Functions: syslog(3).

       Files: syslog.auth(4), syslog.conf(4), syslog_evm.conf(4).

       System Administration, Network Administration, and EVM(5) delim off

																	syslogd(8)
All times are GMT -4. The time now is 08:35 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy