Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: Jori on December 22, 2001, 01:51:00 PM

Title: /var/log/secure disturbing messages
Post by: Jori on December 22, 2001, 01:51:00 PM

Dec 16 10:00:46 router xinetd[725]: START: auth pid=5315 from=213.131.131.155
Dec 16 10:41:50 router xinetd[725]: START: auth pid=5326 from=64.77.41.227
Dec 16 10:42:48 router xinetd[725]: START: auth pid=5327 from=64.77.41.227
Dec 16 10:48:13 router xinetd[725]: START: auth pid=5328 from=213.131.131.155
Dec 16 16:26:11 router xinetd[725]: START: auth pid=5409 from=62.250.14.14
Dec 16 16:26:36 router xinetd[725]: START: auth pid=5410 from=213.131.131.155
Dec 16 16:26:46 router xinetd[725]: START: auth pid=5411 from=213.131.131.155
Dec 16 16:26:48 router xinetd[725]: START: auth pid=5412 from=213.131.131.155
Dec 16 16:27:02 router xinetd[725]: START: auth pid=5413 from=195.162.203.183

and this goes on for a while....

Does anyone know what this is? when i do a portscan on myself, port 113 is open. I read somewhere that 113 is auth?

I have no idea what auth is, but I do want this to go away if possible :]

Title: Re: /var/log/secure disturbing messages
Post by: Vic on December 22, 2001, 03:18:14 PM

See the following:

http://www.dshield.org/ports/port113.html

Title: Re: /var/log/secure disturbing messages
Post by: Jori on December 22, 2001, 03:35:41 PM

hmmmm, so I can just shut down the auth service? And everything will continue to function normally?
(dont use sendmail)

How do I do that? :)

/etc/xinetd.conf

service auth
{
    socket_type                 = stream
    wait                        = no
    user                        = nobody
    server                      = /usr/sbin/in.identd
    server_args                 = -l -e -o -q
}


should I change something in there (in templates)? Or can I just not allow any connections to 113 through the firewall? (if so, how?)

Title: Re: /var/log/secure disturbing messages
Post by: Jon Thiele on December 22, 2001, 10:01:16 PM

Jori wrote:
>

> Does anyone know what this is? when i do a portscan on
> myself, port 113 is open. I read somewhere that 113 is auth?
>
> I have no idea what auth is, but I do want this to go away if
> possible :]

you should look at this message from 10 months ago that explains the open ports and why they are needed:

http://e-smith.org/bboard/read.php?f=3&i=2649&t=2647

Title: Re: /var/log/secure disturbing messages
Post by: Kelvin on December 22, 2001, 11:29:43 PM

Jori,

You can edit the ipchain rules to deny any port 113 connections on your external interface. I do this with all the servers I set up (along with a few other unneeded ports as well :) ). Just search this forum for the word masq and you should be able to find what you need.

Kelvin

Title: Re: /var/log/secure disturbing messages
Post by: Charlie Brady on December 29, 2001, 04:51:17 AM

Kelvin wrote:

> You can edit the ipchain rules to deny any port 113
> connections on your external interface. I do this with all
> the servers I set up (along with a few other unneeded ports
> as well :) ). Just search this forum for the word masq and
> you should be able to find what you need.

No need to edit anything. Just do:

/sbin/e-smith/db configuration setprop auth status disabled
/sbin/e-smith/signal-event remoteaccess-update

Regards

Charlie