[lug] Identd error...

Justin glow at jackmoves.com
Tue Aug 28 08:30:27 MDT 2001


Well, I figured out what is causing this and I think I know why. A user 
on the machine has a couple of irc bots that are trying to connect to 
each other from two different IPs on my machine (an eth0 and an eth0:1). 
For whatever reason the bots are trying to authenticate every minute; 
I'm not sure why my syslog just shows the errors every few minutes or 
whatever. But anyways, I think it has something to do w/ the iptables 
firewall not routing stuff between my local IPs (I'm using shorewall 
so I think I know how to fix this). Anyways, I won't be able to test 
until later tonight or tomorrow, so I'll reply back on how things went 
later on...

Justin

> It does sound like the source of the request is on your local machine.
> Add a firewall rule to log all input chain activity on all interfaces
> for tcp port 113. You might also check if your identd is actually running
> right. Assuming RH, run:
> /etc/rc.d/init.d/identd status
> 
> Also try to telnet to port 113 on localhost, type in some nonsense, see
> if it accepts and drops you after typing in nonsense (it should).
> 
> D. Stimits, stimits at idcomm.com
> 
> Justin wrote:
> > 
> > Hrmm, well I'll see if anything shows up in a logger. The weird thing
> > is these errors are showing up in intervals of 1-5 minutes always on
> > the 00 second:
> > 
> > Aug 27 15:18:00 deviant identd[28359]: request_thread: read(10, ..., 1023) failed: Connection reset by peer
> > Aug 27 15:19:00 deviant identd[28361]: request_thread: read(10, ..., 1023) failed: Connection reset by peer
> > Aug 27 15:22:00 deviant identd[28377]: request_thread: read(10, ..., 1023) failed: Connection reset by peer
> > Aug 27 15:24:31 deviant PAM_pwdb[26395]: (sshd) session closed for user monicle
> > Aug 27 15:25:00 deviant identd[28384]: request_thread: read(10, ..., 1023) failed: Connection reset by peer
> > Aug 27 15:27:00 deviant identd[28393]: request_thread: read(10, ..., 1023) failed: Connection reset by peer
> > 
> > I don't think this would be some sort of malicious activity.
> > 
> > Justin
> > 
> > > Justin wrote:
> > > >
> > > > I have been getting tons of these errors in my log but I have no idea
> > > > what they are from. Anyone have any idea?
> > > >
> > > > Aug 26 04:09:00 deviant identd[18103]: request_thread: read(9, ..., 1023) failed: Connection reset by peer
> > > >
> > >
> > > I haven't heard of any exploits against identd. I suppose it is possible
> > > that someone is using a spoof of your ID for DoS against someone, and
> > > that other party being hit is trying to auth the source. You might want
> > > to turn on ipchains logging of port 113 to see if the hits are all from
> > > one machine (or just a few).
> > >
> > > D. Stimits, stimits at idcomm.com
> > >
> > > > TIA.
> > > >
> > > > Justin
> > > >
> > > > -----
> > > > glow at jackmoves.com
> > > > www.jackmoves.com
> > > > _______________________________________________
> > > > Web Page:  http://lug.boulder.co.us
> > > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

-----
glow at jackmoves.com
www.jackmoves.com
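The two checks suggested in this thread, logging firewall hits on TCP port 113 to see whether they all come from one machine, and looking at the timing of the identd errors, can be scripted against syslog. The following is an added example and not code from anyone in the thread: it parses the identd lines quoted above plus some constructed kernel LOG lines, and assumes a logging rule such as `iptables -I INPUT -p tcp --dport 113 -j LOG --log-prefix "IDENT: "` so the hits appear in syslog in the standard kernel LOG format. The 192.0.2.x addresses, interface names and counters in the sample are constructed, not from the original machine.

```python
"""Summarize identd "Connection reset by peer" errors and port-113 firewall
LOG hits from syslog: do the hits come from a few sources, and do the errors
land on a regular (scheduled) cadence rather than at random?"""
import re
from collections import Counter
from datetime import datetime

# identd error line as quoted in the thread, e.g.
# "Aug 27 15:18:00 deviant identd[28359]: request_thread: read(10, ..., 1023) failed: Connection reset by peer"
IDENTD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"identd\[(?P<pid>\d+)\]: request_thread: read\(\d+, \.\.\., \d+\) "
    r"failed: (?P<err>.+)$"
)

# Kernel iptables LOG line for TCP traffic to port 113 with the prefix "IDENT: "
# (assumes a rule like: iptables -I INPUT -p tcp --dport 113 -j LOG --log-prefix "IDENT: ").
LOG_RE = re.compile(
    r"kernel: IDENT: IN=(?P<iface>\S*) OUT=\S* .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=TCP SPT=(?P<spt>\d+) DPT=113\b"
)


def parse_identd_errors(lines, year=2001):
    """Return (timestamp, pid, error) for each identd request_thread failure.
    Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in lines:
        m = IDENTD_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, int(m["pid"]), m["err"]))
    return events


def interval_stats(events):
    """Gaps between consecutive errors, and whether every one fell on second :00.
    All-on-:00 points at something scheduled (a cron job or a bot timer) rather
    than random remote scanning."""
    times = sorted(ts for ts, _, _ in events)
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return {
        "count": len(times),
        "gaps_seconds": gaps,
        "all_on_second_zero": bool(times) and all(t.second == 0 for t in times),
    }


def ident_sources(lines):
    """Count port-113 firewall LOG hits by (interface, source, destination).
    A short list with high counts means one or a few machines; two local
    aliases talking to each other show up on the loopback interface."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            counts[(m["iface"], m["src"], m["dst"])] += 1
    return counts


# Sample syslog: the identd/PAM lines quoted in the thread, interleaved with
# CONSTRUCTED kernel LOG lines (192.0.2.x documentation addresses, not real hosts).
SAMPLE_LOG = """\
Aug 27 15:18:00 deviant identd[28359]: request_thread: read(10, ..., 1023) failed: Connection reset by peer
Aug 27 15:18:00 deviant kernel: IDENT: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.10 DST=192.0.2.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4812 DF PROTO=TCP SPT=1045 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 27 15:19:00 deviant identd[28361]: request_thread: read(10, ..., 1023) failed: Connection reset by peer
Aug 27 15:19:00 deviant kernel: IDENT: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.11 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4819 DF PROTO=TCP SPT=1046 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 27 15:22:00 deviant identd[28377]: request_thread: read(10, ..., 1023) failed: Connection reset by peer
Aug 27 15:22:00 deviant kernel: IDENT: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.10 DST=192.0.2.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4831 DF PROTO=TCP SPT=1047 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 27 15:24:31 deviant PAM_pwdb[26395]: (sshd) session closed for user monicle
Aug 27 15:25:00 deviant identd[28384]: request_thread: read(10, ..., 1023) failed: Connection reset by peer
Aug 27 15:27:00 deviant identd[28393]: request_thread: read(10, ..., 1023) failed: Connection reset by peer
""".splitlines()


def summarize(lines=SAMPLE_LOG):
    """Combine both checks into one report for a set of syslog lines."""
    events = parse_identd_errors(lines)
    return {"identd": interval_stats(events), "sources": ident_sources(lines).most_common()}


if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, value)
```

On the sample, every identd error sits on second :00 with gaps of 1 to 3 minutes, and all port-113 hits are between the two local addresses over `lo`, which is the picture the thread ends up with (a scheduled local bot, not a remote probe). On a real box the same script would run over `/var/log/messages`, and a long tail of distinct `SRC` values would instead suggest many remote identd lookups against the host.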