Syslog-ng and tcpd
Hi --

I'm noticing lots of these in the /var/log/messages file:

Mar 24 15:16:07 domU-12-31-39-00-09-F2 syslog-ng[25138]: warning: /etc/hosts.allow, line 17: host name/name mismatch: ec2-67-202-53-122.compute-1.amazonaws.com != domU-12-31-35-00-04-A1.z-2.compute-1.internal
Mar 24 15:16:07 domU-12-31-39-00-09-F2 syslog-ng[25138]: Syslog connection rejected by tcpd; from='AF_INET(67.202.53.122:48703)'
Mar 24 15:16:17 domU-12-31-39-00-09-F2 syslog-ng[25138]: Syslog connection accepted; fd='22', client='AF_INET(67.202.53.122:48187)', local='AF_INET(0.0.0.0:5000)'

Apparently, access is being denied, as it should be. It's just a little disconcerting to see the "connection accepted" message after it has been rejected.

telnet this.domain.com 5000
Trying 171.122.232.186...
Connected to this.domain.com.
Escape character is '^]'.
Connection closed by foreign host.

Is this the expected behavior? Is there some way to prevent all these messages from showing up in the log file?

Liam

--
Liam Kirsher
PGP: http://liam.numenet.com/pgp/
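An added example, not part of any message in this thread: a small Python triage script over the log format quoted in the original post. It groups syslog-ng's "rejected by tcpd" and "connection accepted" messages by client address and source port, so a reader can tell whether the two messages refer to the same connection or to separate attempts. The sample lines are constructed from the post, the function names are hypothetical, and comparing source ports is a heuristic assumed here.

```python
import re
from collections import defaultdict

# Constructed sample: the three messages quoted in the post, one per line.
SAMPLE = """\
Mar 24 15:16:07 domU-12-31-39-00-09-F2 syslog-ng[25138]: warning: /etc/hosts.allow, line 17: host name/name mismatch: ec2-67-202-53-122.compute-1.amazonaws.com != domU-12-31-35-00-04-A1.z-2.compute-1.internal
Mar 24 15:16:07 domU-12-31-39-00-09-F2 syslog-ng[25138]: Syslog connection rejected by tcpd; from='AF_INET(67.202.53.122:48703)'
Mar 24 15:16:17 domU-12-31-39-00-09-F2 syslog-ng[25138]: Syslog connection accepted; fd='22', client='AF_INET(67.202.53.122:48187)', local='AF_INET(0.0.0.0:5000)'
"""

# Matches only the two connection verdict messages; the hosts.allow warning is skipped.
EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ syslog-ng\[\d+\]: "
    r"Syslog connection (?P<verdict>rejected by tcpd|accepted); "
    r".*?(?:from|client)='AF_INET\((?P<ip>[\d.]+):(?P<port>\d+)\)'"
)


def parse_events(text):
    """Return (timestamp, client_ip, source_port, verdict) for each verdict line."""
    events = []
    for line in text.splitlines():
        m = EVENT.match(line)
        if m:
            verdict = "rejected" if m["verdict"].startswith("rejected") else "accepted"
            events.append((m["ts"], m["ip"], int(m["port"]), verdict))
    return events


def mixed_verdict_clients(events):
    """Clients that show both verdicts, with the source ports seen for each.

    A source port present under both verdicts suggests one connection logged
    twice; disjoint ports suggest separate connection attempts (heuristic).
    """
    per_ip = defaultdict(lambda: {"rejected": [], "accepted": []})
    for _ts, ip, port, verdict in events:
        per_ip[ip][verdict].append(port)
    report = {}
    for ip, v in per_ip.items():
        if v["rejected"] and v["accepted"]:
            shared = sorted(set(v["rejected"]) & set(v["accepted"]))
            report[ip] = {"same_connection_ports": shared, **v}
    return report


if __name__ == "__main__":
    for ip, info in mixed_verdict_clients(parse_events(SAMPLE)).items():
        print(ip, info)
```
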
Quoting Liam Kirsher from 3/24/09 3:35 PM
Apparently, access is being denied, as it should be. It's just a little disconcerting to see the "connection accepted" message after it has been rejected.
telnet this.domain.com 5000
Trying 171.122.232.186...
Connected to this.domain.com.
Escape character is '^]'.
Connection closed by foreign host.
This would be the same behavior as, say, a machine running sshd with tcp_wrappers. If it really bothers you, perhaps check out the twist option in hosts_access(5). At least with this, the "badguy" doesn't get any access to your program; they get whatever shell command you chose (i.e. /bin/echo "Bugger Off"), then get disconnected. OTOH, twist improperly implemented might get you into more trouble :-)

-Matt Cuttler
On Tue, 2009-03-24 at 12:35 -0700, Liam Kirsher wrote:
Hi --
I'm noticing lots of these in the /var/log/messages file:

Mar 24 15:16:07 domU-12-31-39-00-09-F2 syslog-ng[25138]: warning: /etc/hosts.allow, line 17: host name/name mismatch: ec2-67-202-53-122.compute-1.amazonaws.com != domU-12-31-35-00-04-A1.z-2.compute-1.internal
Mar 24 15:16:07 domU-12-31-39-00-09-F2 syslog-ng[25138]: Syslog connection rejected by tcpd; from='AF_INET(67.202.53.122:48703)'
Mar 24 15:16:17 domU-12-31-39-00-09-F2 syslog-ng[25138]: Syslog connection accepted; fd='22', client='AF_INET(67.202.53.122:48187)', local='AF_INET(0.0.0.0:5000)'

Apparently, access is being denied, as it should be. It's just a little disconcerting to see the "connection accepted" message after it has been rejected.

telnet this.domain.com 5000
Trying 171.122.232.186...
Connected to this.domain.com.
Escape character is '^]'.
Connection closed by foreign host.

Is this the expected behavior? Is there some way to prevent all these messages from showing up in the log file?
Thanks for reporting this. This patch fixes this behaviour (committed to current HEAD). Tomorrow's nightly snapshot should contain it, or you can clone the repository.

commit 6fbea222dd8b8531db12c14d23120cfcc3150f5d
Author: Balazs Scheidler <bazsi@balabit.hu>
Date: Wed Mar 25 11:27:28 2009 +0100

    [afsocket] clarified logging about rejected connections

    Liam reported that the error messages generated when tcp wrapper
    rejected the connections can easily be misunderstood. This behaviour
    was fixed.

    Also, when connections are rejected, the closure of the file descriptor
    was refactored to a single spot instead of closing it in all failure
    branches.

    Reported-By: Liam Kirsher

--
Bazsi