Logwatch?

Wolfgang S. Rupprecht wolfgang.rupprecht+gnus200705 at gmail.com
Sun May 27 20:08:35 UTC 2007


"Knute Johnson" <knute at frazmtn.com> writes:
>  Connection attempts using mod_proxy:
>     220.132.60.97 -> msa.hinet.net:25: 1 Time(s)
> Above is a piece of my logwatch email today.  What is msa.hinet.net 
> actually trying to do here?  

Probably msa.hinet.net isn't doing anything but being the target of
some proxy spamming attempt.  I've found that the simplest way to
unravel such logs is to just keep a week's worth of "tcpdump -w" logs
and then use wireshark (formerly ethereal) to read the appropriate
logs.  The "follow tcp stream" option when highlighting a tcp packet
is a great way to see what both sides were doing.

I normally just run tcpdump in an infinite shell loop with a counter
incrementing.  Then if the syslogs show something I don't understand
I'll look at the packets around that time by wireshark-ing the
appropriate tcpdump file.

  tcpdump -i eth0 -s 1500 -c 5000 -w eth0-$cnt.tcpdump

Disk space is relatively cheap.  It normally only takes a few gigs,
which at today's prices is well under a buck.

-wolfgang
-- 
Wolfgang S. Rupprecht                http://www.wsrcc.com/wolfgang/
Hints for IPv6 on FC6 http://www.wsrcc.com/wolfgang/fedora/ipv6-tunnel.html
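The counted tcpdump loop and the "look at the packets around that time" step, as an added POSIX shell example that is not the poster's own script; the interface name, capture directory and seven-day retention are assumptions:

```shell
#!/bin/sh
# Added example: rotate tcpdump captures with an incrementing counter, prune
# files older than a week, and find which capture to open in wireshark for a
# given syslog timestamp. Interface and directory are assumed values.
IFACE="${IFACE:-eth0}"            # assumption: capture interface
CAPDIR="${CAPDIR:-/var/log/pcap}" # assumption: where capture files live
KEEP_DAYS=7                       # "a week's worth" of captures

# Next counter value: one past the highest existing $IFACE-N.tcpdump in dir.
next_counter() {
  dir=$1; last=0
  for f in "$dir"/"$IFACE"-*.tcpdump; do
    [ -e "$f" ] || continue            # unmatched glob stays literal; skip it
    n=${f##*-}; n=${n%.tcpdump}
    case $n in ''|*[!0-9]*) continue;; esac   # ignore non-numeric suffixes
    [ "$n" -gt "$last" ] && last=$n
  done
  echo $((last + 1))
}

# Capture files whose last write (mtime) is after a syslog timestamp given in
# touch -t form, CCYYMMDDhhmm[.SS]. The file that was still being written
# when the event happened finishes later, so it is always among these.
captures_since() {
  dir=$1; stamp=$2
  ref=$(mktemp) || return 1
  touch -t "$stamp" "$ref"
  find "$dir" -name "$IFACE-*.tcpdump" -newer "$ref" | sort
  rm -f "$ref"
}

# Infinite capture loop: 5000 full-size packets per file, counter incrementing,
# old captures pruned after each file is closed. Needs root for tcpdump.
capture_loop() {
  cnt=$(next_counter "$CAPDIR")
  while :; do
    tcpdump -i "$IFACE" -s 1500 -c 5000 -w "$CAPDIR/$IFACE-$cnt.tcpdump" || break
    cnt=$((cnt + 1))
    find "$CAPDIR" -name "$IFACE-*.tcpdump" -mtime +"$KEEP_DAYS" -exec rm -f {} +
  done
}

# Only start capturing when explicitly asked: sh script.sh run
if [ "${1:-}" = run ]; then capture_loop; fi
```

Usage: `captures_since /var/log/pcap 200705271530` lists the files to open in wireshark for an event logged at 15:30 on that day; newer tcpdump versions can also rotate on their own with `-G`/`-W` and a strftime pattern in `-w`.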