Operating System - HP-UX

telnet/tcp connection reporting

 
Peter Gillis
Super Advisor

telnet/tcp connection reporting

Hi, ux 11.11 v1, RP2470.

I have many messages in syslog as follows:

Oct 10 05:55:51 saturn inetd[16520]: telnet/tcp: Connection from unknown (aaa.b.ccc.dd) at Tue Oct 10 05:55:51 2006

I am wondering what they really mean. I have added some script into /etc/profile so that I can see in the log the logname and IP of where the users are logging in from, and some of the telnet/tcp connection messages do match up to these user login messages that I get. But there are many of these telnet/tcp messages that go on forever. Some I have noticed occur on the hour every hour. These are actual RF devices that I believe are not powered off, and so even if a user is not logged on, there is still some sort of communication going on - basically polling the system waiting for a user to log them on. Is this what these telnet/tcp messages really mean?

Hope someone understands my words here and can help me. thanks, Maria
Steven E. Protter
Exalted Contributor

Re: telnet/tcp connection reporting

Shalom

inetd -l

this enables connection logging and should at least provide an ip address.

/etc/inetd.conf can be configured to log telnet all the time with the -l parameter inside.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Rajeev  Shukla
Honored Contributor

Re: telnet/tcp connection reporting

Yes, running inetd -l will give you a better idea about the ports that that particular connection is trying to access, and then you can see the service that device is requesting by looking at your /etc/services file.
Now, as far as I know, the RF scanners, even if they are left on, do not poll until and unless some activity or request is made from the device side. Usually the way the RF scanners are configured is that they talk to a particular port defined in /etc/services, which then triggers a program defined in the /etc/inetd.conf file, and it's a TCP/IP socket established until the RF scanner terminates it, and from there the application talks to the RF scanner on that TCP/IP socket until the connection is dropped or terminated from either side.
Peter Gillis
Super Advisor

Re: telnet/tcp connection reporting

Thanks for info. I do actually have logging enabled. That is why I can see the full telnet/tcp message:

Oct 10 05:55:51 saturn inetd[16520]: telnet/tcp: Connection from unknown (aaa.b.ccc.dd) at Tue Oct 10 05:55:51 2006

What I am asking is: What is this message really telling me? How do I troubleshoot it? Is it really saying that IP address aaa.b.ccc.dd is trying to make a connection to the unix server via the telnet/tcp service? What determines how often these messages appear in the log?

regards
Maria
Yang Qin_1
Honored Contributor

Re: telnet/tcp connection reporting

If you want to have an idea how many times aaa.b.ccc.dd tried to telnet to your server, you can run

grep "Connection from unknown (aaa.b.ccc.dd)" /var/adm/syslog/syslog.log

It will list all records concerning aaa.b.ccc.dd.

grep "Connection from unknown (aaa.b.ccc.dd)" /var/adm/syslog/syslog.log|wc -l

will show you how many records there are in syslog.log.

Yang
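
Added example, not part of the post above: it extends the single-address grep to every source address at once and records the minute of the hour each connection arrived in, so the hourly RF-device connections described in the question stand apart from interactive logins. The function names and the sample addresses (documentation ranges) are constructed for illustration; the log line layout is the one quoted in the thread.

```shell
# Added example: per-source summary of inetd connection-logging lines.
# Output columns (tab-separated): count, source, first seen, last seen,
# distinct minute-of-hour values. A high count confined to one minute value
# points at a device reconnecting on a timer rather than a person logging in.
summarize_inetd() {   # $1 = service tag as logged, $2 = log file
    awk -v svc="$1" '
    index($0, " inetd[") && index($0, svc ": Connection from ") {
        rest = substr($0, index($0, "Connection from "))
        o = index(rest, "("); c = index(rest, ")")
        if (o == 0 || c <= o) next          # address missing or line wrapped
        ip = substr(rest, o + 1, c - o - 1)
        stamp = $1 " " $2 " " $3            # syslog timestamp: Mon DD HH:MM:SS
        split($3, t, ":")                   # t[2] is the minute of the hour
        if (!(ip in n)) first[ip] = stamp
        n[ip]++; last[ip] = stamp
        if (index(mins[ip] ",", "," t[2] ",") == 0) mins[ip] = mins[ip] "," t[2]
    }
    END {
        for (ip in n)
            printf "%d\t%s\t%s\t%s\t%s\n", n[ip], ip, first[ip], last[ip], substr(mins[ip], 2)
    }' "$2" | sort -rn
}

# Constructed sample lines in the format quoted in the thread.
write_sample() {
    cat > "$1" <<'EOF'
Oct 10 03:00:02 saturn inetd[16520]: telnet/tcp: Connection from unknown (192.0.2.10) at Tue Oct 10 03:00:02 2006
Oct 10 04:00:02 saturn inetd[16520]: telnet/tcp: Connection from unknown (192.0.2.10) at Tue Oct 10 04:00:02 2006
Oct 10 05:00:03 saturn inetd[16520]: telnet/tcp: Connection from unknown (192.0.2.10) at Tue Oct 10 05:00:03 2006
Oct 10 05:55:51 saturn inetd[16520]: telnet/tcp: Connection from unknown (198.51.100.7) at Tue Oct 10 05:55:51 2006
Oct 10 05:56:10 saturn inetd[16520]: ftp/tcp: Connection from unknown (198.51.100.7) at Tue Oct 10 05:56:10 2006
EOF
}

sample=${TMPDIR:-/tmp}/inetd_sample.$$
write_sample "$sample"
summarize_inetd telnet/tcp "$sample"
rm -f "$sample"
```

Against the real log the call would be `summarize_inetd telnet/tcp /var/adm/syslog/syslog.log`.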
Ivan Krastev
Honored Contributor

Re: telnet/tcp connection reporting

Hi Maria,

Often these messages are from port scanners that will try to exploit some weak services - for example telnet. If you don't use it, better to disable telnet (from /etc/inetd.conf) or switch to something more secure - ssh.

cheers,
ivan
Rajeev  Shukla
Honored Contributor
Solution

Re: telnet/tcp connection reporting

- What is this message really telling me??
It is telling you that an RF scanner with that IP address is trying to make a connection on that port on this server.

- how do trouble shoot it?
You can run netstat -an to see all the RF scanners (even the one with aaa.b.ccc.dd) connected with a TCP connection on the defined port.

- What determines how often these messages appear in the log?
These messages will appear every time the scanner connects and disconnects from the system.
Peter Gillis
Super Advisor

Re: telnet/tcp connection reporting

Thank you for the responses. You have confirmed for me that the messages being logged were simply indicating that a connection was being attempted for devices at particular IP addresses.
thanks. Maria