Re: logwatch message that i don't understand

[Ed Wilts <ewilts ewilts org>]

On Thu, Jul 11, 2002 at 09:24:57AM -0700, daniel wrote:
> i got this in my logwatch email to root the other day:
> 
> g68B22hG013075: g68B24hG013077: DSN: User unknown

The cryptic number is the sendmail message ID.  You can grep your
maillog for all occurrences of this string if you're interested.  What I
believe is happening is that somebody is trying to send a message to an
unknown user at your site (or it's the bounce of a message back to you
when you sent to an unknown user - I can't remember which).

> most notably the 'unmatched entries' in things like sendmail, proftpd and
> sshd are bothering me.  that and the fact that i'm getting tonnes of
> attempted annonymous ftp connections when i don't support annonymous ftp and
> to my knowledge, i'm not advertising the fact that i'm running an ftp server
> anywhere.

There will be port scans and you'll get people trying to connect your
system regularly.  I solved this by disallowing anonymous ftp and
ignoring the message (they can't get anywhere anyway).  For ssh, I add a
hosts.deny and hosts.allow entry to restrict where the ssh connections
can come from since I know where I always connect to my home system
from.  I've got ftp blocked at my firewall currently.

-- 
Ed Wilts, Mounds View, MN, USA
mailto:ewilts ewilts org