From owner-freebsd-security Wed Oct 21 06:12:58 1998
Message-Id: <3.0.3.32.19981021080757.010c7324@207.227.119.2>
Date: Wed, 21 Oct 1998 08:07:57 -0500
To: "N. N.M"
From: "Jeffrey J. Mountin"
Subject: Re: Again logging!
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <19981021080010.12544.qmail@hotmail.com>

At 01:00 AM 10/21/98 PDT, N. N.M wrote:
>I'm sure about it. You know, all of these discussions on TABS and SPACES
>in this mailing list, started when I had some problems with my
>syslogd.conf (you see, I've had some problems with logging for a long
>time!!!) and sent a mail there. Then someone kindly noticed me about the
>difference between spaces and tabs!

vi syslog.conf
/ 
pattern not found?

Surely you are certain. ;)

Looking back on the thread you make no mention of what version or any
other details, maybe that will help.

Maybe a long shot, but compare the /usr/sbin/syslogd to the one on the 2nd
CD. Is it possible the system was compromised? Not likely, but twice I have
been panicked and not taking it for granted did an audit. To my relief and
chagrin, both times were pilot error. Still I've done enough audits to not
make light of the possibility.

Or something corrupted, do you have other servers setup in a similar
fashion?

>>Can you "logger -p lpr.info message" and get a message in /var/log/messages?
>>(Just verifying that syslogd is working.)
>
>Yes, it works. I also used the syslogd with switch -d (debug mode), as
>it (syslogd -d) works, it mentions whenever it logs something, it
>doesn't log anything related to TELNET or FTP to "inetd.log" (the file
>is supposed to log the inetd-related matters).

You tried 'logger -p (telnet|ftp).info' too?

Distribution ftpd?

Your inetd.conf has entries like:

ftp stream tcp nowait root /usr/local/libexec/tcpd /usr/libexec/ftpd -l
telnet stream tcp nowait root /usr/local/libexec/tcpd /usr/libexec/telnetd -h

The /usr/local/etc/hosts.(allow|deny) has:

ftpd:
telnetd:

Have you tried the following in inetd.conf:

auth.*	/path/to/inetd.log

And inetd.log is at least mode 600 owned by root.

If all this checks out, my preference would be wipe the system and start
over again. This may not be an option, but is worth considering.

luck!

Jeff Mountin - Unix Systems TCP/IP networking
jeff@mountin.net
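Added example, not part of the original message or of FreeBSD: a small Python lint for the two checks discussed in this thread, a selector and action separated by tabs rather than spaces, and a log file that is owned by root with no group or other access. It assumes a syslogd that accepts only tabs as the separator; the function names and the sample configuration are constructed for illustration.

```python
import os
import re
import stat

# Constructed sample: the auth.* rule uses spaces where the separator should be tabs.
SAMPLE_CONF = (
    "# constructed sample syslog.conf\n"
    "auth.*    /var/log/inetd.log\n"
    "lpr.info\t\t/var/log/lpd-errs\n"
    "*.emerg\t*\n"
)

def lint_syslog_conf(text):
    """Return (line_number, problem) pairs for rules without a tab-only separator."""
    problems = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue  # blank line, comment, or program-name block
        match = re.match(r"^(\S+)([ \t]+)(\S.*)$", stripped)
        if match is None:
            problems.append((number, "no whitespace between selector and action"))
        elif " " in match.group(2):
            problems.append((number, "space in separator; use tabs only"))
    return problems

def log_targets(text):
    """List file actions (paths starting with '/') named in the rules."""
    found = (re.match(r"^[^#!\s]\S*[ \t]+(/\S+)", line) for line in text.splitlines())
    return [m.group(1) for m in found if m]

def check_log_file(path):
    """Return None if path is root-owned with mode 600 or tighter, else the problem."""
    try:
        info = os.stat(path)
    except FileNotFoundError:
        return "missing"
    if info.st_uid != 0:
        return "not owned by root"
    if stat.S_IMODE(info.st_mode) & 0o077:
        return "accessible by group or other"
    return None

if __name__ == "__main__":
    for number, problem in lint_syslog_conf(SAMPLE_CONF):
        print(f"line {number}: {problem}")
    for path in log_targets(SAMPLE_CONF):
        print(path, check_log_file(path) or "ok")
```

To check a live system, pass the contents of /etc/syslog.conf to lint_syslog_conf and log_targets instead of the sample.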