
20020521: ADDE logging question (cont.)



>From: Gilbert Sebenste <address@hidden>
>Organization: NIU
>Keywords: 200205211521.g4LFLpa28817 McIDAS Linux ADDE

Gilbert,

re: what machine are we talking about (e.g., weather2)

>Weather.admin.niu.edu, sorry!

OK, this makes more sense now.  weather2 is hardly being used at all.

re: what amount of logging do you consider "tons"

>A line every few minutes.

I took the liberty of logging onto weather and see what you mean.  The
activity by one user - not a Unidata McIDAS site - is intense!

Since I never set up ADDE logging on weather, I decided to go ahead and
do it so we could see what this user is up to.  The steps in doing this
were (for the tracking system):

<login as 'mcidas'>
edit ~mcidas/.mcenv and add:

ADDE_LOGGING=YES
export MCDATA MCPATH MCGUI MCTABLE_READ MCTABLE_WRITE PATH ADDE_LOGGING

cd workdata
redirect.k ADD SERVER.LO\* \"/home/ldm/logs
touch /home/ldm/logs/SERVER.LOG
chmod 666 /home/ldm/logs/SERVER.LOG

Now we can use the ADDE logging file to see what the user at
204.76.133.240 is up to:

weather-niu Mci-32> addeinfo.k TRANS
ADDEINFO: Start
204.76.133.240  user lwpr   1920   .02 2002141 182456 182456 ALA.RTIMAGES/=VERSION
204.76.133.240  user lwpr   1920   .02 2002141 182525 182525 ALA.RTIMAGES/=VERSION
204.76.133.240  user adir  12200   .02 2002141 182553 182553 RTIMAGES/GE-IR
204.76.133.240  user lwpr   1920   .02 2002141 183124 183124 ALA.RTIMAGES/=VERSION
204.76.133.240  user lwpr   1920   .01 2002141 183153 183153 ALA.RTIMAGES/=VERSION
204.76.133.240  user adir  12200   .03 2002141 183221 183221 RTIMAGES/GE-IR
ADDEINFO: Done

It looks like the user has some sort of automated process that is going
out and putting up loops of GOES-East IR images.

A check on who this user is is only partly successful:

(laraine.unidata.ucar.edu) 4690 % nslookup 204.76.133.240
Server:  laraine.unidata.ucar.edu
Address:  128.117.140.62

*** laraine.unidata.ucar.edu can't find 204.76.133.240: No response from server

(laraine.unidata.ucar.edu) 4692 % awhois 204.76.133.240
EchoStar Communications Corporation (NETBLK-ECHOSTAR-NET)
   5701 S. Santa Fe Drive
   Littleton, CO 80120
   US

   Netname: ECHOSTAR-NET
   Netblock: 204.76.128.0 - 204.76.133.255

   Coordinator:
      Piper, Scott  (PS40-ORG-ARIN)  address@hidden
      303-799-8222
Fax- (303) 649-4940

   Domain System inverse mapping provided by:

   NS-1.ECHOSTAR.COM            205.172.144.20
   NS-2.ECHOSTAR.COM            205.172.144.21
   NS1.ECHOSTAR.COM             204.76.131.145

   Record last updated on 27-Dec-1999.
   Database last updated on  20-May-2002 20:01:13 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.

I assume that we could send email to the contact listed above and find
out who the user of your ADDE services is.

re: acting as a community server

>Absolutely! The more the merrier. But I just don't want those cluttering 
>my secure log file.

Got it.

re: ADDE logs to its own files

>Right, which is why I don't want them in the secure log.

re: ADDE server logging should be rotated once per week

>Yep. But weather.admin.niu.edu is an entirely different story!

Right.  I set this up on weather for you a couple of minutes ago.

re: modify /etc/xinetd.d/mcserv and /etc/xinetd.d/mccompress to cut
down on /var/log/secure logging

>OK, I'll do that when I get back.

I will play with this this afternoon.

re: figuring out who the user is

>Ok, will do. Thanks!!! BTW, I do a reverse DNS on the IP address that is 
>grabbing stuff from me frequently and in the process, discovered that 
>nslookup can't find a server anymore. Will have to contact RedHat about 
>that...

Interesting...

OK, as a wrap-up, I will be:

o finalizing ADDE server logging on weather
o trying out the mods to /etc/xinetd.d/mcserv|mccompress

Tom
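
The per-client review of `addeinfo.k TRANS` output done by eye in the message above, as an added Python example (not part of the original thread or of McIDAS). The column meanings (request type, bytes, seconds, CCYYDDD date, HHMMSS start/end times) are assumptions read off the listing, and `parse_trans` and `summarize` are hypothetical names.

```python
from collections import defaultdict
from datetime import datetime

# Four transactions taken from the ADDEINFO listing above; two are given with
# the dataset name on its own line, the form long lines take when they wrap.
SAMPLE = """\
204.76.133.240  user lwpr   1920   .02 2002141 182456 182456
ALA.RTIMAGES/=VERSION
204.76.133.240  user adir  12200   .02 2002141 182553 182553 RTIMAGES/GE-IR
204.76.133.240  user lwpr   1920   .02 2002141 183124 183124
ALA.RTIMAGES/=VERSION
204.76.133.240  user adir  12200   .03 2002141 183221 183221 RTIMAGES/GE-IR
"""

def parse_trans(text):
    """Return one dict per transaction, rejoining wrapped dataset names."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[0].count(".") == 3:
            # Assumed columns: ip, user, request type, bytes, seconds,
            # date (CCYYDDD), start time, end time (HHMMSS), dataset.
            rows.append({
                "ip": f[0], "request": f[2], "bytes": int(f[3]),
                "start": datetime.strptime(f[5] + f[6], "%Y%j%H%M%S"),
                "dataset": f[8] if len(f) > 8 else None,
            })
        elif len(f) == 1 and rows and rows[-1]["dataset"] is None:
            rows[-1]["dataset"] = f[0]  # continuation of the previous line
    return rows

def summarize(rows):
    """Per client IP: request count, bytes, datasets, median gap in seconds."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    out = {}
    for ip, rs in by_ip.items():
        rs.sort(key=lambda r: r["start"])
        gaps = sorted((b["start"] - a["start"]).total_seconds()
                      for a, b in zip(rs, rs[1:]))
        out[ip] = {
            "requests": len(rs),
            "bytes": sum(r["bytes"] for r in rs),
            "datasets": sorted({r["dataset"] or "?" for r in rs}),
            "median_gap_s": gaps[len(gaps) // 2] if gaps else None,
        }
    return out

print(summarize(parse_trans(SAMPLE)))
```

A short, regular gap between requests from one address is what distinguishes a scheduled job from interactive use.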

>From address@hidden Wed May 22 09:17:50 2002
>Subject: Re: 20020521: ADDE logging question (cont.)

Hi Tom,

re: one user's ADDE activity is intense

>Yep!
 
re: looks like an automated process putting up loops

>That's weird. Whatever. As long as he/she's not hacking in, I'm jiggy with 
>it.
 
re: who the user might be

>I wonder if it is NASA or something like that? Betcha it's someone I know 
>and someone who I wouldn't mind giving the data to. I could always shut 
>them down in /etc/hosts.deny, and see if they complain!

>OK. And when I get back, I'll try the upgrade of LDM-McIDAS. Not sure if 
>it looks fun, but what the hey.