The Connection Refused Audit Message indicates that an incoming TCP/IP connection attempt was not allowed.
This message is generated whenever the node refuses a connection. An inbound connection can fail for several reasons, which are described in the entry below for the Result field.
Code | Field | Description |
---|---|---|
SEID | Service Identifier | The unique identifier of the service to which the connection was attempted. Values of interest include: |
CNDR | Connection Direction | Indicates that the connection was opened by a remote host: INBO: connection initiated by a remote host connecting to the node |
SVIP | Destination Service Port | The port to which the connection attempt was made. |
DAIP | Destination IP Address | The IP address to which the connection attempt was made (remote IP address). |
SAIP | Source IP Address | The IP address from which the connection attempt was made (local IP address). |
CNID | Connection Identifier | The unique identifier of the attempted connection. |
RSLT | Result Code | Why the attempted connection was refused. IPAR: inbound IP address was not from allowed range. ATHF: TCP/IP connection-level authentication failure. |
For incoming connections, this audit message means that a connection was not successfully established at the lowest level due to a security violation. When this message is received, the corresponding user was not able to access the service and the TCP/IP connection was closed. The most common reporting use of this message is to detect unauthorized attempts to access services running on the system from foreign IP addresses that have not been explicitly given access to the service.
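The reporting use described above, as an added example that is not part of the original documentation: it groups refused inbound connections by source address and result code and reports sources that reach a threshold. The bracketed `[CODE:value]` record layout, the sample records, and the `threshold` parameter are assumptions made for illustration; only the field and result codes come from the table.

```python
import re
from collections import Counter, defaultdict

# Assumed layout: bracketed [CODE:value] or [CODE(TYPE):value] pairs per record.
FIELD_RE = re.compile(r"\[([A-Z]{4})(?:\([A-Z0-9]+\))?:([^\[\]]*)\]")
REFUSAL_CODES = {"IPAR", "ATHF"}  # RSLT values listed in the table above

# Constructed sample records; addresses are from documentation ranges.
SAMPLE_LOG = """\
[CNDR:INBO][SVIP:18082][DAIP:192.0.2.10][SAIP:203.0.113.7][CNID:1001][RSLT:IPAR]
[CNDR:INBO][SVIP:18082][DAIP:192.0.2.10][SAIP:203.0.113.7][CNID:1002][RSLT:IPAR]
[CNDR:INBO][SVIP:22][DAIP:192.0.2.10][SAIP:203.0.113.7][CNID:1003][RSLT:ATHF]
[CNDR:INBO][SVIP:18082][DAIP:192.0.2.11][SAIP:198.51.100.23][CNID:1004][RSLT:ATHF]
[CNDR:INBO][SVIP:18082][DAIP:192.0.2.10][SAIP:203.0.113.7][CNID:1005][RSLT:IPAR]
truncated line with no fields
"""

def parse_record(line):
    """Return one record's fields as a dict keyed by four-letter code."""
    return dict(FIELD_RE.findall(line))

def summarize_refusals(lines, threshold=3):
    """Group refused inbound connections by SAIP; report sources at or above threshold."""
    by_result = defaultdict(Counter)
    ports = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        # Skip anything that is not a refused inbound connection with full fields.
        if rec.get("CNDR") != "INBO" or rec.get("RSLT") not in REFUSAL_CODES:
            continue
        if "SAIP" not in rec or "SVIP" not in rec:
            continue
        by_result[rec["SAIP"]][rec["RSLT"]] += 1
        ports[rec["SAIP"]].add(rec["SVIP"])
    report = []
    for source, counts in by_result.items():
        total = sum(counts.values())
        if total >= threshold:
            report.append({"source": source, "total": total,
                           "by_result": dict(counts), "ports": sorted(ports[source])})
    return sorted(report, key=lambda r: r["total"], reverse=True)

if __name__ == "__main__":
    for row in summarize_refusals(SAMPLE_LOG.splitlines()):
        print(row)
```

A source that accumulates IPAR refusals is connecting from outside the allowed range, while repeated ATHF refusals point at failed connection-level authentication, so the per-result breakdown tells the two cases apart.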