LinuxQuestions.org
Old 06-28-2001, 08:30 AM   #1
bfloeagle
Console Messages


I posted a question about this a long time ago, http://www.linuxquestions.org/questi...=&threadid=887

But now it has come back to haunt me. I now have cable, RH 7.1, and using iptables instead of ipchains. Somebody really really dumb (or extremely smart) on my subnet is trying to connect to a single port on my broadcast ip. It may be a port scan or just someone not knowing how to run a server properly. As expected, they are being denied by my firewall. So I am not worried about being hacked (just yet). But the DENY messages will not stop coming up on my console. The problem is that this person is continuously trying to connect to this port. Somehow they are rotating through about 3000 udp ports trying to connect to this one port. So, for every port they try to connect from, I get a deny message. 1 every 3 seconds....... but for the past month!!!! Yes, my logs are HUGE. This is obviously cluttering up my console and I cannot use it because I can never see what I am typing and what directory I am in. So.......

I have removed every reference to /dev/console in my syslog.conf. The only thing in there that I can see that might cause this is "*.emerg *" but I do not think DENY messages are emergency messages from the kernel. Anyone know why these messages would still be popping up on my screen? (The only way I can get them to stop is to turn off logging in gShield, which I do not want to do.)

Andy
 
Old 06-29-2001, 01:33 AM   #2
DavidPhillips
Do you have any daemons like mon or portsentry?
 
Old 06-29-2001, 02:43 AM   #3
mcleodnine
Maybe the solution is to get the actual problem solved. Most (all?) ISPs actively pursue members that run portscans against other members (as well as anybody on the internet). It's boilerplate text on most AUP (Acceptable Use Policy) agreements on your (and the bad guy's)

Copy the logs, trim them for brevity, and mail them to whoever is responsible (abuse@your.isp).

Make sure the date and times are accurate so that they can find who had the IP address lease.

I've sent two out so far this year and although I never got anything more than an autoresponse mail message, the problems went away quickly.
 
Old 06-29-2001, 06:37 AM   #4
bfloeagle
DavidPhillips, no I do not have those daemons running. Sorry for being ignorant, but why do you ask? I'm not sure what mon does and I was a little wary about setting up portsentry to make a default route to nowhere blocking the host because a person can spoof any popular website or DNS server or anything and I would be out of luck...

mcleodnine, I have already done that but was not too pleased by what I found. Yes, my cable company does not allow port scans and they do have a nice system for reporting, but I fear I may be overlooked due to the large customer base. Let me put it this way. Their system sends an auto message back to you with a ticket number saying they got your request. My first attempt just asked what to do. I got a ticket number and the auto message mentioned to include the logs if I didn't. So, I sent the email again with the logs about an hour later. My trouble ticket was 9000 numbers higher than my first one. BTW, I have Adelphia Powerlink. My guess is that if they DID get to it, it would be a month or so down the line...

You mentioned you got an auto response message too. Mind if I ask what ISP you are using?

Andy
 
Old 06-29-2001, 10:31 AM   #5
bfloeagle
I spoke too soon!!!!

I must have spoken too soon. Right after I posted the last message, I decided to check my logs. There has not been one instance of that message during the entire night. And that is even with logging all messages at debug level. I guess Adelphia is A LOT quicker than I thought. But now something else has come up, thankfully not so annoying.

On the screen again, as well as in my logs the following comes up every minute or so:

Jun 29 11:12:18 Voyager kernel: gShield (default drop) IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:c0:f0:4b:f0:51:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=256 PROTO=UDP SPT=68 DPT=67 LEN=308

From what I think I know, this message is being generated by my machine trying to connect to a bootp (port 67 is a bootps and port 68 is a bootpc port) server on Adelphia's network. The only thing that bothers me is that the MAC address matches NEITHER of my ethernet cards... This is why I think something else may be going on.

Does anyone know how to properly read IPTables logs or a good source where I can learn more about the logs?

Andy
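As an added example for Andy's question about reading iptables LOG lines (this is not code from any poster in the thread), here is a small Python parser run over the exact line he quoted. The MAC= field in these entries packs three things in order: destination MAC, source MAC and the EtherType, so the source MAC tells you which host on the segment sent the frame; the list of local interface MACs passed to classify() is a constructed placeholder.

```python
import re

# Constructed sample: the kernel LOG line quoted in this thread, as written
# to syslog with the "gShield (default drop)" log prefix.
SAMPLE = ("Jun 29 11:12:18 Voyager kernel: gShield (default drop) IN=eth1 OUT= "
          "MAC=ff:ff:ff:ff:ff:ff:00:c0:f0:4b:f0:51:08:00 SRC=0.0.0.0 "
          "DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=256 "
          "PROTO=UDP SPT=68 DPT=67 LEN=308")

ETHERTYPES = {"08:00": "IPv4", "08:06": "ARP", "86:dd": "IPv6"}
PORT_NAMES = {67: "bootps (DHCP server)", 68: "bootpc (DHCP client)"}  # ports seen in the thread


def parse_iptables_log(line):
    """Return the KEY=VALUE fields of an iptables LOG line as a dict.

    The MAC= field is split into dst_mac / src_mac / ethertype. LEN appears twice
    (IP header, then UDP header); the second copy is stored as L4LEN.
    """
    m = re.search(r"kernel: (?P<prefix>.*?)IN=", line)
    if not m:
        raise ValueError("not an iptables LOG line")
    fields = {"prefix": m.group("prefix").strip()}
    seen_len = 0
    for key, val in re.findall(r"([A-Z]+)=(\S*)", line[m.end() - 3:]):
        if key == "LEN":
            seen_len += 1
            key = "LEN" if seen_len == 1 else "L4LEN"
        fields[key] = val
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:  # 6 dst + 6 src + 2 ethertype bytes
        fields["dst_mac"] = ":".join(octets[0:6])
        fields["src_mac"] = ":".join(octets[6:12])
        etype = ":".join(octets[12:14])
        fields["ethertype"] = ETHERTYPES.get(etype, etype)
    return fields


def classify(fields, local_macs=()):
    """Say who sent the frame and what it looks like; local_macs = this host's NIC MACs."""
    info = {
        "sent_by_this_host": fields.get("src_mac", "").lower() in {m.lower() for m in local_macs},
        "link_broadcast": fields.get("dst_mac") == "ff:ff:ff:ff:ff:ff",
        "ip_broadcast": fields.get("DST") == "255.255.255.255",
    }
    if fields.get("PROTO") == "UDP":
        spt, dpt = int(fields["SPT"]), int(fields["DPT"])
        info["ports"] = f"{PORT_NAMES.get(spt, spt)} -> {PORT_NAMES.get(dpt, dpt)}"
        # A client with no address yet broadcasting 68 -> 67 is a DHCP discover/request.
        info["dhcp_client_broadcast"] = (spt, dpt) == (68, 67) and fields.get("SRC") == "0.0.0.0"
    return info
```

If neither of your own cards carries the src_mac, the frame was emitted by another host on the same segment and merely seen (and dropped) by your firewall, which is what the parsed sample shows.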
 
Old 06-30-2001, 12:37 AM   #6
DavidPhillips
I was just thinking that maybe one of these monitoring programs or others combined with checklog could be emailing thousands of log files to your root mailbox.

I guess there is no way to block everything and still be able to get on the internet, but I think portsentry would help stop the port scans.
 
Old 06-30-2001, 02:41 PM   #7
bfloeagle
Nope..... But still getting messages

The logs are only in the log files, I am not getting any emails in my root account. I'll mess around with it some more and let you guys know what I find. If I find anything....
 