LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-12-2010, 05:25 AM   #1
robeich
Member
 
Registered: Aug 2010
Location: Millstreet, Co. Cork, Ireland
Distribution: Linux Mint
Posts: 37

Rep: Reputation: 0
I got some messages at /var/log I really do not understand


Yesterday I had a look into my messages file at /var/log.
This logfile is filled with messages I actually do not really understand.
I have added 4 lines and headed them with what I know. It seems it's a message from Shorewall:

should be forwarded to net
| had been dropped eth0 incoming | my computer | | source router| destination my IP| |protocol udp|
Aug 11 20:19:06 localhost klogd: Shorewall:net2fwROP:IN=eth0 OUT= MAC=00:23:7d:10:60:c9:c0:3f:0e:5f:04:ee:08:00 SRC=192.168.0.1 DST=192.168.0.3 LEN=342 TOS=0x00 PREC=0x00 TTL=64 ID=55 DF PROTO=UDP SPT=1900 DPT=52581 LEN=322
Aug 11 20:19:06 localhost klogd: Shorewall:net2fwROP:IN=eth0 OUT= MAC=00:23:7d:10:60:c9:c0:3f:0e:5f:04:ee:08:00 SRC=192.168.0.1 DST=192.168.0.3 LEN=358 TOS=0x00 PREC=0x00 TTL=64 ID=56 DF PROTO=UDP SPT=1900 DPT=52581 LEN=338
Aug 11 20:19:06 localhost klogd: Shorewall:net2fwROP:IN=eth0 OUT= MAC=00:23:7d:10:60:c9:c0:3f:0e:5f:04:ee:08:00 SRC=192.168.0.1 DST=192.168.0.3 LEN=352 TOS=0x00 PREC=0x00 TTL=64 ID=57 DF PROTO=UDP SPT=1900 DPT=52581 LEN=332
Aug 11 20:19:06 localhost klogd: Shorewall:net2fwROP:IN=eth0 OUT= MAC=00:23:7d:10:60:c9:c0:3f:0e:5f:04:ee:08:00 SRC=192.168.0.1 DST=192.168.0.3 LEN=340 TOS=0x00 PREC=0x00 TTL=64 ID=58 DF PROTO=UDP SPT=1900 DPT=52581 LEN=320

Hmm, is there any documentation on how to interpret the messages and security.log files in /var/log?

There is also something strange in security.log:

Aug 11 11:15:10 localhost diff: Security Warning: change in network listening ports found :
Aug 11 11:15:10 localhost diff: - Added network listening ports : tcp 0 0 *:mysql-im *:* LISTEN 2138/mysqlmanager
Aug 11 11:15:10 localhost diff: - Added network listening ports : tcp 0 0 *:30020 *:* LISTEN 2116/python
Aug 11 11:15:10 localhost diff: - Added network listening ports : tcp 0 0 *:mysql *:* LISTEN 2146/mysqld
Aug 11 11:15:10 localhost diff: - Added network listening ports : tcp 0 0 localhost:7634 *:* LISTEN 2018/hddtemp
Aug 11 11:15:10 localhost diff: - Added network listening ports : tcp 0 0 *:http *:* LISTEN 2433/httpd
Aug 11 11:15:10 localhost diff: - Added network listening ports : udp 0 0 *:51474 *:* 2006/avahi-daemon:
Aug 11 11:15:10 localhost diff: - Added network listening ports : udp 0 0 *:5353 *:* 2006/avahi-daemon:
Aug 11 11:15:10 localhost diff: - Added network listening ports : udp 0 0 *:1900 *:* 2116/python
Aug 11 11:15:10 localhost diff: - Added network listening ports : udp 0 0 *:43775 *:* 2116/python
Aug 11 11:15:10 localhost diff: - Removed network listening ports : tcp 0 0 *:mysql-im *:* LISTEN 1947/mysqlmanager
Aug 11 11:15:10 localhost diff: - Removed network listening ports : tcp 0 0 *:30020 *:* LISTEN 2006/python
Aug 11 11:15:10 localhost diff: - Removed network listening ports : tcp 0 0 *:mysql *:* LISTEN 1973/mysqld
Aug 11 11:15:10 localhost diff: - Removed network listening ports : tcp 0 0 localhost:7634 *:* LISTEN 1838/hddtemp
Aug 11 11:15:10 localhost diff: - Removed network listening ports : tcp 0 0 *:http *:* LISTEN 2574/httpd
Aug 11 11:15:10 localhost diff: - Removed network listening ports : udp 0 0 *:33537 *:* 2006/python
Aug 11 11:15:10 localhost diff: - Removed network listening ports : udp 0 0 *:44818 *:* 1809/avahi-daemon:
Aug 11 11:15:10 localhost diff: - Removed network listening ports : udp 0 0 *:5353 *:* 1809/avahi-daemon:
Aug 11 11:15:10 localhost diff: - Removed network listening ports : udp 0 0 *:1900 *:* 2006/python

I really don't know if this is a hack, an attempted hack, or just some kind of misconfiguration.
robeich
 
Old 08-12-2010, 06:44 AM   #2
AlucardZero
Senior Member
 
Registered: May 2006
Location: USA
Distribution: Debian
Posts: 4,824

Rep: Reputation: 615
For the first, http://www.shorewall.net/FAQ.htm#faq17 or http://bandwidthco.com/whitepapers/f...g%20Format.pdf (PDF)

I've never seen anything like the second.
 
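The Shorewall FAQ linked above explains the log format in words; as an added example (our code, not Shorewall's, msec's or either poster's), here is a small decoder run over the four lines quoted in post #1. The fields after the Shorewall prefix are the kernel's netfilter LOG output: IN/OUT are the interfaces, MAC is destination MAC + source MAC + ethertype, and LEN appears twice (IP total length, then UDP length). Two things the decoder makes visible: the source 192.168.0.1 is a private LAN address that arrived on the interface Shorewall treats as the "net" zone, and source port 1900/UDP is SSDP (UPnP discovery), so these look like the router answering a UPnP search sent from this host, which fits the python process bound to udp 1900 in the msec listing of the same post. The chain tag reads "net2fwROP" in the post; that is most likely "net2fw:DROP" with the ":D" eaten by the forum's smiley conversion, an assumption, so the parser reports the disposition as missing rather than guessing. SERVICE_HINTS is our own small lookup table, not /etc/services.

```python
"""Decode Shorewall-prefixed netfilter LOG lines such as the four quoted in post #1.

Added example for this thread, not code from Shorewall, msec or the posters.
SAMPLE_LOG is copied from the post; SERVICE_HINTS is our own small lookup table.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Optional

SAMPLE_LOG = """\
Aug 11 20:19:06 localhost klogd: Shorewall:net2fwROP:IN=eth0 OUT= MAC=00:23:7d:10:60:c9:c0:3f:0e:5f:04:ee:08:00 SRC=192.168.0.1 DST=192.168.0.3 LEN=342 TOS=0x00 PREC=0x00 TTL=64 ID=55 DF PROTO=UDP SPT=1900 DPT=52581 LEN=322
Aug 11 20:19:06 localhost klogd: Shorewall:net2fwROP:IN=eth0 OUT= MAC=00:23:7d:10:60:c9:c0:3f:0e:5f:04:ee:08:00 SRC=192.168.0.1 DST=192.168.0.3 LEN=358 TOS=0x00 PREC=0x00 TTL=64 ID=56 DF PROTO=UDP SPT=1900 DPT=52581 LEN=338
Aug 11 20:19:06 localhost klogd: Shorewall:net2fwROP:IN=eth0 OUT= MAC=00:23:7d:10:60:c9:c0:3f:0e:5f:04:ee:08:00 SRC=192.168.0.1 DST=192.168.0.3 LEN=352 TOS=0x00 PREC=0x00 TTL=64 ID=57 DF PROTO=UDP SPT=1900 DPT=52581 LEN=332
Aug 11 20:19:06 localhost klogd: Shorewall:net2fwROP:IN=eth0 OUT= MAC=00:23:7d:10:60:c9:c0:3f:0e:5f:04:ee:08:00 SRC=192.168.0.1 DST=192.168.0.3 LEN=340 TOS=0x00 PREC=0x00 TTL=64 ID=58 DF PROTO=UDP SPT=1900 DPT=52581 LEN=320
"""

# Our own hints for the ports that appear in this thread (not a copy of /etc/services).
SERVICE_HINTS = {("UDP", 1900): "ssdp (UPnP discovery)", ("UDP", 5353): "mdns (Avahi)"}


def parse_shorewall_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one Shorewall-prefixed netfilter LOG line, or None."""
    marker = "Shorewall:"
    pos = line.find(marker)
    if pos < 0:
        return None
    in_pos = line.find("IN=", pos)
    if in_pos < 0:
        return None
    # Shorewall writes "Shorewall:<chain>:<disposition>:" in front of the kernel fields.
    # In the post the tag reads "net2fwROP"; the ":D" of ":DROP" was most likely eaten
    # by the forum's smiley conversion (assumption), so no disposition is present.
    tag = line[pos + len(marker):in_pos].rstrip(":")
    chain, _, disposition = tag.partition(":")
    rec: Dict[str, object] = {"chain": chain, "disposition": disposition or None}
    flags: List[str] = []
    for token in line[in_pos:].split():
        if "=" not in token:
            flags.append(token)                 # bare flags: DF, SYN, ACK, ...
            continue
        key, value = token.split("=", 1)
        if key == "LEN" and "LEN" in rec:
            key = "L4LEN"                       # 1st LEN = IP total length, 2nd = UDP/TCP length
        rec[key] = value
    rec["flags"] = flags
    for key in ("LEN", "L4LEN", "TTL", "ID", "SPT", "DPT"):
        if key in rec:
            rec[key] = int(str(rec[key]))
    octets = str(rec.get("MAC", "")).split(":")
    if len(octets) == 14:                       # dst MAC (6) + src MAC (6) + ethertype (2)
        rec["dst_mac"] = ":".join(octets[:6])
        rec["src_mac"] = ":".join(octets[6:12])
        rec["ethertype"] = "".join(octets[12:])
    return rec


def explain(rec: Dict[str, object]) -> str:
    """One-line reading of a parsed record: who, to whom, on which interface, which verdict."""
    proto = str(rec.get("PROTO", "?"))
    src_ip = ipaddress.ip_address(str(rec["SRC"]))
    where = f"arrived on {rec['IN']}" if rec.get("IN") else f"left via {rec.get('OUT')}"
    verdict = rec["disposition"] or "disposition missing from line"
    origin = "private LAN address" if src_ip.is_private else "public address"
    text = (f"{proto} {rec['SRC']}:{rec.get('SPT')} -> {rec['DST']}:{rec.get('DPT')} {where}; "
            f"chain {rec['chain']} ({verdict}); source is a {origin}")
    hint = SERVICE_HINTS.get((proto, rec.get("SPT")))
    return text + (f"; source port is {hint}" if hint else "")


def summarize(log: str) -> Counter:
    """Count identical flows so four near-identical lines read as one event with a count."""
    flows: Counter = Counter()
    for line in log.splitlines():
        rec = parse_shorewall_line(line)
        if rec:
            flows[(rec["chain"], rec.get("PROTO"), rec["SRC"], rec.get("SPT"),
                   rec["DST"], rec.get("DPT"))] += 1
    return flows


if __name__ == "__main__":
    for flow, count in summarize(SAMPLE_LOG).items():
        print(count, "x", flow)
    print(explain(parse_shorewall_line(SAMPLE_LOG.splitlines()[0])))
```

Run as-is it collapses the four lines into one flow seen four times (router:1900/UDP to this host:52581, dropped on entry via eth0). The practical check this gives you: if the source is a private address of your own LAN and the port is a LAN service such as SSDP or mDNS, the fix is zone/interface configuration (or an explicit rule for that traffic), not incident response.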
Old 08-12-2010, 08:44 AM   #3
robeich
Member
 
Registered: Aug 2010
Location: Millstreet, Co. Cork, Ireland
Distribution: Linux Mint
Posts: 37

Original Poster
Rep: Reputation: 0
Hm, after looking at the Shorewall FAQ I found that these messages are probably caused by a so-called "fool's firewall".
Nice, but I'm using a Netgear 3G/UMTS router where the Internet comes from a 3 USB stick!
Does this mean that the Netgear firewall is "Eternity is wasted upon the likes of you."?
 
Old 08-12-2010, 09:06 AM   #4
AlucardZero
Senior Member
 
Registered: May 2006
Location: USA
Distribution: Debian
Posts: 4,824

Rep: Reputation: 615
? That's part of my signature. It's irrelevant.
 
Old 08-12-2010, 12:03 PM   #5
robeich
Member
 
Registered: Aug 2010
Location: Millstreet, Co. Cork, Ireland
Distribution: Linux Mint
Posts: 37

Original Poster
Rep: Reputation: 0
I tried another computer with Mandriva 2008 and I don't get the fool's firewall messages with this machine.
So I guess that the messages are caused by the added and removed network listening ports?!
The ports used for MySQL should be 3306 and not 2146 (added) or 1973 (removed).
How, or better who, can change those ports? Am I right if I suppose that's a kind of hack and I should
wipe and reinstall that computer? I will contact Mandriva Support to get more information.
Meanwhile lots of thanks, and I will let you know what Mandriva is telling me about that issue.
robeich
 
Old 08-15-2010, 01:37 PM   #6
robeich
Member
 
Registered: Aug 2010
Location: Millstreet, Co. Cork, Ireland
Distribution: Linux Mint
Posts: 37

Original Poster
Rep: Reputation: 0
That unbelievable story goes on!!
If I log on to my Netgear 3G/UMTS with 3 mobile and type http://192.168.0.1 into the browser I am prompted for a user and password.
If I type http://192.168.01 I'm in without being prompted for a user and password, and I can also edit everything from the firewall settings to the password change!!
Very strange, so I decided to wipe the computer, an HP thin client, and reinstall Mandriva PowerPack 2010 with high security!
That worked perfectly. I did not have any strange added listening ports and the only
alert in msec.log was "wheel group empty"! I added my user to the wheel group, rebooted, and there were no more strange messages in msec.log or other log files. Yoohoo!
But now it becomes weird!
I tried the boot-up option to clear /tmp, but every time I looked in again it had unticked itself! Hmm.
I added update media from the mirror list, which was a little bit slow, so I became suspicious and had a look again in msec.log and had
a new entry: permissions wrong at /dev, should be 755!?
Okay, I changed the permissions back to 755 and had a look into /dev, where I found a red blinking entry f -> fd.
I logged out and rebooted the system, and here I was suspicious again because I had just changed the POST delay in the BIOS from 5 sec to none, but the POST delay was still 5 sec.
And now I cannot log on to the system anymore; neither user nor root is accepted!!!
I wiped it again, changed the fs from ext4 to xfs and am installing again!
I'm using my old computer now to write in this forum.
Any idea what that could be?
By the way, with the new installation I was still able to log in to my Netgear router without user and password!
 
Old 08-15-2010, 05:40 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by AlucardZero View Post
I've never seen anything like the second.
The Mandriva security package or "msec" for short.


Quote:
Originally Posted by robeich View Post
There is also something strange in security.log (..) I really don't know if this is a hack, an attempted hack, or just some kind of misconfiguration.
It's just a listing of network ports in use by services. Use your 'msecgui' to configure any exceptions; this should provide howto information. Your Netgear router accepting management logins without a password may be due to 0) factory defaults, 1) you configuring it that way or 2) your browser saving account info and submitting it on login. This is a different issue and has nothing to do with compromising a machine. Note that no evidence of a compromise was presented, so at this point reinstalling the OS does not solve anything.
 
Old 08-16-2010, 10:58 AM   #8
robeich
Member
 
Registered: Aug 2010
Location: Millstreet, Co. Cork, Ireland
Distribution: Linux Mint
Posts: 37

Original Poster
Rep: Reputation: 0

You are absolutely right about the Netgear router; I reset it to factory defaults.
I just downloaded the firmware upgrade and will reinstall it.
Many thanks!!!
But with my installation on my HP thin client I had a very bad experience when I tried to reinstall Mandriva 2010 x64 PowerPack.
Actually I was suspicious when it had taken more than 5 hrs to reinstall (the first and second installations had taken about 2 hrs).
And now it stops while booting with lots of error messages, even if I try normal or secure mode.
Hmm, probably one of the two 8GB memory sticks plugged into the secure USB ports is damaged?? I will go on later to figure out whether it is or not.
As to the added and removed network ports, I still don't know who, or better what, added these ports and for what reasons??
I really did not make any configuration changes or add, remove or update anything.
Any idea?
 
Old 08-16-2010, 05:10 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by robeich View Post
You are absolutely right about the Netgear router; I reset it to factory defaults.
Thanks for confirming.


Quote:
Originally Posted by robeich View Post
As to the added and removed network ports, I still don't know who, or better what, added these ports and for what reasons??
I really did not make any configuration changes or add, remove or update anything.
First of all, network ports are in use by subsystems (say Xorg) the system needs itself or for services it provides (for instance your LAMP web stack components). In addition, using security tools like msec may (I don't use msec) change service configuration (or you may edit configuration files manually or through any interface) so that for instance MySQL only listens on local unix sockets instead of using TCP. In most cases the service and its port(s) will be constants (see /etc/services for port assignments) but its process ID will change (due to reboots, service restarts or log rotation). Checking the msec output, this appears to be the case for mysqlmanager, the python process running on TCP/30020, mysqld, hddtemp, httpd and the python process running on UDP/1900, but not for avahi-daemon and the python process running on UDP/33537 on Aug 11th 11:15:10.

Before you add exceptions you need to find out more about the process, but unfortunately that only works if the process is (still) in working order. Given a syslog line of "Aug 11 11:15:10 localhost diff: - Added network listening ports : udp[0] 0 0 *:43775[1] *:* 2116[2]/python" you notice the protocol[0], port[1] and PID[2]. Given a PID, try 'lsof -Pwnp [PID] -ai'. (Without a process ID, try 'lsof -Pwnai' or 'netstat -antupe'.) Given a port number, try '/sbin/fuser -n [PROTOCOL] [PORT_NUMBER]' (and given a service name (/etc/services), try '/sbin/fuser -n [PROTOCOL] [SERVICE_NAME]').
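To turn the reasoning in the two posts above into a repeatable check, here is an added example (our code, not msec's and not from either poster) that parses the "Added/Removed network listening ports" lines quoted in post #1. Pass one pairs each added socket with the removed socket on the same protocol, address and port: same PID means nothing changed, a different PID means the service was restarted. Pass two pairs a leftover "new" and "gone" high-numbered port belonging to the same program and calls that an ephemeral-port rotation, which is what avahi-daemon (44818 to 51474) and the python process (33537 to 43775) did. The 32768 threshold is Linux's default lower bound for ip_local_port_range and is an assumption about this machine. Only what is still "new" or "gone" after both passes needs the lsof/fuser steps above.

```python
"""Classify msec 'change in network listening ports' diffs like the one in post #1.

Added example for this thread; our code, not msec's. SAMPLE_MSEC is copied from
the post. EPHEMERAL_MIN assumes Linux's default ip_local_port_range lower bound.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

SAMPLE_MSEC = """\
Aug 11 11:15:10 localhost diff: Security Warning: change in network listening ports found :
Aug 11 11:15:10 localhost diff: - Added network listening ports : tcp 0 0 *:mysql-im *:* LISTEN 2138/mysqlmanager
Aug 11 11:15:10 localhost diff: - Added network listening ports : tcp 0 0 *:30020 *:* LISTEN 2116/python
Aug 11 11:15:10 localhost diff: - Added network listening ports : tcp 0 0 *:mysql *:* LISTEN 2146/mysqld
Aug 11 11:15:10 localhost diff: - Added network listening ports : tcp 0 0 localhost:7634 *:* LISTEN 2018/hddtemp
Aug 11 11:15:10 localhost diff: - Added network listening ports : tcp 0 0 *:http *:* LISTEN 2433/httpd
Aug 11 11:15:10 localhost diff: - Added network listening ports : udp 0 0 *:51474 *:* 2006/avahi-daemon:
Aug 11 11:15:10 localhost diff: - Added network listening ports : udp 0 0 *:5353 *:* 2006/avahi-daemon:
Aug 11 11:15:10 localhost diff: - Added network listening ports : udp 0 0 *:1900 *:* 2116/python
Aug 11 11:15:10 localhost diff: - Added network listening ports : udp 0 0 *:43775 *:* 2116/python
Aug 11 11:15:10 localhost diff: - Removed network listening ports : tcp 0 0 *:mysql-im *:* LISTEN 1947/mysqlmanager
Aug 11 11:15:10 localhost diff: - Removed network listening ports : tcp 0 0 *:30020 *:* LISTEN 2006/python
Aug 11 11:15:10 localhost diff: - Removed network listening ports : tcp 0 0 *:mysql *:* LISTEN 1973/mysqld
Aug 11 11:15:10 localhost diff: - Removed network listening ports : tcp 0 0 localhost:7634 *:* LISTEN 1838/hddtemp
Aug 11 11:15:10 localhost diff: - Removed network listening ports : tcp 0 0 *:http *:* LISTEN 2574/httpd
Aug 11 11:15:10 localhost diff: - Removed network listening ports : udp 0 0 *:33537 *:* 2006/python
Aug 11 11:15:10 localhost diff: - Removed network listening ports : udp 0 0 *:44818 *:* 1809/avahi-daemon:
Aug 11 11:15:10 localhost diff: - Removed network listening ports : udp 0 0 *:5353 *:* 1809/avahi-daemon:
Aug 11 11:15:10 localhost diff: - Removed network listening ports : udp 0 0 *:1900 *:* 2006/python
"""

# msec prints netstat-style columns: proto recv-q send-q local remote [state] pid/program
LINE_RE = re.compile(
    r"- (?P<action>Added|Removed) network listening ports : "
    r"(?P<proto>tcp|udp)6? \d+ \d+ (?P<addr>[^\s:]+):(?P<port>\S+) \S+ "
    r"(?:LISTEN )?(?P<pid>\d+)/(?P<prog>\S+)"
)
EPHEMERAL_MIN = 32768   # default lower bound of net.ipv4.ip_local_port_range (assumption)


class Listener(NamedTuple):
    proto: str
    addr: str
    port: str           # number or /etc/services name, exactly as msec printed it
    pid: int
    prog: str


Key = Tuple[str, str, str]          # (proto, addr, port) identifies one socket


def parse_msec(text: str) -> Tuple[List[Listener], List[Listener]]:
    """Split the diff into (added, removed) listeners; lines that do not match are ignored."""
    added: List[Listener] = []
    removed: List[Listener] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = Listener(m["proto"], m["addr"], m["port"], int(m["pid"]),
                         m["prog"].rstrip(":"))     # "avahi-daemon:" -> "avahi-daemon"
        (added if m["action"] == "Added" else removed).append(entry)
    return added, removed


def _key(l: Listener) -> Key:
    return (l.proto, l.addr, l.port)


def is_ephemeral(port: str) -> bool:
    return port.isdigit() and int(port) >= EPHEMERAL_MIN


def classify(added: List[Listener], removed: List[Listener]) -> Dict[Key, Tuple[str, str]]:
    """Map each socket to (status, detail).

    Pass 1 pairs identical sockets: same PID -> 'unchanged', new PID -> 'restarted'.
    Pass 2 pairs a 'new' and a 'gone' high port of the same program -> 'ephemeral-rotated'.
    Whatever is still 'new' or 'gone' afterwards is what actually needs a look.
    """
    new = {_key(l): l for l in added}
    old = {_key(l): l for l in removed}
    result: Dict[Key, Tuple[str, str]] = {}
    for key in set(new) | set(old):
        a, r = new.get(key), old.get(key)
        if a and r:
            status = "unchanged" if a.pid == r.pid else "restarted"
            result[key] = (status, f"{r.prog} pid {r.pid} -> {a.pid}")
        elif a:
            result[key] = ("new", f"{a.prog} pid {a.pid}")
        else:
            assert r is not None
            result[key] = ("gone", f"{r.prog} pid {r.pid}")
    for a in added:
        if result[_key(a)][0] != "new" or not is_ephemeral(a.port):
            continue
        for r in removed:
            if (result[_key(r)][0] == "gone" and r.proto == a.proto
                    and r.prog == a.prog and is_ephemeral(r.port)):
                detail = f"{a.prog} moved from {r.proto}/{r.port} to {a.proto}/{a.port}"
                result[_key(a)] = result[_key(r)] = ("ephemeral-rotated", detail)
                break
    return result


def needs_attention(result: Dict[Key, Tuple[str, str]]) -> List[Key]:
    """Sockets that neither a restart nor an ephemeral-port move explains."""
    return sorted(k for k, (status, _) in result.items() if status in ("new", "gone"))


def pid_reuse(added: List[Listener], removed: List[Listener]) -> Dict[int, Tuple[str, str]]:
    """PIDs naming one program in the old list and another in the new one: the kernel
    handed the number out again, i.e. the processes were restarted or the box rebooted."""
    old = {l.pid: l.prog for l in removed}
    return {l.pid: (old[l.pid], l.prog) for l in added
            if l.pid in old and old[l.pid] != l.prog}


if __name__ == "__main__":
    added, removed = parse_msec(SAMPLE_MSEC)
    verdicts = classify(added, removed)
    for key, (status, detail) in sorted(verdicts.items()):
        print(f"{key[0]} {key[1]}:{key[2]:<9} {status:<18} {detail}")
    print("needs attention:", needs_attention(verdicts) or "nothing")
    print("pid reuse:", pid_reuse(added, removed))
```

On the posted diff every socket comes out as either "restarted" or "ephemeral-rotated" and nothing is left to investigate, which is the conclusion reached above. The pid_reuse() output is a useful confirmation: PID 2006 was python in the old list and avahi-daemon in the new one, which is exactly what you see after a reboot.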
 
Old 08-18-2010, 05:25 AM   #10
robeich
Member
 
Registered: Aug 2010
Location: Millstreet, Co. Cork, Ireland
Distribution: Linux Mint
Posts: 37

Original Poster
Rep: Reputation: 0
I want to say thanks for the help in figuring out that my security concerns are 3 different issues not related to each other.
Two issues (a reset to factory defaults of my router, and a dodgy memory stick in my HP thin client) are solved; for the third issue,
the problems after downloading from the update mirrors, I'm in contact with Mandriva.
Now I'm busy with 'rtfm' of the links I got from unSpawn and what I found at /usr/share/doc.
The last thing I want is to make a suggestion: if in /var/log/messages there was a link behind every message, for example for the first issue in my initial question like:
more info at: /usr/share/doc/shorewall and /etc/shorewall, man shorewall.conf
more users would be able to help themselves.
Thousands of thanks again, and I'll keep watching linuxquestions.org.
 