# 1. What is promiscuous mode of a LAN card?
Means listening to traffic that isn't destined for your network address.
Cards in general can be put in promiscuous mode in two ways: by ifconfig and the like, and by sniffers.
Legitimate sniffers are for instance tcpdump or IDSes like Snort, Prelude etc etc.
If you didn't put the device in promiscuous mode by specifying it in the network config for the device or running a legitimate sniffer, then there is a possibility this is a sign of a breach of security.
# I can't issue the "clear" command... the OS says that my terminal loses its cursor movement ability.
Please post the actual error message.
# Some module dependency problem occurs, and if I restart the server it can't start up because of this.
# And if the server starts up without the module dependency problem, it scans the hard disk as if it was shut down forcefully...
Post the actual error message.
Run "ps axwww 2>&1|tee /tmp/ps.log" and post the output when the HDs are crunching.
Compile on another box and run Chkrootkit.
If your distro's package management system uses anything like md5sums to check integrity (or if you run a filesystem integrity checker like Aide, Samhain or tripwire) now's the time to check.
Manually go through your system's logfiles.
Manually go through application logfiles.
Check your authentication db for new passwd entries or changed ones.
Check for setuid or setgid binaries.
Check for configuration files or binaries in weird locations (/dev, /<dir>...).
# Every week I'm facing this problem, and I have to reinstall the system. Can anyone please help me? What should I do to prevent it?
Basically you will need to harden the box. This means:
- only install what you need (mind the purpose of the box: servers don't need compiler tools installed; network devices like fw's, routers, log servers, etc etc, shouldn't have publicly accessible services running except those necessary for management over encrypted channels),
- lock down the kernel by reinforcing it with Grsecurity, LIDS or alike,
- restrict and limit system and user account access to the filesystem and network,
- restrict and limit applications' access to the filesystem and exposure to the network by running them under a lesser-privileged account, having 'em do proper authentication,
- restrict access to the box using features of authentication methods like PAM supports, Tcp wrappers (OpenSSH can use it), application specific configs (like Xinetd), and the firewall,
- make sure you audit the box regularly for configuration errors, loopholes and changes to the filesystem, etc etc. More stuff is in several threads here in the Linux - Security forum (do a search) and in the LQ FAQ: Security references, see post #1 under "hardening".
If you need help, state the purpose of the box and the SW it should be running, how it's placed in your network etc etc. The more details the better.
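As an added example (not from the thread or its author), here are small POSIX shell checks for three of the points above: interfaces in promiscuous mode (read from the sysfs flags word, where IFF_PROMISC is 0x100), setuid/setgid binaries, and md5sum drift against a baseline. The functions take the directory to inspect as an argument, and the sample tree they are demonstrated on is constructed in a temp directory, so the real paths (/sys/class/net, /) are only named in comments.

```shell
#!/bin/sh
# Added example: defender-side checks for a suspected compromise. The sample
# tree below is constructed; replace its paths with the real ones when used.

# Interfaces whose sysfs flags word has IFF_PROMISC (0x100) set.
# $1 = sysfs net directory (on a real system: /sys/class/net).
find_promisc_ifaces() {
    for d in "$1"/*; do
        [ -r "$d/flags" ] || continue
        flags=$(cat "$d/flags")                    # e.g. 0x1103
        [ $(( $flags & 0x100 )) -ne 0 ] && basename "$d"
    done
    return 0
}

# Setuid or setgid regular files under $1 (on a real system: / with -xdev).
find_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Files whose md5sum no longer matches a baseline recorded earlier.
# $1 = directory the baseline was taken in, $2 = absolute path to the baseline.
changed_since_baseline() {
    (cd "$1" && md5sum --quiet -c "$2" 2>/dev/null | sed 's/: FAILED.*//')
    return 0
}

# Constructed sample tree: one promiscuous interface, one setuid file, and
# one file modified after the baseline was taken.
make_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/sys/class/net/eth0" "$t/sys/class/net/lo" "$t/root/bin"
    echo 0x1103 > "$t/sys/class/net/eth0/flags"   # UP|BROADCAST|PROMISC|MULTICAST
    echo 0x9    > "$t/sys/class/net/lo/flags"     # UP|LOOPBACK
    echo 'echo ls'  > "$t/root/bin/ls";  chmod 4755 "$t/root/bin/ls"
    echo 'echo cat' > "$t/root/bin/cat"; chmod 755  "$t/root/bin/cat"
    (cd "$t/root" && md5sum bin/ls bin/cat > "$t/baseline.md5")
    echo 'echo changed' > "$t/root/bin/cat"          # tampered after baseline
    echo "$t"
}

sample=$(make_sample)
echo "promiscuous: $(find_promisc_ifaces "$sample/sys/class/net")"
echo "setuid/setgid: $(find_suid_sgid "$sample/root")"
echo "changed: $(changed_since_baseline "$sample/root" "$sample/baseline.md5")"
rm -rf "$sample"
```

On a live box, take the md5sum baseline right after a clean install and store it off-host, since a baseline kept on a compromised system can be rewritten along with the binaries.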