LinuxQuestions.org


eager2no 11-21-2007 05:16 PM

Shorewall log - please help interpret
 
I am getting quite a lot of entries in /var/log/syslog like this one:

Code:

Nov 21 23:58:49 pcl kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:1b:fc:dd:1f:1c:00:15:0c:9e:00:c2:08:00 SRC=<my router, sort of> DST=<my IP> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5310 DF PROTO=TCP SPT=3584 DPT=14013 WINDOW=5840 RES=0x00 SYN URGP=0
The first part of the MAC address is my Ethernet port, but the second part (before the 2-byte frame type) does not quite match my router: the last 2 bytes are different.
Who does it come from then?

Also, /var/log/messages has this:
Code:

Nov 21 07:04:46 pcl logger: Security Warning: Change in Suid Root files found :
Nov 21 07:04:46 pcl logger: -      Newly added suid root file : /usr/bin/xscreensaver
Nov 21 07:04:46 pcl logger: Security Warning: the md5 checksum for one of your SUID files has changed,
Nov 21 07:04:46 pcl logger: maybe an intruder modified one of these suid binary in order to put in a backdoor...
Nov 21 07:04:46 pcl logger: - Checksum changed file : /usr/bin/mtink
Nov 21 07:04:46 pcl logger: - Checksum changed file : /usr/bin/sperl5.8.8
Nov 21 07:04:46 pcl logger: - Checksum changed file : /usr/bin/ttink

Sounds a bit scary, so I'd much appreciate the help of more experienced members.

Also, is there a recommended way to harden my PCLinuxOS?

Thank you.
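The MAC= field the post asks about, worked through in an added example (not code from the thread): netfilter's LOG target writes the raw Ethernet header as destination MAC, source MAC and then the two-byte EtherType, so the "first part" is the receiving NIC and the "second part" is whichever device sent the frame. The SRC/DST addresses in the sample are constructed placeholders standing in for the poster's redactions.

```python
import re

# Constructed sample after the line posted in the thread; SRC/DST use
# RFC 5737 documentation addresses in place of the poster's redactions.
SAMPLE = ("Nov 21 23:58:49 pcl kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
          "MAC=00:1b:fc:dd:1f:1c:00:15:0c:9e:00:c2:08:00 SRC=192.0.2.1 "
          "DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5310 DF "
          "PROTO=TCP SPT=3584 DPT=14013 WINDOW=5840 RES=0x00 SYN URGP=0")

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
BARE_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF"}
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):")

def split_mac_field(mac):
    """The LOG target prints the 14-byte Ethernet header as
    MAC=<6 dst octets>:<6 src octets>:<2 EtherType octets>."""
    octets = mac.split(":")
    if len(octets) != 14:
        raise ValueError("MAC field has %d octets, expected 14" % len(octets))
    return {
        "dst_mac": ":".join(octets[0:6]),     # the receiving NIC (eth0)
        "src_mac": ":".join(octets[6:12]),    # whoever sent the frame
        "ethertype": int("".join(octets[12:14]), 16),
    }

def parse_log_line(line):
    """Turn one Shorewall/netfilter log line into a dict of fields."""
    m = PREFIX_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall log line")
    rec = {"chain": m.group("chain"), "action": m.group("action"), "flags": set()}
    for tok in line[m.end():].split():
        if "=" in tok:
            key, val = tok.split("=", 1)   # OUT= yields an empty value
            rec[key] = val
        elif tok in BARE_FLAGS:
            rec["flags"].add(tok)
    if rec.get("MAC"):
        rec.update(split_mac_field(rec["MAC"]))
        rec["ethertype_name"] = ETHERTYPES.get(rec["ethertype"], "unknown")
    # SYN without ACK: the sender is trying to open a new connection to us
    rec["new_connection"] = {"SYN"} == rec["flags"] & {"SYN", "ACK"}
    return rec

if __name__ == "__main__":
    for key, val in sorted(parse_log_line(SAMPLE).items()):
        print("%-15s %s" % (key, val))
```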

lesleyb 11-23-2007 03:46 AM

Quote:

Originally Posted by eager2no (Post 2966959)
I am getting quite a lot of entries in /var/log/syslog like this one:

Code:

Nov 21 23:58:49 pcl kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:1b:fc:dd:1f:1c:00:15:0c:9e:00:c2:08:00 SRC=<my router, sort of> DST=<my IP> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5310 DF PROTO=TCP SPT=3584 DPT=14013 WINDOW=5840 RES=0x00 SYN URGP=0
The first part of the MAC address is my Ethernet port, but the second part (before the 2-byte frame type) does not quite match my router: the last 2 bytes are different.
Who does it come from then?

Without knowing what netmask you have, it is impossible to say what that could be. Neither the src nor the dst port helps identify the service raising this packet, nor what service it expects to head to. However, it is a SYN packet, and so it appears to be an attempt by your router to initiate a TCP session on these ports.

Most routers have a firewall in them these days so I suggest you take a look at that to drop any inbound unrelated unestablished connections.

Quote:

Originally Posted by eager2no (Post 2966959)
Also, /var/log/messages has this:
Code:

Nov 21 07:04:46 pcl logger: Security Warning: Change in Suid Root files found :
Nov 21 07:04:46 pcl logger: -      Newly added suid root file : /usr/bin/xscreensaver
Nov 21 07:04:46 pcl logger: Security Warning: the md5 checksum for one of your SUID files has changed,
Nov 21 07:04:46 pcl logger: maybe an intruder modified one of these suid binary in order to put in a backdoor...
Nov 21 07:04:46 pcl logger: - Checksum changed file : /usr/bin/mtink
Nov 21 07:04:46 pcl logger: - Checksum changed file : /usr/bin/sperl5.8.8
Nov 21 07:04:46 pcl logger: - Checksum changed file : /usr/bin/ttink

Sounds a bit scary, so I'd much appreciate the help of more experienced members.

Also, is there a recommended way to harden my PCLinuxOS?

Thank you.

xscreensaver is a screensaver. Same deal as on Windows, but with better graphics. It's fairly normal to have that on a workstation, although a lot of people don't run it, preferring to leave the terminal to its power management system.

I have no idea what sperl5.8.8 is, but a quick google indicates that mtink and ttink are ink monitoring programs for Epson(?) printers.

Can you recall installing such software about the time these messages started to appear?

Any intrusion detection system merely reports changes to files - via their mtime, checksums or whatever methods they choose to use. It is perfectly legitimate to update and expand your system, but an IDS will provide false positives in this situation.

You need to update your IDS database to say these files are okay if you know they are okay. If you suspect they are not okay then you can try removing them.

There is plenty of information out there about hardening various Linux. I am sure most will apply to your distro.

Regards

L.
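A minimal baseline-and-compare checker of the kind described above, as an added example rather than the tool PCLinuxOS was actually running (the thread never identifies it): it records a checksum for each setuid-root file and reports the same two events as the logged warnings, a newly added file and a changed checksum. The command-line usage and the default scan root of /usr are assumptions of this example.

```python
import hashlib
import json
import os
import stat

def hash_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_suid(root, owner_uid=0):
    """Map path -> checksum for regular setuid files under root owned by owner_uid."""
    found = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)          # lstat: do not follow symlinks
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                found[p] = hash_file(p)
    return found

def compare(baseline, current):
    """Classify differences into the events the thread's IDS reported."""
    added = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in current if p in baseline and baseline[p] != current[p])
    removed = sorted(p for p in baseline if p not in current)
    return added, changed, removed

def report(baseline, current):
    """Render the differences in the style of the logged warnings."""
    added, changed, removed = compare(baseline, current)
    lines = ["Newly added suid root file : %s" % p for p in added]
    lines += ["Checksum changed file : %s" % p for p in changed]
    lines += ["Suid root file removed : %s" % p for p in removed]
    return lines

if __name__ == "__main__":
    import sys
    # assumed usage: suidcheck.py BASELINE.json [DIR]; the first run writes
    # the baseline, later runs compare against it (delete it to accept changes)
    base, root = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else "/usr")
    current = scan_suid(root)
    if not os.path.exists(base):
        json.dump(current, open(base, "w"), indent=1)
    else:
        for line in report(json.load(open(base)), current):
            print("Security Warning: " + line)
```

Accepting a known-good change (a printer utility you installed yourself) means regenerating the baseline; the baseline file should live where whoever could replace a setuid binary cannot also rewrite it.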

eager2no 11-24-2007 08:23 AM

lesleyb,
Thanks a lot for the detailed response.

My router is a Fritz!Box, and it turned out it has SEVEN MAC addresses, the culprit being one of them. So I can relax on that count.

mtink, ttink: I in fact have an Epson printer... I am new to Linux, and just started checking the logs, so these programs may have been reported from the start.

sperl turned out to be suidperl.

Quote:

You need to update your IDS database
I don't know how to; I am using Shorewall.
Quote:

plenty of information...about hardening various Linux
I have read around a bit and Bastille looks good, but I am not sure I can just use it on PCLinuxOS.

lesleyb 11-26-2007 07:52 AM

Well, you need to know what program is reporting those file changes. Shorewall is a netfilter front end, so it doesn't log file changes.

If you know you have installed those programs and you know the program that is monitoring your files then you should be able to use that program to update the database it reads from.
That will stop the errors referring to mtink, ttink and sperl appearing in syslog but you need to be sure you added them and expected the changes to appear. The whole idea of an IDS is that it monitors changes to files and reports them to you so that you can decide if the change is okay or needs your attention. Always be careful not to add anything to the IDS database you don't expect to have to add.
IDSs can be tedious when setting up a new system, but once the system is stabilised they are less work.

I don't know PCLinuxOS at all but it appears to have an IDS system of some sort running. Perhaps a PCLinux specific forum might help?


Regards

Lesley

