LinuxQuestions.org
Old 05-14-2002, 09:26 AM   #1
bfloeagle
Member
 
Registered: Jun 2000
Location: Upstate New York
Distribution: Ubuntu
Posts: 158

Rep: Reputation: 30
Strange Security Log....


The following entry is popping up every couple of seconds in my logs...

May 14 10:17:45 voyager kernel: gShield (default drop) IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:90:96:12:19:60:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=255 ID=16963 PROTO=UDP SPT=68 DPT=67 LEN=556

It is the same MAC address every time. Same ports too. The only thing that changes frequently is the LEN value.

I use cable internet so my first guess would be that this is coming from the DHCP server (from the src 0.0.0.0 and the dst 255.255.255.255), but I don't think it's trying to renew my lease every couple of seconds...

I am running RH 7.2 and using Adelphia as my cable provider. I'm using gShield to configure an IPTables firewall. Running Kernel 2.4.9-31 (I think... It's a 2.4.* kernel though...).

Any idea what those messages mean (besides that my computer is blocking their access) and how I can get my logs to stop filling up with them?



Thanks!
Andy
 
Old 05-14-2002, 11:52 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,311
Blog Entries: 54

Rep: Reputation: 2860
Then you're logging to the wrong logfile :-]

You're right. It's incoming UDP from source 0.0.0.0 (dhcp client w/o IP address) port 68(bootpc) to dest 255.255.255.255 (broadcast) port 67(bootps), so it's prolly a DHCP client looking for a reply from the server.
Blocking it should be like:
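# Inbound: the logged broadcasts, DHCP client port 68 (bootpc) to server port 67 (bootps)
iptables -A INPUT -i eth0 -p udp --sport 68 --dport 67 -j DROP
# Outbound: client port 68 to server port 67 on eth0
iptables -A OUTPUT -o eth0 -p udp --sport 68 --dport 67 -j DROP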
Don't forget to tweak your (DROP) target if it's got logging enabled.
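
Added example, not part of either poster's message: a Python parser for the netfilter LOG line quoted in post #1. It splits the MAC= field into destination MAC, source MAC and EtherType, keeps the two LEN values apart (IP length, then UDP length), and counts DHCP client broadcasts per source MAC. The function names are hypothetical, and the second sample line is constructed.

```python
import re

# Log line quoted in post #1.
SAMPLE = ("May 14 10:17:45 voyager kernel: gShield (default drop) IN=eth0 OUT= "
          "MAC=ff:ff:ff:ff:ff:ff:00:90:96:12:19:60:08:00 SRC=0.0.0.0 "
          "DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=255 ID=16963 "
          "PROTO=UDP SPT=68 DPT=67 LEN=556")
# Constructed line (not from the thread): a server-to-client reply.
REPLY = ("May 14 10:17:46 voyager kernel: IN=eth0 OUT= "
         "MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=192.0.2.1 "
         "DST=192.0.2.50 LEN=328 PROTO=UDP SPT=67 DPT=68 LEN=308")

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # value may be empty, e.g. "OUT="

def parse_log(line):
    """Return the KEY=value fields of one netfilter LOG line as a dict."""
    rec = {}
    for key, val in FIELD.findall(line):
        # LEN appears twice: IP total length first, then the UDP length.
        if key == "LEN":
            key = "UDP_LEN" if "IP_LEN" in rec else "IP_LEN"
        rec[key] = val
    # On Ethernet, MAC= is destination MAC, source MAC, then the EtherType.
    octets = rec.get("MAC", "").split(":")
    if len(octets) == 14:
        rec["DST_MAC"] = ":".join(octets[:6])
        rec["SRC_MAC"] = ":".join(octets[6:12])
        rec["ETHERTYPE"] = "0x" + "".join(octets[12:])
    return rec

def classify(rec):
    """Label a parsed record by DHCP direction, judged from the UDP ports."""
    if rec.get("PROTO") != "UDP":
        return "other"
    ports = (rec.get("SPT"), rec.get("DPT"))
    if ports == ("68", "67"):
        if rec.get("SRC") == "0.0.0.0" and rec.get("DST") == "255.255.255.255":
            return "dhcp-client-broadcast"
        return "dhcp-client-request"
    return "dhcp-server-reply" if ports == ("67", "68") else "other"

def noisy_clients(lines):
    """Count DHCP client broadcasts per source MAC address."""
    counts = {}
    for rec in map(parse_log, lines):
        if classify(rec) == "dhcp-client-broadcast":
            mac = rec.get("SRC_MAC", "unknown")
            counts[mac] = counts.get(mac, 0) + 1
    return counts
```
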
 
Old 05-14-2002, 12:37 PM   #3
bfloeagle
Member
 
Registered: Jun 2000
Location: Upstate New York
Distribution: Ubuntu
Posts: 158

Original Poster
Rep: Reputation: 30
Thanks! I'll give that a shot.

Last edited by bfloeagle; 05-14-2002 at 01:06 PM.
 
  


All times are GMT -5.
