Linux - Networking (LinuxQuestions.org forum)
I was looking over my security logs and noticed this:
Aug 21 04:05:00 cerberus : Security warning : eth0 is in promiscuous mode.
Aug 21 04:05:00 cerberus : A sniffer is probably running on your system.
Would this be me, or someone else?
If someone else, how do I make it so that my eth isn't in promiscuous mode?
Should I set up my Snort to look at who might be wanting to hack me?
I also noticed a couple of IPs that someone is trying to get into me as root. I've sent emails to the whois contacts that came up saying to leave me alone and that they might want to look at who is trying to do this. But since they are in different countries, around the world, I don't know if it has done much good.
I wouldn't be concerned about foreign IPs trying to get root on a public machine without evidence that the login was successful. If you run a public machine inevitably somebody will probe it to see if it's a soft target. If a packet sniffer is actually being run without your knowledge, then that might be evidence.
VMware also sets the Ethernet interface to promiscuous in some cases. Otherwise it's done by either a packet sniffer or configuring the interface directly, I think. If you have any doubt that a publicly accessible box is no longer safe, then unfortunately you have to assume that it isn't.
Try posting to the Security forum or a more specialised site for some expert advice, and please don't hesitate to disconnect the box.
Packet sniffers are particularly bad news: any data that wasn't passed in encrypted form has potentially been taken. For safety, any passwords that have gone over the network to any destination (including remote websites) would need to be changed.
Your thought on VMware makes me think that my VNC is probably what is doing it. Nothing was accepted on the attempts, so I'm not really worried in the sense of unplugging, but it was just annoying to see the root attempts along with about 5 other common names.
No passwords are sent in plaintext, only through SSH tunnels.
I did run nmap with a couple of different options to see some things. It says 'good luck!' on the security option, so I would think that it's OK.
You should absolutely be concerned if you're seeing that message and aren't running any apps that might use promiscuous mode. Something like tcpdump or Snort will normally run in promiscuous mode and would generate that message. Take a look at the list of currently running processes and see if you see anything that might be a) causing a false alarm or b) looks abnormal. You might want to download and run a scan with chkrootkit or Rootkit Hunter as well. I don't believe VNC would generate such a message; it should just run as a standard daemon listening on a TCP port.
I don't think that VNC would set promiscuous mode either. VMware does clever stuff to set up networking between the virtual machines and the host machine, but regular apps and services don't change the interface mode.
capt
Did the chkrootkit; it says that nothing is deleted, yet this is only the first time that I have run it. Don't know if that makes a difference or not, though.
I took a look at ps ax.
The only things that I can see that might be keeping me promiscuous are:
prelude, a Snort variant
portmap, and
squid.
From what I have read, I would think out of those that it's Squid. I'm probably wrong, though. I get the security checks sent to me each day; this was the first time that I looked thoroughly at it. I just looked at it again today, and the world-writable files that I found, I changed yesterday, yet they are still coming up once more. So I'm not sure what's up. I did a diff on them and they are different. Yet it doesn't make sense that some of the files that are showing up are ones that I know have been altered since install, but haven't in a month.
Snort will put the interface in promiscuous mode. I don't know what you mean by Snort variant, but I'm assuming it runs in a similar manner to Snort. Squid shouldn't listen in promiscuous mode.
With regards to the chkrootkit output, what was the output from the "checking sniffer" test? You can just do this if you are unsure: ./chkrootkit -q sniffer
Could you also post the output of: ip link show eth0
OK, Prelude includes a packet sniffer for detecting malicious traffic. In order to sniff traffic, Prelude and similar apps like Snort put the interface in promiscuous mode. So seeing the "eth0 is in promiscuous mode" message is to be expected and isn't "bad" by any means (it's just a normal part of how those apps work). You can test this quite easily by stopping Prelude and any of its processes and then re-running the 'ip link show eth0' command. You should see the PROMISC flag disappear.
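To make the checks suggested in this thread concrete, here is an added shell script that is not from any poster. It decodes the IFF_PROMISC bit from /sys/class/net/<if>/flags (the same flag that `ip link show` renders as PROMISC), recognises that flag in a line of `ip link show` output, and points at the two places that reveal who is responsible: the AF_PACKET sockets a sniffer must hold (`ss -0 -p`, process names need root) and the kernel's "entered promiscuous mode" message in dmesg, which dates the change. The interface name and the sample flag values are assumptions made for this example.

```shell
#!/bin/sh
# Added example for this thread (not from any poster): tell whether an
# interface is promiscuous and where to look for the process that did it.
# The interface name and sample values are assumptions for illustration.

# IFF_PROMISC from <linux/if.h>. /sys/class/net/<if>/flags exposes the
# interface flags as one hex number; this bit is set while promiscuous.
IFF_PROMISC=0x100

# flags_promisc HEX  -> prints "yes" if the IFF_PROMISC bit is set, else "no"
# HEX is the raw value read from /sys/class/net/<if>/flags, e.g. 0x1103.
flags_promisc() {
    if [ $(( $1 & IFF_PROMISC )) -ne 0 ]; then
        echo yes
    else
        echo no
    fi
}

# iplink_promisc LINE -> "yes"/"no" from the first line of `ip link show <if>`.
# That line carries the flag list inside <...>, for example
#   <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP>
# so we look for PROMISC as a whole item of that comma-separated list.
iplink_promisc() {
    case "$1" in
        *"<PROMISC,"*|*",PROMISC,"*|*",PROMISC>"*|*"<PROMISC>"*) echo yes ;;
        *) echo no ;;
    esac
}

# check_iface IF -> reads the live flags from sysfs and reports.
# Returns 2 (and prints to stderr) if the interface does not exist.
check_iface() {
    iface=$1
    flagsfile=/sys/class/net/$iface/flags
    if [ ! -r "$flagsfile" ]; then
        echo "no such interface: $iface" >&2
        return 2
    fi
    echo "$iface promiscuous: $(flags_promisc "$(cat "$flagsfile")")"
}

# show_sniffers -> who holds packet sockets, and when the flag was last set.
# A sniffer (Snort, Prelude, tcpdump, ...) needs an AF_PACKET socket, which
# `ss -0 -p` lists (process names require root). The kernel logs
# "<if>: entered promiscuous mode" (older: "device <if> entered promiscuous
# mode") whenever the flag is turned on, so dmesg gives the timeline.
show_sniffers() {
    echo "--- AF_PACKET sockets (run as root to see process names) ---"
    ss -0 -p 2>/dev/null
    echo "--- kernel promiscuous-mode messages ---"
    dmesg 2>/dev/null | grep -i 'promiscuous mode'
}

# Constructed sample values (not read from any real machine):
#   0x1103 = UP|BROADCAST|PROMISC|MULTICAST -> promiscuous
#   0x1003 = UP|BROADCAST|MULTICAST         -> normal
SAMPLE_PROMISC_FLAGS=0x1103
SAMPLE_NORMAL_FLAGS=0x1003

# Usage: ./check_promisc.sh eth0   (does nothing when no interface is given)
if [ -n "${1:-}" ]; then
    check_iface "$1" && show_sniffers
fi
```

Run it as `./check_promisc.sh eth0` before and after stopping Prelude (or Snort): the "promiscuous:" line should flip from yes to no, and the `ss -0 -p` section should lose the sniffer's packet socket. If the flag stays set with nothing you recognise holding a packet socket, that is the situation the earlier replies warned about.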