I am trying to make sense of what I am seeing in my logs but I am not finding the answers I am looking for via google. Most of the entries in my logs look like the ones below. The problem is that I don't understand what these lines mean.
I get what some of the parts mean, like inbound, IN, src, etc. Let's take TOS=0x00: I get that it is the type of service, http or whatever, but what service is associated with 0x00? I assume that LEN is length, TTL is time to live. Don't know PREC, ID, DF, PROTO, LEN, DPT. I haven't been able to find the page I saw one day that had a basic description, though limited, of what some of them were. Does anyone have a link to such a page?
I also notice that in the first example there is a MAC that is 14 pairs long. All of the MACs I have had to deal with are much shorter than that. Is this a spoofed MAC? Or maybe part of the new ip6?
Most of the time these hourly emails are 3 to 5k in size but sometimes they are 15 to 20k. Usually there are 2 or 3 comps accessing the web through my router but there may be twice that many at any one time. I suppose a little info about the router is in order. Debian Lenny, up to date as of last week. Firestarter built the firewall but there is some kind of bug in the gui that causes the gui to crash all the time, but the rules keep working and so far I have had no problems that I know of.
The biggest question is 'Are these log entries something to be concerned about or not?'
If not, then how do I stop them from filling up my logs?
These entries are common iptables/netfilter logs. You made me realize that it's not easy to find complete documentation about the log format, or at least I was not able to find it. Anyway, I found this page which can answer some of your questions (the length of the MAC address, for example).
As for the first log line, it's inbound UDP with both ports being ephemeral, so there's not much to say about impact unless you know what service it was attached to (think output of 'netstat -anupe'). The second line at least has port 138, so 'getent services 138' should show it's SMB-ish traffic. Also note that you can use for instance the Dshield database to see if incoming packets are from well-known offenders. Finally, for entries that don't reveal typical scan flags, scanning behaviour or use known ports, you don't get much info unless you examine the payload. That could easily be done running an IDS like Snort.
Wrt logging, if you have it you probably have it for good reasons, so turning it off for arbitrary reasons like it being a nuisance is not what I would suggest. Better tweak *what* you log.
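As an added example (not code from this thread), a small Python parser for the iptables LOG field layout discussed above, run over constructed sample lines: it splits a line into its KEY=VALUE fields, treats bare tokens such as DF as flags, decodes the TOS bits, and breaks the 14-octet MAC= field into destination MAC, source MAC and EtherType.

```python
# Constructed sample lines in the iptables/netfilter LOG format (not the poster's real entries).
SAMPLE_LOGS = [
    "Inbound IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:1a:2b:3c:4d:5e:08:00 "
    "SRC=192.0.2.10 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=31337 "
    "PROTO=UDP SPT=49152 DPT=49153 LEN=58",
    "Inbound IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:1a:2b:3c:4d:5e:08:00 "
    "SRC=192.0.2.25 DST=198.51.100.255 LEN=229 TOS=0x00 PREC=0x00 TTL=64 ID=4142 DF "
    "PROTO=UDP SPT=138 DPT=138 LEN=209",
]

# RFC 1349 type-of-service bits as printed in TOS= (the precedence bits are split out into PREC=).
TOS_BITS = {0x10: "lowdelay", 0x08: "throughput", 0x04: "reliability", 0x02: "lowcost"}

def parse_log(line):
    """Split one LOG line into a dict: KEY=VALUE fields, bare flags (DF, SYN, ...) as True."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            # LEN appears twice: IP total length, then (after PROTO=) the UDP/ICMP length.
            if key in fields:
                key = "L4_" + key
            fields[key] = value
        elif token.isupper():          # flag tokens such as DF, SYN, ACK carry no value
            fields[token] = True
    return fields

def split_mac(mac):
    """The 14-octet MAC= field is dst MAC (6) + src MAC (6) + EtherType (2); 08:00 is IPv4."""
    octets = mac.split(":")
    if len(octets) != 14:
        return None
    return {"dst_mac": ":".join(octets[:6]), "src_mac": ":".join(octets[6:12]),
            "ethertype": "0x" + "".join(octets[12:])}

def describe(line):
    """Summarise the fields asked about: protocol, ports, lengths, TOS, DF bit, MAC parts."""
    f = parse_log(line)
    tos = int(f.get("TOS", "0x00"), 16)
    return {
        "proto": f.get("PROTO"),
        "src": (f.get("SRC"), f.get("SPT")),
        "dst": (f.get("DST"), f.get("DPT")),
        "ip_len": int(f.get("LEN", 0)),
        "l4_len": int(f.get("L4_LEN", 0)),
        "tos": [name for bit, name in TOS_BITS.items() if tos & bit] or ["normal"],
        "dont_fragment": f.get("DF", False),
        "mac": split_mac(f.get("MAC", "")),
    }
```

To map DPT to a service name the way 'getent services 138' does, look the port up in /etc/services (for example with socket.getservbyport) on the router itself, since that file decides the answer.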
Thanks colucix, that really helped with the MAC thing and should help with some of the others too when I get a chance to dig into it.
xterminator3 Thanks, I hadn't thought about looking at the wiki. I still am not getting my mind around how the whole number thing works.
unSpawn, I ran 'netstat -anupe' but I don't know how to use that info to parse the log file to find a connection between the two. I am assuming that I would need to use current entries in the log file to match up with the results of the command.
'getent services 138' yielded 'netbios-dgm 138/tcp' but there again I don't know what to make of it except that in this instance tcp is using port 138.
Am I understanding that this logging is wrt logging? I did not enable it, so it must have been done by one of the security packages I installed, firestarter, snort, logcheck, or one of the others that I can't recall at the moment.
I am not sure that I want to change the way the logs are done right now. What I really want is to learn to understand what they are telling me. These log entries came from the second linux router I set up and I am trying to become reasonably competent in maintaining one while I set up the next one, which will be my production unit.
I can tell by some of these entries that they are related to activity originating from my network. Is it possible to tell from this type of entry if this is someone trying to break into my router?