I got some messages in /var/log I really do not understand
Yesterday I had a look into my messages in /var/log.
This logfile is filled with messages I actually do not really understand. I added 4 lines and headed them with what I know. It seems it's a message from Shorewall:

should be forwarded to net | had been dropped, eth0 incoming | my computer | source router | destination my IP | protocol udp

Aug 11 20:19:06 localhost klogd: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:23:7d:10:60:c9:c0:3f:0e:5f:04:ee:08:00 SRC=192.168.0.1 DST=192.168.0.3 LEN=342 TOS=0x00 PREC=0x00 TTL=64 ID=55 DF PROTO=UDP SPT=1900 DPT=52581 LEN=322
Aug 11 20:19:06 localhost klogd: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:23:7d:10:60:c9:c0:3f:0e:5f:04:ee:08:00 SRC=192.168.0.1 DST=192.168.0.3 LEN=358 TOS=0x00 PREC=0x00 TTL=64 ID=56 DF PROTO=UDP SPT=1900 DPT=52581 LEN=338
Aug 11 20:19:06 localhost klogd: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:23:7d:10:60:c9:c0:3f:0e:5f:04:ee:08:00 SRC=192.168.0.1 DST=192.168.0.3 LEN=352 TOS=0x00 PREC=0x00 TTL=64 ID=57 DF PROTO=UDP SPT=1900 DPT=52581 LEN=332
Aug 11 20:19:06 localhost klogd: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:23:7d:10:60:c9:c0:3f:0e:5f:04:ee:08:00 SRC=192.168.0.1 DST=192.168.0.3 LEN=340 TOS=0x00 PREC=0x00 TTL=64 ID=58 DF PROTO=UDP SPT=1900 DPT=52581 LEN=320

Hmm, is there any documentation known on how to interpret the messages and security.log in /var/log?

In security.log there is as well something strange:

Aug 11 11:15:10 localhost diff: Security Warning: change in network listening ports found :
Aug 11 11:15:10 localhost diff: - Added network listening ports : tcp 0 0 *:mysql-im *:* LISTEN 2138/mysqlmanager
Aug 11 11:15:10 localhost diff: - Added network listening ports : tcp 0 0 *:30020 *:* LISTEN 2116/python
Aug 11 11:15:10 localhost diff: - Added network listening ports : tcp 0 0 *:mysql *:* LISTEN 2146/mysqld
Aug 11 11:15:10 localhost diff: - Added network listening ports : tcp 0 0 localhost:7634 *:* LISTEN 2018/hddtemp
Aug 11 11:15:10 localhost diff: - Added network listening ports : tcp 0 0 *:http *:* LISTEN 2433/httpd
Aug 11 11:15:10 localhost diff: - Added network listening ports : udp 0 0 *:51474 *:* 2006/avahi-daemon:
Aug 11 11:15:10 localhost diff: - Added network listening ports : udp 0 0 *:5353 *:* 2006/avahi-daemon:
Aug 11 11:15:10 localhost diff: - Added network listening ports : udp 0 0 *:1900 *:* 2116/python
Aug 11 11:15:10 localhost diff: - Added network listening ports : udp 0 0 *:43775 *:* 2116/python
Aug 11 11:15:10 localhost diff: - Removed network listening ports : tcp 0 0 *:mysql-im *:* LISTEN 1947/mysqlmanager
Aug 11 11:15:10 localhost diff: - Removed network listening ports : tcp 0 0 *:30020 *:* LISTEN 2006/python
Aug 11 11:15:10 localhost diff: - Removed network listening ports : tcp 0 0 *:mysql *:* LISTEN 1973/mysqld
Aug 11 11:15:10 localhost diff: - Removed network listening ports : tcp 0 0 localhost:7634 *:* LISTEN 1838/hddtemp
Aug 11 11:15:10 localhost diff: - Removed network listening ports : tcp 0 0 *:http *:* LISTEN 2574/httpd
Aug 11 11:15:10 localhost diff: - Removed network listening ports : udp 0 0 *:33537 *:* 2006/python
Aug 11 11:15:10 localhost diff: - Removed network listening ports : udp 0 0 *:44818 *:* 1809/avahi-daemon:
Aug 11 11:15:10 localhost diff: - Removed network listening ports : udp 0 0 *:5353 *:* 1809/avahi-daemon:
Aug 11 11:15:10 localhost diff: - Removed network listening ports : udp 0 0 *:1900 *:* 2006/python

I really don't know if this is a hack, an attempt at a hack, or just some kind of misconfiguration.
robeich
For the first, http://www.shorewall.net/FAQ.htm#faq17 or http://bandwidthco.com/whitepapers/f...g%20Format.pdf (PDF).
I've never seen anything like the second.
Hm, after looking at the Shorewall FAQ I found that these messages are probably caused by a so-called fools firewall.
Nice, but I'm using a Netgear 3G/UMTS router where the Internet comes from a 3 USB stick! Does this mean that the Netgear firewall is "Eternity is wasted upon the likes of you."?
? That's part of my signature. It's irrelevant.
I tried another computer with Mandriva 2008 and I don't get the fools firewall messages with this machine.
So I guess that the messages are caused by the added and removed network listening ports?! The ports used for MySQL should be 3306 and not 2146 (added) or 1973 (removed). How, or better who, can change those ports? Am I right if I suppose that's a kind of hack and I should wipe out and reinstall that computer? I will contact Mandriva Support to get more information. Meanwhile lots of thanks, and I will let you know what Mandriva tells me about this issue.
robeich
That unbelievable story goes on!!
If I log on to my Netgear 3G/UMTS from 3 mobile and type http://192.168.0.1 into the browser I am prompted for user and password. If I type http://192.168.01 I'm in without being prompted for user and password, and I can edit everything from firewall settings to password change!! Very strange, so I decided to wipe the computer (an HP thin client) and reinstall Mandriva PowerPack 2010 with high security! That worked perfectly. I did not have any strange added listening ports and the only alert in msec.log was "wheel group empty"! I added my user to the wheel group, rebooted, and there were no more strange messages in msec.log or other log files. Yoohoo!

But now it becomes weird! I tried the boot-up option to clear /tmp, but every time I looked again it had unticked itself! Hmm. I added update media from the mirror list, which was a little bit slow, so I became suspicious and had a look again in msec.log and had a new entry: permissions wrong at /dev, should be 755!? Okay, I changed the permissions back to 755 and had a look into /dev where I found a red blinking entry f -> fd. I logged out and rebooted the system, and here I was suspicious again because I had just changed the POST delay in the BIOS from 5 sec to none but the POST delay was still 5 sec. And now I cannot log on to the system anymore; neither user nor root is accepted!!! I wiped it again, changed the fs from ext4 to xfs, and am installing again! I'm now using my old computer to edit this forum. Any idea what that could be? By the way, with the new installation I was still able to log in to my Netgear router without user and password!
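An added note on the two router URLs in the post above (this is not part of the original thread, and the parser below is a stand-in written for this page, not anyone's project code). 192.168.01 and 192.168.0.1 are not two different addresses: numeric hosts are accepted in the classic inet_aton() shorthand, where fewer than four dotted parts are allowed, the last part fills all remaining low bytes, a leading 0 means octal and 0x means hex. "192.168.01" is the a.b.c form, so "01" fills the low 16 bits and the host is 192.168.0.1. The code reimplements those rules and checks the result against the C library through socket.inet_aton(). The hosts in the demo are constructed inputs.

```python
"""Why http://192.168.01 and http://192.168.0.1 hit the same router.

Numeric hosts are parsed with the classic inet_aton() rules (used by the C
resolver, and by browsers for numeric hosts): one to four dotted parts, the
last part fills the remaining low bytes, leading 0 is octal, 0x is hex.
"""
import socket
import struct


def _part(p):
    """Parse one dotted part the way inet_aton does (hex, octal, decimal)."""
    if p[:2] in ("0x", "0X"):
        return int(p[2:], 16)
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)
    return int(p, 10)


def inet_aton_shorthand(text):
    """Return the dotted quad inet_aton() would produce for TEXT, or None.

    Pure-Python reimplementation (written for this example) of the classic
    rules, so the result can be compared with the C library's own answer.
    """
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_part(p) for p in parts]
    except ValueError:
        return None
    head, last = nums[:-1], nums[-1]
    if any(not 0 <= n <= 255 for n in head):
        return None
    tail_bytes = 4 - len(head)            # bytes the last part has to fill
    if not 0 <= last < (1 << (8 * tail_bytes)):
        return None
    value = 0
    for n in head:
        value = (value << 8) | n
    value = (value << (8 * tail_bytes)) | last
    return socket.inet_ntoa(struct.pack("!I", value))


def same_host(a, b):
    """True when the C library's inet_aton() maps both strings to one address."""
    return socket.inet_aton(a) == socket.inet_aton(b)


if __name__ == "__main__":
    # Constructed inputs: all of these name the router in the thread.
    for host in ("192.168.0.1", "192.168.01", "192.168.1", "0xc0.0xa8.1", "3232235521"):
        print(f"{host:>14} -> {inet_aton_shorthand(host)}")
    print("same host:", same_host("192.168.01", "192.168.0.1"))
```

Because both URLs reach the same device, the difference in whether a password is asked for comes from how the router handles the request (for instance the Host header it receives, or an already-authenticated session), not from a second interface or address; that is worth keeping in mind when reporting the behaviour to the vendor after the firmware update.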
You are absolutely right about the Netgear router, I reset it to factory defaults.
I just downloaded the firmware upgrade and will reinstall. Many thanks!!! But with my installation on my HP thin client I had a very bad experience when I tried to reinstall Mandriva 2010 x64 PowerPack. Actually I became suspicious when it took more than 5 hrs to reinstall (the first and second installations had taken about 2 hrs). And now it stops while booting with lots of error messages, even if I try normal or secure mode. Hmm, probably one of the two 8GB memory sticks plugged into the secure USB ports is damaged?? I will go on later to figure out whether or not. About the added and removed network ports I still don't know who, or better what, added these ports and for what reasons?? I really did not make any configuration changes or add, remove or update anything. Any idea?
Before you add exceptions you need to find out more about the process, but unfortunately that only works if the process is (still) in working order. Given a syslog line of

Aug 11 11:15:10 localhost diff: - Added network listening ports : udp[0] 0 0 *:43775[1] *:* 2116[2]/python

you notice the protocol[0], port[1] and PID[2]. Given a PID try 'lsof -Pwnp [PID] -ai'. (Without a process ID try 'lsof -Pwnai' or 'netstat -antupe'.) Given a port number try '/sbin/fuser -n [PROTOCOL] [PORT_NUMBER]' (and given a service name (/etc/services) try '/sbin/fuser -n [PROTOCOL] [SERVICE_NAME]').
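An added example, not from the original thread, that parses the two kinds of log line quoted in the first post and in the answer just above: the Shorewall/netfilter drop lines from /var/log/messages and the msec "diff:" listening-port lines from security.log. The sample lines embedded in the code are copied in the shape quoted in the thread (constructed for the example, not live data). It splits out the fields pointed to above (protocol, local port or service name, PID and program) so that a PID such as 2146 is not mistaken for a port number, and it pairs each Removed entry with the Added entry for the same port and program, which is what a service restart or a reboot looks like in that log. For the Shorewall lines it flags UDP source port 1900, which is SSDP (UPnP discovery), so those drops are discovery replies from the router at 192.168.0.1 to an ephemeral port on the client. The function and field names are this example's own.

```python
"""Parse the two log formats quoted in this thread (example code)."""
import re

# Constructed sample lines in the shape quoted in the thread, not live data.
SAMPLE_MESSAGES = """\
Aug 11 20:19:06 localhost klogd: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:23:7d:10:60:c9:c0:3f:0e:5f:04:ee:08:00 SRC=192.168.0.1 DST=192.168.0.3 LEN=342 TOS=0x00 PREC=0x00 TTL=64 ID=55 DF PROTO=UDP SPT=1900 DPT=52581 LEN=322
Aug 11 20:19:06 localhost klogd: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:23:7d:10:60:c9:c0:3f:0e:5f:04:ee:08:00 SRC=192.168.0.1 DST=192.168.0.3 LEN=358 TOS=0x00 PREC=0x00 TTL=64 ID=56 DF PROTO=UDP SPT=1900 DPT=52581 LEN=338
"""
SAMPLE_SECURITY = """\
Aug 11 11:15:10 localhost diff: Security Warning: change in network listening ports found :
Aug 11 11:15:10 localhost diff: - Added network listening ports : tcp 0 0 *:mysql *:* LISTEN 2146/mysqld
Aug 11 11:15:10 localhost diff: - Added network listening ports : udp 0 0 *:1900 *:* 2116/python
Aug 11 11:15:10 localhost diff: - Removed network listening ports : tcp 0 0 *:mysql *:* LISTEN 1973/mysqld
Aug 11 11:15:10 localhost diff: - Removed network listening ports : udp 0 0 *:1900 *:* 2006/python
"""

SHOREWALL_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")
# msec quotes netstat -lnp style columns: proto recv-q send-q local foreign [LISTEN] pid/prog
DIFF_RE = re.compile(
    r"diff: - (?P<change>Added|Removed) network listening ports : "
    r"(?P<proto>tcp|udp)6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+(?:LISTEN\s+)?"
    r"(?P<pid>\d+)/(?P<prog>\S+)"
)


def parse_shorewall(line):
    """Return the KEY=VALUE fields of one Shorewall/netfilter log line (or None).

    Decimal values become ints; bare flags (DF, SYN, ...) go into 'flags'.
    LEN appears twice (IP total length, then L4 length): second one is LEN2.
    """
    m = SHOREWALL_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "action": m.group("action"), "flags": []}
    for tok in m.group("rest").split():
        if "=" not in tok:
            fields["flags"].append(tok)
            continue
        key, val = tok.split("=", 1)
        if key in fields:
            key += "2"
        fields[key] = int(val) if val.isdigit() else val
    return fields


def describe_drop(f):
    """One-line explanation of a dropped packet; flags SSDP replies from a router."""
    zone_from, zone_to = f["chain"].split("2", 1)        # net2fw -> net, fw
    text = (f"{f['action']} {f['PROTO']} {f['SRC']}:{f.get('SPT')} -> "
            f"{f['DST']}:{f.get('DPT')} (zone {zone_from} to {zone_to})")
    if f.get("PROTO") == "UDP" and f.get("SPT") == 1900:
        text += " : source port 1900/udp is SSDP, a UPnP discovery reply"
    return text


def parse_diff(line):
    """Split one msec 'diff:' line; the number before the slash is a PID, not a port."""
    m = DIFF_RE.search(line)
    if not m:
        return None
    bind, port = m.group("local").rsplit(":", 1)
    return {"change": m.group("change"), "proto": m.group("proto"), "bind": bind,
            "port": port, "pid": int(m.group("pid")), "prog": m.group("prog")}


def summarize_diff(text):
    """Pair Removed/Added entries per (proto, port, program) to spot restarts vs new listeners."""
    seen = {}
    for line in text.splitlines():
        e = parse_diff(line)
        if e:
            seen.setdefault((e["proto"], e["port"], e["prog"]), {})[e["change"]] = e["pid"]
    out = []
    for (proto, port, prog), pids in sorted(seen.items()):
        if "Added" in pids and "Removed" in pids:
            out.append(f"{proto}/{port} {prog}: restarted, PID {pids['Removed']} -> {pids['Added']}")
        elif "Added" in pids:
            out.append(f"{proto}/{port} {prog}: NEW listener, PID {pids['Added']}")
        else:
            out.append(f"{proto}/{port} {prog}: gone, was PID {pids['Removed']}")
    return out


if __name__ == "__main__":
    for line in SAMPLE_MESSAGES.splitlines():
        f = parse_shorewall(line)
        if f:
            print(describe_drop(f))
    for s in summarize_diff(SAMPLE_SECURITY):
        print(s)
```

Run against a real /var/log/messages and security.log, a "restarted" line with a new PID for every service is what a reboot produces, while a "NEW listener" line for a program you do not recognise is the one to chase with the lsof and fuser commands above.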
I want to say thanks for the help in figuring out that my security concerns are 3 different issues not related to each other.
2 issues (a reset to factory defaults of my router, and a dodgy memory stick in my HP thin client) are solved; for the third issue, the problems after downloading the update mirrors, I'm in contact with Mandriva. Now I'm busy with 'rtfm' of the links I got from unSpawn and what I found in /usr/share/doc. The last thing I want is to make a suggestion: if in /var/log/messages behind every message there was a link, for example for the first issue in my initial question something like "more info at: /usr/share/doc/shorewall and /etc/shorewall, man shorewall.conf", more users would be able to help themselves. Thousands of thanks again, and I keep watching linuxquestions.org.
robeich