Re: questionable content in /var/log/messages
As you may see, my ssh server runs on 1025; it is on purpose. I am wondering why the --MARK--s are there.
The "MARK" message is simply a message automatically logged every 20 minutes. That way if syslog dies for some reason, you'll see a gap in the "MARK" messages. In systems that don't use that feature, it can be very hard to tell if logging has failed just by looking at the logs.
From what I understand, the '\005' is a command trying to be executed, and obviously the IP is remote.
Not entirely sure what that message is, but I wouldn't be surprised if it's a result of port scanning. A number of scanners like nmap will do service interrogation to identify daemon versions and services running on alternative ports. If the scanner tried a protocol (like nfs), it could cause those errors. There are also a number of trojans that use that as a default port, so it could also be someone trying to find compromised machines. It might be helpful to run tcpdump for a while and capture some packets in order to more accurately identify the cause.
Also, the log shows when I connected with ssh and says I connected from a different port, like in the 3000s. Why is that when I specified to connect on port 1025?
Could you post an example? I believe you're seeing the source port that you are connecting with, not the destination port. The source port will be variable and is usually >1023 (the actual ranges used are set in /proc/sys/net/ipv4/).
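As an added illustration (not part of the original thread), a small Python script that applies both points above to constructed sample syslog lines: it flags gaps between consecutive MARK entries longer than the 20-minute interval, and pulls the client's source port out of sshd login lines. The log lines, hostname, user and IP are made up; the "-- MARK --" spelling, the 20-minute interval and the year used for parsing are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from the original post). Classic syslog
# timestamps carry no year, so a fixed year is assumed for parsing.
SAMPLE_LOG = """\
Mar 12 10:00:01 myhost -- MARK --
Mar 12 10:20:01 myhost -- MARK --
Mar 12 10:40:01 myhost -- MARK --
Mar 12 11:00:01 myhost -- MARK --
Mar 12 11:03:17 myhost sshd[2143]: Accepted publickey for alice from 192.0.2.10 port 3412 ssh2
Mar 12 12:00:01 myhost -- MARK --
Mar 12 12:20:01 myhost -- MARK --
"""

MARK_INTERVAL = timedelta(minutes=20)   # assumed syslog mark interval
ASSUMED_YEAR = 2024

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
SSHD_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port (\d+)")

def parse_ts(text):
    return datetime.strptime(f"{ASSUMED_YEAR} {text}", "%Y %b %d %H:%M:%S")

def find_mark_gaps(log, interval=MARK_INTERVAL, slack=timedelta(minutes=1)):
    """Return (start, end) pairs where consecutive MARK lines are farther apart
    than the expected interval plus slack, i.e. syslog may have been down."""
    marks = []
    for line in log.splitlines():
        m = TS_RE.match(line)
        if m and m.group(3).strip() == "-- MARK --":
            marks.append(parse_ts(m.group(1)))
    return [(a, b) for a, b in zip(marks, marks[1:]) if b - a > interval + slack]

def ssh_source_ports(log):
    """Return (user, ip, source_port) for sshd logins; the port logged is the
    client's ephemeral source port, not the server's listening port."""
    out = []
    for line in log.splitlines():
        m = SSHD_RE.search(line)
        if m:
            out.append((m.group(1), m.group(2), int(m.group(3))))
    return out

if __name__ == "__main__":
    for a, b in find_mark_gaps(SAMPLE_LOG):
        print(f"MARK gap: {a:%H:%M} -> {b:%H:%M} ({b - a} without MARKs)")
    for user, ip, port in ssh_source_ports(SAMPLE_LOG):
        print(f"{user} from {ip}, client source port {port}")
```

On the sample data the 11:00 to 12:00 stretch is reported as a gap, while the login line yields source port 3412, which is what the poster saw in the 3000s.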