If eth0 is your public facing interface, do you have port 67 enabled (e.g. DHCP server bound to this interface without a firewall)?
It looks to me like it is either a mis-configuration that causes the DHCP to log as eth0 or some form of spoofed IP address to find a vulnerability in your (public facing?) DHCP server; possibly someone has this IP behind a router with NAT and tried connecting to your DHCP server and this is what showed up in the logs.
What is interesting is that the address (192.168.1.196) only works on a LAN and you are seeing this on a public NIC, which makes me think that it is a device behind a router, identifying itself as 192.168.1.196.
Yes, I am getting a static address from my ISP over the DHCP protocol, so they sent me the public IP I use over DHCP over eth0, but the ISP's DHCP server I am getting the address from is not in the private set of IP addresses; it is also a public address.
I had to change my eth0 MAC address to one the ISP accepts (I have some router they gave me, but I do not use it, only its MAC address).
The address 192.168.1.196 is not used by any host in the private network.
What confuses me here is that I am seeing in the logs
dhclient: DHCPREQUEST on eth0 to 192.168.1.196 port 67
which is the same as when I run
dhclient eth0, except it then sends the request to 255.255.255.255 (broadcast, as some of you wrote).
I am curious to find out what on this box initiates the above dhclient request.
What does the entire transaction chain look like? For example, here is one from my DHCP server:
Code:
Oct 14 15:53:32 server dhcpd: DHCPDISCOVER from 30:7c:30:fc:98:75 (BLACKBERRY-5D92) via br0
Oct 14 15:53:33 server dhcpd: DHCPOFFER on 192.168.0.23 to 30:7c:30:fc:98:75 (BLACKBERRY-5D92) via br0
Oct 14 15:53:33 server dhcpd: DHCPREQUEST for 192.168.0.23 (192.168.0.49) from 30:7c:30:fc:98:75 (BLACKBERRY-5D92) via br0
Oct 14 15:53:33 server dhcpd: DHCPACK on 192.168.0.23 to 30:7c:30:fc:98:75 (BLACKBERRY-5D92) via br0
In this case, it is correctly identifying the interface (br0), it provides the involved IP addresses, the MAC addresses and shows the chain of the events. Does this 192.168.1.196, in your case, get an IP or does it get a reject / error code of any sort?
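One way to pull the same transaction chain out of the client-side log, added here as an example that is not part of the thread: it pairs each message dhclient sends with the server reply that follows and flags unicast requests to RFC 1918 addresses on an interface expected to be public. The function name `audit`, the timestamps, the hostname `box` and the 203.0.113.1 server are constructed; only the DHCPREQUEST text comes from the post above.

```python
import ipaddress
import re

# Messages dhclient sends, e.g. "dhclient: DHCPREQUEST on eth0 to 192.168.1.196 port 67"
SENT = re.compile(r"dhclient(?:\[\d+\])?: (DHCP(?:DISCOVER|REQUEST)) on (\S+) to (\S+) port 67")
# Replies dhclient logs, e.g. "DHCPACK from 1.2.3.4" or "DHCPACK of 1.2.3.5 from 1.2.3.4"
RECV = re.compile(r"dhclient(?:\[\d+\])?: (DHCP(?:OFFER|ACK|NAK))(?: of \S+)? from (\S+)")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit(lines, public_ifaces):
    """Return one record per client-sent DHCP message, with the reply that followed (if any)."""
    records = []
    for line in lines:
        m = SENT.search(line)
        if m:
            msg, iface, dst = m.groups()
            addr = ipaddress.ip_address(dst)
            # Broadcast is the initial request; unicast is a renewal sent to the
            # server address the client recorded with its lease.
            unicast = dst != "255.255.255.255"
            records.append({
                "msg": msg, "iface": iface, "dst": dst,
                "kind": "unicast" if unicast else "broadcast",
                # Private destination on an interface that should only see public peers.
                "suspect": unicast and any(addr in n for n in RFC1918) and iface in public_ifaces,
                "reply": None,
            })
            continue
        m = RECV.search(line)
        if m and records and records[-1]["reply"] is None:
            records[-1]["reply"] = f"{m.group(1)} from {m.group(2)}"
    return records

# Constructed sample log (hypothetical host and ISP server address).
SAMPLE = [
    "Oct 14 15:50:01 box dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67",
    "Oct 14 15:50:01 box dhclient: DHCPACK from 203.0.113.1",
    "Oct 14 16:20:01 box dhclient: DHCPREQUEST on eth0 to 192.168.1.196 port 67",
    "Oct 14 16:20:08 box dhclient: DHCPREQUEST on eth0 to 192.168.1.196 port 67",
]

if __name__ == "__main__":
    for rec in audit(SAMPLE, {"eth0"}):
        flag = "SUSPECT" if rec["suspect"] else "ok"
        print(f'{flag:8}{rec["msg"]} {rec["kind"]} -> {rec["dst"]} on {rec["iface"]}; reply: {rec["reply"]}')
```

A flagged request with no reply recorded means the client kept retrying a server address it never heard back from, which is the detail the question above asks for.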