LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-20-2004, 06:21 PM   #1
deft
Member
 
Registered: Jan 2004
Location: Scotland
Distribution: Ubunto 7.10
Posts: 122

Rep: Reputation: 15
strange system log messages ?


Hi All,

I have noticed that I have strange log messages in my system logs. I am under the immpression that it is Firestarter which is causing these messages ( recently installed it ) I do not really want to post the whole firewall script, as that would be visual assault. I am not really up on firewall scripts and my interpetation ( Firestarter ) may be miles out. Can anyone help !!!

Thanks in advance.


deft.


Jan 20 23:41:04 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:41:04 localhost kernel: ll header: 45:00:00:28
Jan 20 23:42:41 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:42:41 localhost kernel: ll header: 45:00:00:28
Jan 20 23:42:58 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:42:58 localhost kernel: ll header: 45:00:00:28
Jan 20 23:43:14 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:43:14 localhost kernel: ll header: 45:00:00:28
Jan 20 23:43:48 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:43:48 localhost kernel: ll header: 45:00:00:28
Jan 20 23:45:17 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:45:17 localhost kernel: ll header: 45:00:00:28
Jan 20 23:45:25 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:45:25 localhost kernel: ll header: 45:00:00:28
Jan 20 23:45:33 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:45:33 localhost kernel: ll header: 45:00:00:28
 
Old 01-20-2004, 06:26 PM   #2
Pcghost
Senior Member
 
Registered: Feb 2003
Location: The Real Washington
Distribution: Debian, Android
Posts: 1,819

Rep: Reputation: 46
Under the directory

This is a setting in iptables that can be disabled. It basically makes a log entry everytime it recieves a malformed or broken packet.

To disable logging of martian sources change the 1 to a 0 at the top of the following file.

/proc/sys/net/ipv4/log_martians
 
Old 01-20-2004, 07:19 PM   #3
deft
Member
 
Registered: Jan 2004
Location: Scotland
Distribution: Ubunto 7.10
Posts: 122

Original Poster
Rep: Reputation: 15
I tried what you said and found that this file, /log_martians does not exist ?? I did a ls of the /proc/sys/net/ipv4 directory and here's the result:

conf ip_autoconfig route tcp_max_orphans tcp_stdurg
icmp_echo_ignore_all ip_conntrack_max tcp_abort_on_overflow tcp_max_syn_backlog tcp_synack_retries
icmp_echo_ignore_broadcasts ip_default_ttl tcp_adv_win_scale tcp_max_tw_buckets tcp_syncookies
icmp_ignore_bogus_error_responses ip_dynaddr tcp_app_win tcp_mem tcp_syn_retries
icmp_ratelimit ip_forward tcp_dsack tcp_orphan_retries tcp_timestamps
icmp_ratemask ipfrag_high_thresh tcp_ecn tcp_reordering tcp_tw_recycle
igmp_max_memberships ipfrag_low_thresh tcp_fack tcp_retrans_collapse tcp_tw_reuse
inet_peer_gc_maxtime ipfrag_time tcp_fin_timeout tcp_retries1 tcp_window_scaling
inet_peer_gc_mintime ip_local_port_range tcp_frto tcp_retries2 tcp_wmem
inet_peer_maxttl ip_nonlocal_bind tcp_keepalive_intvl tcp_rfc1337
inet_peer_minttl ip_no_pmtu_disc tcp_keepalive_probes tcp_rmem
inet_peer_threshold neigh tcp_keepalive_time tcp_sack
 
Old 01-20-2004, 07:51 PM   #4
Pcghost
Senior Member
 
Registered: Feb 2003
Location: The Real Washington
Distribution: Debian, Android
Posts: 1,819

Rep: Reputation: 46
I will check my server when I get home from class tonight. I may have misquoted the path. If there are any other iptables pros out there who want to beat me to the punch please feel free, otherwise I will get back to you in a couple hours..

Looking for the path to the log_martians setting used by iptables.
 
Old 01-21-2004, 01:19 AM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
On RH9:

/proc/sys/net/ipv4/conf/ppp0/log_martians
/proc/sys/net/ipv4/conf/all/log_martians

Last edited by Capt_Caveman; 01-21-2004 at 01:21 AM.
 
Old 01-21-2004, 09:15 AM   #6
deft
Member
 
Registered: Jan 2004
Location: Scotland
Distribution: Ubunto 7.10
Posts: 122

Original Poster
Rep: Reputation: 15
Thanks capt, I think thats solved it.

Cheers


deft
 
Old 01-21-2004, 02:20 PM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Sure. Pcghost did most of the work though.

Btw, it might be worthwhile to look into why your getting packets from 127.0.0.1 (non-routable IP) on your ppp0 interface (spoofed packets?). Given the temporal sequence of them, it doesn't look like an automated scan either.
 
Old 03-01-2004, 11:43 PM   #8
linuxgamer
Member
 
Registered: Sep 2003
Distribution: SuSE, Linspire, Fedora, RH Enterprise
Posts: 89

Rep: Reputation: 15
I have been seeing alot of these for awhile on my linux game server.
What are the possible DoS attacks that someone could
be trying to do to my server? Break in using spoofed packets?

log example below:

Jan 28 20:02:30 server47 kernel: martian source 207.*.*.* from 127.0.0.1, on dev eth0
Jan 28 20:02:30 server47 kernel: ll header: 00:04:23:2c:46:c0:00:e0:52:0a:fd:41:08:00
Jan 28 20:03:29 server47 sshd(pam_unix)[9482]: check pass; user unknown
Jan 28 20:03:29 server47 sshd(pam_unix)[9482]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=24.*.*.*
Jan 28 20:03:31 server47 sshd(pam_unix)[9482]: check pass; user unknown
Jan 28 20:03:44 server47 last message repeated 5 times
Jan 28 20:03:46 server47 sshd(pam_unix)[9482]: 6 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=24.*.*.*
Jan 28 20:03:46 server47 sshd(pam_unix)[9482]: service(sshd) ignoring max retries; 7 > 3
Jan 28 20:06:07 server47 sendmail: sendmail shutdown succeeded
Jan 28 20:06:10 server47 sendmail: sendmail startup succeeded
Jan 28 20:09:00 server47 sendmail: sendmail shutdown succeeded
Jan 28 20:09:01 server47 sendmail: sendmail startup succeeded
 
Old 03-02-2004, 07:55 AM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I don't believe that's a DoS attack. The first part looks like a spoofed packet (possibly part of a scan) followed by a series of failed login attempts. I would be concerned as to why sendmail turned off and on twice in close proximity to the initial probe attempts. Examine the output of last and lastb to see if there are any succesfull logins around that time. Also check your system and application logs for any application error messages,segfaults, panics around that time period as well as for any other suspicious messages. Given that those logs are over a month old, if someone has compromised your system, they've had plenty of time to manipulate the logs. Checkout /etc/passwd and see if you have any new users or users besides root with a uid or gid of 0. Probably would be prudent to download and compile chkrootkit on a separate system and run it on the probed system.
 
Old 03-02-2004, 12:19 PM   #10
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Quote:
Originally posted by Pcghost
Under the directory

This is a setting in iptables that can be disabled. It basically makes a log entry everytime it recieves a malformed or broken packet.

To disable logging of martian sources change the 1 to a 0 at the top of the following file.

/proc/sys/net/ipv4/log_martians
Gah, QUIT TELLING PEOPLE TO NOT LOG MARTIANS!!!

Martians exist because of one of two things:
a) Someone is trying to SPOOF an IP address and possibly attack your system
b) Someone (probably you) misconfigured a network device with a wrong IP address or subnet

YOU DO NOT WANT TO IGNORE EITHER OF THOSE CASES!!!

In this case, I found a lot of hits on google for: martian source 127.0.0.1

It looks like it's either a worm, or an automated cracker tool. DON'T IGNORE THAT!

You should make sure that you're dropping packets from any bogon network on your external interface (eth0, ppp0, whatever it happens to be) and also drop all packets that aren't going to your IP address. This prevents spoofing and makes it far less likely that someone will be able to sneak specially crafted packets through your firewall.

Now I know there is some iptables firewall script that is circulating widely (apparently from some HOW-TO, or possibly a book) that tells you to not log martians... DON'T KEEP PERPETUATING THAT FALLACY! Whomever wrote that clearly doesn't know much about security.

This is what I mean when I say the Linux community it like a giant game of "telephone". Someone reads some stuff on iptables and comes up with a script that works, they pass it to a friend, friend collects other stuff from other sources, puts it in the script, passes it on, etc... by the time it gets to the second or third person, no one really knows what they're doing, they just take stuff they read (but don't understand) and put it in the script. Sooner or later the script is on a site for download and people use it as a reference. No one ever checks the security credentials or experience of the people who wrote the script: Bad, BAD!.

There's nothing wrong with Linux users helping each other out, but people, please be a little more critical of the advice you receive! Just because someone tells you something and it doesn't seem to crash your system right away, that doesn't mean it's a good idea, and you certainly should not tell other people to do it unless you understand exactly what you're saying.

Last edited by chort; 03-02-2004 at 02:02 PM.
 
Old 03-02-2004, 01:53 PM   #11
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Chort, I'm not sure who that is directed at, but I'm clearly not advocating that. In fact quite the opposite, in most cases it should raise a big red flag that either something nefarious is going on or that some application is broken.
 
Old 03-02-2004, 02:00 PM   #12
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Quote:
Originally posted by Pcghost
Under the directory

This is a setting in iptables that can be disabled. It basically makes a log entry everytime it recieves a malformed or broken packet.

To disable logging of martian sources change the 1 to a 0 at the top of the following file.

/proc/sys/net/ipv4/log_martians
Sorry C_C, I was referring to this post (which by the way, is not factually correct--it has nothing to do with broken packets).

I'm getting really tired of security newbs telling each other to ignore martians when no one understands what they are or why they happen. Sorry, I'm just getting cranky in my old age

Edit: I edited the original post to include the quote that I was responding too. Sorry, that did look like it was directed at the wrong person.

PS C_C is obviously not a security newb. He knows what he's talking about

Last edited by chort; 03-02-2004 at 02:05 PM.
 
Old 03-02-2004, 08:20 PM   #13
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
OK, and yes I am aware that ignoring bogons is steadily becoming the bane of your existance (for a good reason)
 
Old 03-24-2004, 10:19 AM   #14
Pcghost
Senior Member
 
Registered: Feb 2003
Location: The Real Washington
Distribution: Debian, Android
Posts: 1,819

Rep: Reputation: 46
In response to your smiting, let me retort. I have been setting up iptables based firewalls for production machines for a couple of years now, without a single SUCCESSFUL intrusion, so let's keep the newbie cracks to yourself thank you.

The reason why I suggest disabling logging martians is simple. If your firewall is set up correctly, martians are harmless noise that will occur virtually everytime you have iptables set up and a live Internet connection. The reason they are filling your logs is because they are being dropped. If you are ultra paranoid (not always a bad thing) leave it enabled, and chase every worm across the Internet for the rest of your career. If the question is "how do I get rid of them" the answer is disable the logging or hunt down every author of worms that utilize packet spoofing. If anyone has a better answer than please speak up, but insults are rarely necessary to answer a simple question....
 
Old 03-24-2004, 01:03 PM   #15
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Erm, you're ignoring the fact that martians can come from INSIDE your network, not always outside. If you don't log martians, it will take you a lot longer to discover (if you ever do) that you have misconfigured devices internally. It's also a very good idea to log them if you have a wireless access point, so you get a heads up when people are trying to sneak on without permission.

That aside, what if your firewall is NOT setup correctly? I cannot count the number of totally flawed iptables scripts I've seen, because it seems like every newbie and his mouse are posting iptables scripts for people to download. If the first thing the script does is to turn off debugging information, you're going to have a false sense of security.

Last, I have a bogon filter on my firewall and anti-spoofing on every interface. The only time I get martians (well, not using Linux so they aren't called "martians", but you get the idea) is when I move a laptop between the LAN and the DMZ and forget to re-IP it, and all of once did my firewall log external martians (before this ISS PAM exploit worm, that is) but even this worm is barely causing a blip in my firewall log compared to the normal cruft I get (and that's even with all Microsoft service ports dropped w/o logging).

The problem is that Linux puts the firewall logs in the kernel log, which really clutters things up. On OpenBSD there's a completely separate log for such things. The only time I see things show up in my kernel log is if a physically connected device tries to tell me it's from an IP outside of my subnet (which happened when my ISP misconfigured their new router, imagine their reaction when I politely informed them that their router was not setup correctly... but hey, at least they fixed it . Other than a problem with your ISP, that would never happen.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
send log messages to another system anurag1510 Red Hat 7 10-11-2005 06:19 AM
wierd messages in system log ambelos SUSE / openSUSE 2 03-16-2005 12:55 PM
strange logs in /var/log/messages dominant Linux - Security 1 04-21-2004 12:12 PM
Messages log, strange Equis Linux - Security 1 03-28-2004 04:48 AM
Strange messages in system logs BajaNick Linux - Security 3 09-15-2003 10:52 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:09 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration