LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
strange system log messages?

#1  deft  (01-20-2004, 06:21 PM)


Hi All,

I have noticed that I have strange log messages in my system logs. I am under the impression that it is Firestarter which is causing these messages (recently installed it). I do not really want to post the whole firewall script, as that would be visual assault. I am not really up on firewall scripts and my interpretation (Firestarter) may be miles out. Can anyone help?

Thanks in advance.


deft.


Jan 20 23:41:04 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:41:04 localhost kernel: ll header: 45:00:00:28
Jan 20 23:42:41 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:42:41 localhost kernel: ll header: 45:00:00:28
Jan 20 23:42:58 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:42:58 localhost kernel: ll header: 45:00:00:28
Jan 20 23:43:14 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:43:14 localhost kernel: ll header: 45:00:00:28
Jan 20 23:43:48 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:43:48 localhost kernel: ll header: 45:00:00:28
Jan 20 23:45:17 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:45:17 localhost kernel: ll header: 45:00:00:28
Jan 20 23:45:25 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:45:25 localhost kernel: ll header: 45:00:00:28
Jan 20 23:45:33 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:45:33 localhost kernel: ll header: 45:00:00:28
 
#2  Pcghost  (01-20-2004, 06:26 PM)
Under the directory

This is a setting in iptables that can be disabled. It basically makes a log entry every time it receives a malformed or broken packet.

To disable logging of martian sources change the 1 to a 0 at the top of the following file.

/proc/sys/net/ipv4/log_martians
 
#3  deft  (01-20-2004, 07:19 PM)
I tried what you said and found that this file, /log_martians, does not exist? I did an ls of the /proc/sys/net/ipv4 directory and here's the result:

conf ip_autoconfig route tcp_max_orphans tcp_stdurg
icmp_echo_ignore_all ip_conntrack_max tcp_abort_on_overflow tcp_max_syn_backlog tcp_synack_retries
icmp_echo_ignore_broadcasts ip_default_ttl tcp_adv_win_scale tcp_max_tw_buckets tcp_syncookies
icmp_ignore_bogus_error_responses ip_dynaddr tcp_app_win tcp_mem tcp_syn_retries
icmp_ratelimit ip_forward tcp_dsack tcp_orphan_retries tcp_timestamps
icmp_ratemask ipfrag_high_thresh tcp_ecn tcp_reordering tcp_tw_recycle
igmp_max_memberships ipfrag_low_thresh tcp_fack tcp_retrans_collapse tcp_tw_reuse
inet_peer_gc_maxtime ipfrag_time tcp_fin_timeout tcp_retries1 tcp_window_scaling
inet_peer_gc_mintime ip_local_port_range tcp_frto tcp_retries2 tcp_wmem
inet_peer_maxttl ip_nonlocal_bind tcp_keepalive_intvl tcp_rfc1337
inet_peer_minttl ip_no_pmtu_disc tcp_keepalive_probes tcp_rmem
inet_peer_threshold neigh tcp_keepalive_time tcp_sack
 
#4  Pcghost  (01-20-2004, 07:51 PM)
I will check my server when I get home from class tonight. I may have misquoted the path. If there are any other iptables pros out there who want to beat me to the punch, please feel free; otherwise I will get back to you in a couple of hours.

Looking for the path to the log_martians setting used by iptables.
 
#5  Capt_Caveman  (01-21-2004, 01:19 AM)
On RH9:

/proc/sys/net/ipv4/conf/ppp0/log_martians
/proc/sys/net/ipv4/conf/all/log_martians

Last edited by Capt_Caveman; 01-21-2004 at 01:21 AM.
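Where the knob actually lives, as an added example (not code from this thread): a small Python audit of the per-interface files Capt_Caveman names. It encodes how the kernel combines conf/all with conf/<iface>: log_martians is the logical OR of the two (the kernel's IN_DEV_ORCONF), rp_filter takes the larger value (IN_DEV_MAXCONF in current kernels). The write_fake_conf and demo helpers only build a look-alike directory tree so the audit can run offline; the interface names and values in demo are constructed.

```python
"""Audit martian logging and reverse-path filtering per interface.

Added example for this thread (not code from the original posts).  It reads
the same files Capt_Caveman points at:
    /proc/sys/net/ipv4/conf/all/log_martians
    /proc/sys/net/ipv4/conf/<iface>/log_martians
The kernel combines "all" with the per-interface value: log_martians is
ORed (IN_DEV_ORCONF), rp_filter takes the maximum (IN_DEV_MAXCONF), so
setting conf/all/log_martians=1 is enough to log on every interface.
"""
import os
import tempfile

CONF_ROOT = "/proc/sys/net/ipv4/conf"


def read_knob(base, iface, name):
    """Return the integer value of conf/<iface>/<name>; a missing file counts as 0."""
    try:
        with open(os.path.join(base, iface, name)) as f:
            return int(f.read().strip() or 0)
    except FileNotFoundError:
        return 0


def effective_log_martians(all_val, iface_val):
    # Kernel: IN_DEV_ORCONF -> logging is on if either value is non-zero.
    return bool(all_val or iface_val)


def effective_rp_filter(all_val, iface_val):
    # Kernel: IN_DEV_MAXCONF -> 0 off, 1 strict, 2 loose; the stricter value wins.
    return max(all_val, iface_val)


def audit(base=CONF_ROOT):
    """Return {iface: {"log_martians": bool, "rp_filter": int}} for real interfaces."""
    all_lm = read_knob(base, "all", "log_martians")
    all_rp = read_knob(base, "all", "rp_filter")
    report = {}
    for iface in sorted(os.listdir(base)):
        if iface in ("all", "default"):   # "default" only seeds interfaces created later
            continue
        report[iface] = {
            "log_martians": effective_log_martians(all_lm, read_knob(base, iface, "log_martians")),
            "rp_filter": effective_rp_filter(all_rp, read_knob(base, iface, "rp_filter")),
        }
    return report


def unlogged_interfaces(report):
    """Interfaces on which a spoofed or bogon source would be dropped silently."""
    return [i for i, v in report.items() if not v["log_martians"]]


def write_fake_conf(base, per_iface):
    """Build a conf/-shaped tree so the audit can be exercised offline."""
    for iface, knobs in per_iface.items():
        os.makedirs(os.path.join(base, iface), exist_ok=True)
        for name, val in knobs.items():
            with open(os.path.join(base, iface, name), "w") as f:
                f.write(f"{val}\n")


def demo():
    """Constructed scenario: 'all' is off, ppp0 sets its own flag, eth1 relies on 'all'."""
    base = tempfile.mkdtemp()
    write_fake_conf(base, {
        "all":     {"log_martians": 0, "rp_filter": 1},
        "default": {"log_martians": 0, "rp_filter": 0},
        "lo":      {"log_martians": 0, "rp_filter": 0},
        "ppp0":    {"log_martians": 1, "rp_filter": 0},
        "eth1":    {"log_martians": 0, "rp_filter": 2},
    })
    return audit(base)


if __name__ == "__main__":
    for iface, v in audit().items():
        print(f"{iface:8} log_martians={int(v['log_martians'])} rp_filter={v['rp_filter']}")
```

To make the logging stick across reboots put `net.ipv4.conf.all.log_martians = 1` and `net.ipv4.conf.all.rp_filter = 1` in /etc/sysctl.conf and run `sysctl -p`. The max rule for rp_filter models current kernels; on the 2.4-era kernel in this thread rp_filter only took effect when both conf/all and conf/<iface> were non-zero, so setting both is the safe habit.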
 
#6  deft  (01-21-2004, 09:15 AM)
Thanks Capt, I think that's solved it.

Cheers


deft
 
#7  Capt_Caveman  (01-21-2004, 02:20 PM)
Sure. Pcghost did most of the work though.

Btw, it might be worthwhile to look into why you're getting packets from 127.0.0.1 (non-routable IP) on your ppp0 interface (spoofed packets?). Given the temporal sequence of them, it doesn't look like an automated scan either.
 
#8  linuxgamer  (03-01-2004, 11:43 PM)
I have been seeing a lot of these for a while on my Linux game server. What are the possible DoS attacks that someone could be trying to do to my server? Break in using spoofed packets?

log example below:

Jan 28 20:02:30 server47 kernel: martian source 207.*.*.* from 127.0.0.1, on dev eth0
Jan 28 20:02:30 server47 kernel: ll header: 00:04:23:2c:46:c0:00:e0:52:0a:fd:41:08:00
Jan 28 20:03:29 server47 sshd(pam_unix)[9482]: check pass; user unknown
Jan 28 20:03:29 server47 sshd(pam_unix)[9482]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=24.*.*.*
Jan 28 20:03:31 server47 sshd(pam_unix)[9482]: check pass; user unknown
Jan 28 20:03:44 server47 last message repeated 5 times
Jan 28 20:03:46 server47 sshd(pam_unix)[9482]: 6 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=24.*.*.*
Jan 28 20:03:46 server47 sshd(pam_unix)[9482]: service(sshd) ignoring max retries; 7 > 3
Jan 28 20:06:07 server47 sendmail: sendmail shutdown succeeded
Jan 28 20:06:10 server47 sendmail: sendmail startup succeeded
Jan 28 20:09:00 server47 sendmail: sendmail shutdown succeeded
Jan 28 20:09:01 server47 sendmail: sendmail startup succeeded
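What the two-line "martian source" / "ll header" pair actually tells you, as an added example (not code from the thread). The kernel prints the bytes it found in front of the IP packet: on Ethernet that is the 14-byte frame header (destination MAC, source MAC, ethertype), which is why linuxgamer's eth0 line is longer than deft's ppp0 line; a PPP link carries no Ethernet framing, so the four bytes on ppp0 are the start of the IP header itself (0x45 = IPv4 with a 20-byte header, total length 0x0028 = 40 bytes). The sample log below is constructed from the lines posted above with the masked octets replaced by documentation addresses.

```python
"""Decode the kernel's "martian source" log pairs.

Added example for this thread, not code from the posts.  The kernel logs
two lines per martian: the verdict line and an "ll header:" line with the
raw link-layer header bytes it saw in front of the IP packet.  On Ethernet
that is 14 bytes (dst MAC, src MAC, ethertype); on a PPP link there is no
such header, so the dump starts at the IP header itself (0x45 = IPv4, IHL 5).
SAMPLE_LOG is constructed from the thread's lines (masked octets replaced
with documentation addresses).
"""
import ipaddress
import re

MARTIAN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"martian source (?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)$"
)
LLHDR_RE = re.compile(r"kernel: ll header: (?P<bytes>[0-9a-f]{2}(?::[0-9a-f]{2})*)$")

SAMPLE_LOG = """\
Jan 20 23:41:04 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:41:04 localhost kernel: ll header: 45:00:00:28
Jan 28 20:02:30 server47 kernel: martian source 203.0.113.47 from 127.0.0.1, on dev eth0
Jan 28 20:02:30 server47 kernel: ll header: 00:04:23:2c:46:c0:00:e0:52:0a:fd:41:08:00
Jan 28 20:05:12 server47 kernel: martian source 203.0.113.47 from 10.9.8.7, on dev eth0
Jan 28 20:05:12 server47 kernel: ll header: 00:04:23:2c:46:c0:00:e0:52:0a:fd:41:08:00
"""


def classify_source(src):
    """Why the kernel would refuse this source address (loopback checked first:
    127/8 also counts as private in the ipaddress module)."""
    ip = ipaddress.ip_address(src)
    if ip.is_loopback:
        return "loopback (127/8) arriving on a non-loopback interface"
    if ip.is_private:
        return "RFC 1918 private address on an external link"
    if ip.is_multicast:
        return "multicast address used as a source"
    if ip.is_unspecified:
        return "unspecified (0.0.0.0) source"
    if ip.is_reserved or ip.is_link_local:
        return "reserved or link-local source"
    return "route lookup for the source does not point back out this interface"


def decode_ll_header(hexbytes):
    """Interpret the ll header dump; returns a dict describing what it contains."""
    raw = bytes.fromhex(hexbytes.replace(":", ""))

    def mac(b):
        return ":".join(f"{x:02x}" for x in b)

    if len(raw) >= 14 and raw[12:14] in (b"\x08\x00", b"\x86\xdd", b"\x08\x06"):
        return {"kind": "ethernet", "dst_mac": mac(raw[0:6]), "src_mac": mac(raw[6:12]),
                "ethertype": f"0x{int.from_bytes(raw[12:14], 'big'):04x}"}
    if len(raw) >= 4 and raw[0] >> 4 == 4:
        # No link-layer header (PPP): these bytes are the start of the IP header.
        return {"kind": "ip-header", "ihl_bytes": (raw[0] & 0x0F) * 4,
                "total_length": int.from_bytes(raw[2:4], "big")}
    return {"kind": "unknown", "raw": hexbytes}


def parse_martians(text):
    """Pair each martian verdict with its ll header line and annotate it."""
    events, pending = [], None
    for line in text.splitlines():
        m = MARTIAN_RE.match(line)
        if m:
            pending = m.groupdict()
            pending["reason"] = classify_source(pending["src"])
            events.append(pending)
            continue
        h = LLHDR_RE.search(line)
        if h and pending is not None:
            pending["ll"] = decode_ll_header(h["bytes"])
            pending = None
    return events


def sender_macs(events):
    """Ethernet-side martians: the MACs that put the spoofed packets on the wire."""
    return sorted({e["ll"]["src_mac"] for e in events if e.get("ll", {}).get("kind") == "ethernet"})


if __name__ == "__main__":
    for e in parse_martians(SAMPLE_LOG):
        print(f"{e['ts']} {e['dev']}: {e['src']} -> {e['dst']}  {e['reason']}  {e['ll']}")
```

The source MAC is the useful part of the Ethernet dump: if it is your upstream router's address the spoofed packet came from outside, if it is some other station on the segment you have a misconfigured or hostile machine on the LAN (chort's "martians from inside" case below). A total length of 40 on the ppp0 line is a 20-byte IP header plus a 20-byte TCP header with no options, typical of a raw-socket probe rather than a normal connection.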
 
#9  Capt_Caveman  (03-02-2004, 07:55 AM)
I don't believe that's a DoS attack. The first part looks like a spoofed packet (possibly part of a scan) followed by a series of failed login attempts. I would be concerned as to why sendmail turned off and on twice in close proximity to the initial probe attempts. Examine the output of last and lastb to see if there are any successful logins around that time. Also check your system and application logs for any application error messages, segfaults, panics around that time period as well as for any other suspicious messages. Given that those logs are over a month old, if someone has compromised your system, they've had plenty of time to manipulate the logs. Check out /etc/passwd and see if you have any new users or users besides root with a uid or gid of 0. Probably would be prudent to download and compile chkrootkit on a separate system and run it on the probed system.
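Two of the checks in that list scripted, as an added example (not code from the thread): the /etc/passwd scan for extra uid 0 or gid 0 accounts, and a timeline pass over the syslog excerpt that flags a service stop within a few minutes of a martian or a burst of sshd failures, which is the sendmail pattern Capt_Caveman is worried about. The passwd lines and the log are constructed to look like linuxgamer's "server47"; real use reads /etc/passwd and /var/log/messages instead.

```python
"""First-pass triage of the signs Capt_Caveman lists.

Added example, not from the thread.  Two checks that need no extra tools:
  1. /etc/passwd: any account besides root with uid 0 or gid 0.
  2. syslog: a service shutdown (here sendmail) within a short window after
     a martian or sshd authentication failures.
PASSWD_SAMPLE and LOG_SAMPLE are constructed to resemble the thread's
"server47"; real use reads /etc/passwd and /var/log/messages instead.
"""
import re
from datetime import datetime, timedelta

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
gamesrv:x:500:500:Game server:/home/gamesrv:/bin/bash
sysadm:x:0:500:helper:/tmp:/bin/bash
backup:x:501:0:backup:/var/backup:/bin/sh
"""

LOG_SAMPLE = """\
Jan 28 20:02:30 server47 kernel: martian source 203.0.113.47 from 127.0.0.1, on dev eth0
Jan 28 20:03:29 server47 sshd(pam_unix)[9482]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.9
Jan 28 20:03:46 server47 sshd(pam_unix)[9482]: 6 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.9
Jan 28 20:06:07 server47 sendmail: sendmail shutdown succeeded
Jan 28 20:06:10 server47 sendmail: sendmail startup succeeded
Jan 28 20:09:00 server47 sendmail: sendmail shutdown succeeded
Jan 28 20:09:01 server47 sendmail: sendmail startup succeeded
Jan 29 03:15:00 server47 sendmail: sendmail shutdown succeeded
Jan 29 03:15:02 server47 sendmail: sendmail startup succeeded
"""


def suspicious_passwd_entries(text):
    """Accounts other than root that would get root's uid or gid."""
    hits = []
    for line in text.splitlines():
        fields = line.split(":")
        if not line.strip() or len(fields) < 7:
            continue
        name, uid, gid = fields[0], int(fields[2]), int(fields[3])
        if name != "root" and (uid == 0 or gid == 0):
            hits.append((name, uid, gid))
    return hits


SYSLOG_TS = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (.*)$")
TRIGGERS = (
    ("martian", re.compile(r"kernel: martian source")),
    ("ssh-auth-failure", re.compile(r"sshd\S*: .*authentication failure")),
)
RESTART = re.compile(r"(\S+): \1 (shutdown|startup) succeeded")


def parse_syslog(text, year=2004):
    """Yield (datetime, message); classic syslog lines carry no year, so supply one."""
    for line in text.splitlines():
        m = SYSLOG_TS.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)


def restarts_after_probe(text, window_minutes=10):
    """Service shutdowns that follow a probe (martian or sshd failure) within the window.

    Returns [(timestamp, service, sorted probe kinds seen in the window)]."""
    window = timedelta(minutes=window_minutes)
    events = list(parse_syslog(text))
    probes = [(t, kind) for t, msg in events for kind, rx in TRIGGERS if rx.search(msg)]
    findings = []
    for t, msg in events:
        r = RESTART.search(msg)
        if not r or r.group(2) != "shutdown":
            continue
        recent = {kind for pt, kind in probes if timedelta(0) <= t - pt <= window}
        if recent:
            findings.append((t.strftime("%b %d %H:%M:%S"), r.group(1), sorted(recent)))
    return findings


if __name__ == "__main__":
    print("uid/gid 0 accounts besides root:", suspicious_passwd_entries(PASSWD_SAMPLE))
    for when, svc, why in restarts_after_probe(LOG_SAMPLE):
        print(f"{when}: {svc} stopped within 10 min of {', '.join(why)}")
```

The login history itself comes from `last` (wtmp) and `lastb` (btmp), and the same caveat applies to all of it: an attacker with root can edit passwd and the logs, which is why the post says to build chkrootkit on a separate, trusted system rather than on the suspect one.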
 
#10  chort  (03-02-2004, 12:19 PM)
Quote:
Originally posted by Pcghost
Under the directory

This is a setting in iptables that can be disabled. It basically makes a log entry every time it receives a malformed or broken packet.

To disable logging of martian sources change the 1 to a 0 at the top of the following file.

/proc/sys/net/ipv4/log_martians
Gah, QUIT TELLING PEOPLE NOT TO LOG MARTIANS!!!

Martians exist because of one of two things:
a) Someone is trying to SPOOF an IP address and possibly attack your system
b) Someone (probably you) misconfigured a network device with a wrong IP address or subnet

YOU DO NOT WANT TO IGNORE EITHER OF THOSE CASES!!!

In this case, I found a lot of hits on Google for: martian source 127.0.0.1

It looks like it's either a worm, or an automated cracker tool. DON'T IGNORE THAT!

You should make sure that you're dropping packets from any bogon network on your external interface (eth0, ppp0, whatever it happens to be) and also drop all packets that aren't going to your IP address. This prevents spoofing and makes it far less likely that someone will be able to sneak specially crafted packets through your firewall.

Now I know there is some iptables firewall script that is circulating widely (apparently from some HOWTO, or possibly a book) that tells you not to log martians... DON'T KEEP PERPETUATING THAT FALLACY! Whoever wrote that clearly doesn't know much about security.

This is what I mean when I say the Linux community is like a giant game of "telephone". Someone reads some stuff on iptables and comes up with a script that works, they pass it to a friend, friend collects other stuff from other sources, puts it in the script, passes it on, etc... by the time it gets to the second or third person, no one really knows what they're doing, they just take stuff they read (but don't understand) and put it in the script. Sooner or later the script is on a site for download and people use it as a reference. No one ever checks the security credentials or experience of the people who wrote the script: Bad, BAD!

There's nothing wrong with Linux users helping each other out, but people, please be a little more critical of the advice you receive! Just because someone tells you something and it doesn't seem to crash your system right away, that doesn't mean it's a good idea, and you certainly should not tell other people to do it unless you understand exactly what you're saying.

Last edited by chort; 03-02-2004 at 02:02 PM.
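The two rules chort asks for, as an added example (not code from the thread): drop anything arriving on the external interface from a bogon range, and drop anything not addressed to that interface's own address. The generator below emits iptables commands as strings (nothing is executed) and keeps the logging on but rate limited, which is the middle ground between chort's "always log" and Pcghost's "it fills my logs". It also handles the edge case that bites people who copy bogon lists blindly: when the "external" address is itself RFC 1918 (a box behind NAT), the matching range is skipped and reported instead of cutting the link. The interface names and addresses used are constructed; the bogon list is the usual special-use ranges.

```python
"""Anti-spoofing (bogon) rules for the external interface.

Added example for chort's advice, not code from the thread.  It builds the
iptables commands (as strings; nothing is executed) that log and drop
inbound packets on the external interface whose source is a bogon, and
packets not addressed to that interface's own address.  Logging is rate
limited so it can stay enabled without flooding the kernel log.
"ppp0" / 81.135.30.166 and "eth0" / 192.168.1.20 below are constructed.
"""
import ipaddress

# Special-use ranges that must never appear as a source on the Internet.
BOGONS = [
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "127.0.0.0/8",      # loopback, the source in this thread's logs
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918
    "192.0.2.0/24",     # TEST-NET-1
    "192.168.0.0/16",   # RFC 1918
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
]


def antispoof_rules(iface, own_ip, bogons=BOGONS, chain="ANTISPOOF", log_rate="5/minute"):
    """Return (iptables commands, bogon ranges skipped because own_ip lies inside one)."""
    me = ipaddress.ip_address(own_ip)
    rules, skipped = [], []
    rules.append(f"iptables -N {chain}")
    rules.append(f"iptables -A INPUT -i {iface} -j {chain}")
    limit = f"-m limit --limit {log_rate} --limit-burst 10"
    for cidr in bogons:
        net = ipaddress.ip_network(cidr)
        if me in net:
            # Caveat: behind NAT (or CGNAT) the "external" address is itself
            # RFC 1918.  Dropping that range would cut the link, so skip it
            # and tell the caller the filter is weaker than intended.
            skipped.append(cidr)
            continue
        rules.append(f'iptables -A {chain} -s {net} {limit} -j LOG --log-prefix "BOGON "')
        rules.append(f"iptables -A {chain} -s {net} -j DROP")
    # Everything arriving on the external interface must be addressed to us.
    rules.append(f'iptables -A {chain} ! -d {me} {limit} -j LOG --log-prefix "NOTME "')
    rules.append(f"iptables -A {chain} ! -d {me} -j DROP")
    rules.append(f"iptables -A {chain} -j RETURN")
    return rules, skipped


def drop_count(rules):
    """Number of DROP rules: one per bogon range kept, plus the not-for-us rule."""
    return sum(r.endswith("-j DROP") for r in rules)


if __name__ == "__main__":
    cmds, skipped = antispoof_rules("ppp0", "81.135.30.166")
    print("\n".join(cmds))
    if skipped:
        print("# WARNING: own address is inside", ", ".join(skipped), "- that range is not filtered")
```

Review the output before piping it to a shell. On a router the same chain belongs on FORWARD as well as INPUT; on an interface that takes DHCP or other broadcast traffic the `! -d` rule needs an exception for the broadcast address; and rp_filter (the sysctl from post #5) catches the same spoofs one layer earlier, so enable both.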
 
#11  Capt_Caveman  (03-02-2004, 01:53 PM)
Chort, I'm not sure who that is directed at, but I'm clearly not advocating that. In fact quite the opposite, in most cases it should raise a big red flag that either something nefarious is going on or that some application is broken.
 
#12  chort  (03-02-2004, 02:00 PM)
Quote:
Originally posted by Pcghost
Under the directory

This is a setting in iptables that can be disabled. It basically makes a log entry every time it receives a malformed or broken packet.

To disable logging of martian sources change the 1 to a 0 at the top of the following file.

/proc/sys/net/ipv4/log_martians
Sorry C_C, I was referring to this post (which by the way, is not factually correct--it has nothing to do with broken packets).

I'm getting really tired of security newbs telling each other to ignore martians when no one understands what they are or why they happen. Sorry, I'm just getting cranky in my old age.

Edit: I edited the original post to include the quote that I was responding to. Sorry, that did look like it was directed at the wrong person.

PS: C_C is obviously not a security newb. He knows what he's talking about.

Last edited by chort; 03-02-2004 at 02:05 PM.
 
#13  Capt_Caveman  (03-02-2004, 08:20 PM)
OK, and yes, I am aware that ignoring bogons is steadily becoming the bane of your existence (for a good reason).
 
#14  Pcghost  (03-24-2004, 10:19 AM)
In response to your smiting, let me retort. I have been setting up iptables based firewalls for production machines for a couple of years now, without a single SUCCESSFUL intrusion, so let's keep the newbie cracks to yourself, thank you.

The reason why I suggest disabling logging martians is simple. If your firewall is set up correctly, martians are harmless noise that will occur virtually every time you have iptables set up and a live Internet connection. The reason they are filling your logs is because they are being dropped. If you are ultra paranoid (not always a bad thing) leave it enabled, and chase every worm across the Internet for the rest of your career. If the question is "how do I get rid of them" the answer is disable the logging or hunt down every author of worms that utilize packet spoofing. If anyone has a better answer then please speak up, but insults are rarely necessary to answer a simple question....
 
#15  chort  (03-24-2004, 01:03 PM)
Erm, you're ignoring the fact that martians can come from INSIDE your network, not always outside. If you don't log martians, it will take you a lot longer to discover (if you ever do) that you have misconfigured devices internally. It's also a very good idea to log them if you have a wireless access point, so you get a heads up when people are trying to sneak on without permission.

That aside, what if your firewall is NOT set up correctly? I cannot count the number of totally flawed iptables scripts I've seen, because it seems like every newbie and his mouse are posting iptables scripts for people to download. If the first thing the script does is to turn off debugging information, you're going to have a false sense of security.

Last, I have a bogon filter on my firewall and anti-spoofing on every interface. The only time I get martians (well, not using Linux so they aren't called "martians", but you get the idea) is when I move a laptop between the LAN and the DMZ and forget to re-IP it, and all of once did my firewall log external martians (before this ISS PAM exploit worm, that is) but even this worm is barely causing a blip in my firewall log compared to the normal cruft I get (and that's even with all Microsoft service ports dropped w/o logging).

The problem is that Linux puts the firewall logs in the kernel log, which really clutters things up. On OpenBSD there's a completely separate log for such things. The only time I see things show up in my kernel log is if a physically connected device tries to tell me it's from an IP outside of my subnet (which happened when my ISP misconfigured their new router; imagine their reaction when I politely informed them that their router was not set up correctly... but hey, at least they fixed it). Other than a problem with your ISP, that would never happen.
 