Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I have noticed that I have strange log messages in my system logs. I am under the impression that it is Firestarter which is causing these messages (recently installed it). I do not really want to post the whole firewall script, as that would be visual assault. I am not really up on firewall scripts and my interpretation (Firestarter) may be miles out. Can anyone help!!!
Thanks in advance.
deft.
Jan 20 23:41:04 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:41:04 localhost kernel: ll header: 45:00:00:28
Jan 20 23:42:41 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:42:41 localhost kernel: ll header: 45:00:00:28
Jan 20 23:42:58 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:42:58 localhost kernel: ll header: 45:00:00:28
Jan 20 23:43:14 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:43:14 localhost kernel: ll header: 45:00:00:28
Jan 20 23:43:48 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:43:48 localhost kernel: ll header: 45:00:00:28
Jan 20 23:45:17 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:45:17 localhost kernel: ll header: 45:00:00:28
Jan 20 23:45:25 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:45:25 localhost kernel: ll header: 45:00:00:28
Jan 20 23:45:33 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:45:33 localhost kernel: ll header: 45:00:00:28
Distribution: Fedora, Debian, OpenSuSE and Android
Posts: 1,820
I will check my server when I get home from class tonight. I may have misquoted the path. If there are any other iptables pros out there who want to beat me to the punch please feel free, otherwise I will get back to you in a couple hours..
Looking for the path to the log_martians setting used by iptables.
Btw, it might be worthwhile to look into why you're getting packets from 127.0.0.1 (non-routable IP) on your ppp0 interface (spoofed packets?). Given the temporal sequence of them, it doesn't look like an automated scan either.
I have been seeing a lot of these for a while on my linux game server.
What are the possible DoS attacks that someone could be trying to do to my server? Break in using spoofed packets?
log example below:
Jan 28 20:02:30 server47 kernel: martian source 207.*.*.* from 127.0.0.1, on dev eth0
Jan 28 20:02:30 server47 kernel: ll header: 00:04:23:2c:46:c0:00:e0:52:0a:fd:41:08:00
Jan 28 20:03:29 server47 sshd(pam_unix)[9482]: check pass; user unknown
Jan 28 20:03:29 server47 sshd(pam_unix)[9482]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=24.*.*.*
Jan 28 20:03:31 server47 sshd(pam_unix)[9482]: check pass; user unknown
Jan 28 20:03:44 server47 last message repeated 5 times
Jan 28 20:03:46 server47 sshd(pam_unix)[9482]: 6 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=24.*.*.*
Jan 28 20:03:46 server47 sshd(pam_unix)[9482]: service(sshd) ignoring max retries; 7 > 3
Jan 28 20:06:07 server47 sendmail: sendmail shutdown succeeded
Jan 28 20:06:10 server47 sendmail: sendmail startup succeeded
Jan 28 20:09:00 server47 sendmail: sendmail shutdown succeeded
Jan 28 20:09:01 server47 sendmail: sendmail startup succeeded
I don't believe that's a DoS attack. The first part looks like a spoofed packet (possibly part of a scan) followed by a series of failed login attempts. I would be concerned as to why sendmail turned off and on twice in close proximity to the initial probe attempts. Examine the output of last and lastb to see if there are any successful logins around that time. Also check your system and application logs for any application error messages, segfaults, panics around that time period as well as for any other suspicious messages. Given that those logs are over a month old, if someone has compromised your system, they've had plenty of time to manipulate the logs. Check out /etc/passwd and see if you have any new users or users besides root with a uid or gid of 0. Probably would be prudent to download and compile chkrootkit on a separate system and run it on the probed system.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Quote:
Originally posted by Pcghost Under the directory
This is a setting in iptables that can be disabled. It basically makes a log entry every time it receives a malformed or broken packet.
To disable logging of martian sources change the 1 to a 0 at the top of the following file.
/proc/sys/net/ipv4/log_martians
Gah, QUIT TELLING PEOPLE TO NOT LOG MARTIANS!!!
Martians exist because of one of two things:
a) Someone is trying to SPOOF an IP address and possibly attack your system
b) Someone (probably you) misconfigured a network device with a wrong IP address or subnet
YOU DO NOT WANT TO IGNORE EITHER OF THOSE CASES!!!
In this case, I found a lot of hits on google for: martian source 127.0.0.1
It looks like it's either a worm, or an automated cracker tool. DON'T IGNORE THAT!
You should make sure that you're dropping packets from any bogon network on your external interface (eth0, ppp0, whatever it happens to be) and also drop all packets that aren't going to your IP address. This prevents spoofing and makes it far less likely that someone will be able to sneak specially crafted packets through your firewall.
Now I know there is some iptables firewall script that is circulating widely (apparently from some HOW-TO, or possibly a book) that tells you to not log martians... DON'T KEEP PERPETUATING THAT FALLACY! Whoever wrote that clearly doesn't know much about security.
This is what I mean when I say the Linux community is like a giant game of "telephone". Someone reads some stuff on iptables and comes up with a script that works, they pass it to a friend, friend collects other stuff from other sources, puts it in the script, passes it on, etc... by the time it gets to the second or third person, no one really knows what they're doing, they just take stuff they read (but don't understand) and put it in the script. Sooner or later the script is on a site for download and people use it as a reference. No one ever checks the security credentials or experience of the people who wrote the script: Bad, BAD!
There's nothing wrong with Linux users helping each other out, but people, please be a little more critical of the advice you receive! Just because someone tells you something and it doesn't seem to crash your system right away, that doesn't mean it's a good idea, and you certainly should not tell other people to do it unless you understand exactly what you're saying.
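The two explanations for martians given above (a spoofed source versus a misconfigured device nearby) and the earlier point about the timing of the hits can both be checked from the log itself. The following is an added example, not code from any poster in this thread: it parses "martian source" kernel lines of the kind quoted, labels the claimed source address, and reports hit counts and spacing per interface. The sample log is constructed, the year is assumed (syslog lines carry none), and 203.0.113.47 stands in for the masked 207.*.*.* address.

```python
# Added example: triage "martian source" kernel messages. The kernel prints the
# packet's destination first and the offending source after "from".
import ipaddress
import re
from datetime import datetime

MARTIAN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"martian source (?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)"
)

# Constructed sample, modelled on the lines quoted in the thread; the eth1 line
# is an invented "misconfigured internal device" case (documentation/private ranges).
SAMPLE_LOG = """\
Jan 20 23:41:04 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:41:04 localhost kernel: ll header: 45:00:00:28
Jan 20 23:42:41 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 20 23:42:58 localhost kernel: martian source 81.135.30.166 from 127.0.0.1, on dev ppp0
Jan 28 20:02:30 server47 kernel: martian source 203.0.113.47 from 127.0.0.1, on dev eth0
Jan 28 20:03:29 server47 sshd(pam_unix)[9482]: check pass; user unknown
Jan 28 20:10:00 server47 kernel: martian source 203.0.113.47 from 192.168.5.20, on dev eth1
"""

def classify(src):
    """Label the claimed source the way an anti-spoofing filter would."""
    a = ipaddress.ip_address(src)
    if a.is_loopback:
        return "loopback (never valid on the wire: spoofed)"
    if a.is_private or a.is_link_local or a.is_unspecified or a.is_multicast:
        return "bogon/private (spoofed, or a misconfigured device nearby)"
    return "routable (compare against the routing table for that interface)"

def parse_martians(text, year=2004):
    """Return martian events as dicts; 'll header' and unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = MARTIAN_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "host": m["host"], "dst": m["dst"],
                           "src": m["src"], "dev": m["dev"]})
    return events

def summarize(events):
    """Group by (interface, claimed source): hit count and inter-arrival gaps in seconds."""
    groups = {}
    for e in events:
        groups.setdefault((e["dev"], e["src"]), []).append(e["ts"])
    report = {}
    for key, times in groups.items():
        times.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report[key] = {"hits": len(times), "gaps_s": gaps, "kind": classify(key[1])}
    return report

if __name__ == "__main__":
    for (dev, src), info in summarize(parse_martians(SAMPLE_LOG)).items():
        print(f"{dev}: {info['hits']} hit(s) claiming {src} [{info['kind']}] gaps={info['gaps_s']}")
```

Irregular gaps of tens of seconds between a handful of hits, as in the ppp0 group, are what the earlier "doesn't look like an automated scan" remark refers to; a private source on an internal interface points at case (b) rather than (a).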
Chort, I'm not sure who that is directed at, but I'm clearly not advocating that. In fact quite the opposite, in most cases it should raise a big red flag that either something nefarious is going on or that some application is broken.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Quote:
Originally posted by Pcghost Under the directory
This is a setting in iptables that can be disabled. It basically makes a log entry every time it receives a malformed or broken packet.
To disable logging of martian sources change the 1 to a 0 at the top of the following file.
/proc/sys/net/ipv4/log_martians
Sorry C_C, I was referring to this post (which by the way, is not factually correct--it has nothing to do with broken packets).
I'm getting really tired of security newbs telling each other to ignore martians when no one understands what they are or why they happen. Sorry, I'm just getting cranky in my old age
Edit: I edited the original post to include the quote that I was responding to. Sorry, that did look like it was directed at the wrong person.
PS C_C is obviously not a security newb. He knows what he's talking about
Distribution: Fedora, Debian, OpenSuSE and Android
Posts: 1,820
In response to your smiting, let me retort. I have been setting up iptables based firewalls for production machines for a couple of years now, without a single SUCCESSFUL intrusion, so let's keep the newbie cracks to yourself thank you.
The reason why I suggest disabling logging martians is simple. If your firewall is set up correctly, martians are harmless noise that will occur virtually every time you have iptables set up and a live Internet connection. The reason they are filling your logs is because they are being dropped. If you are ultra paranoid (not always a bad thing) leave it enabled, and chase every worm across the Internet for the rest of your career. If the question is "how do I get rid of them" the answer is disable the logging or hunt down every author of worms that utilize packet spoofing. If anyone has a better answer then please speak up, but insults are rarely necessary to answer a simple question....
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Erm, you're ignoring the fact that martians can come from INSIDE your network, not always outside. If you don't log martians, it will take you a lot longer to discover (if you ever do) that you have misconfigured devices internally. It's also a very good idea to log them if you have a wireless access point, so you get a heads up when people are trying to sneak on without permission.
That aside, what if your firewall is NOT setup correctly? I cannot count the number of totally flawed iptables scripts I've seen, because it seems like every newbie and his mouse are posting iptables scripts for people to download. If the first thing the script does is to turn off debugging information, you're going to have a false sense of security.
Last, I have a bogon filter on my firewall and anti-spoofing on every interface. The only time I get martians (well, not using Linux so they aren't called "martians", but you get the idea) is when I move a laptop between the LAN and the DMZ and forget to re-IP it, and all of once did my firewall log external martians (before this ISS PAM exploit worm, that is) but even this worm is barely causing a blip in my firewall log compared to the normal cruft I get (and that's even with all Microsoft service ports dropped w/o logging).
The problem is that Linux puts the firewall logs in the kernel log, which really clutters things up. On OpenBSD there's a completely separate log for such things. The only time I see things show up in my kernel log is if a physically connected device tries to tell me it's from an IP outside of my subnet (which happened when my ISP misconfigured their new router; imagine their reaction when I politely informed them that their router was not setup correctly... but hey, at least they fixed it). Other than a problem with your ISP, that would never happen.