LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-12-2004, 08:43 AM   #1
ryedunn
Member
 
Registered: Jul 2003
Location: Chicago
Distribution: Fedora, ubuntu
Posts: 459

Rep: Reputation: 30
Thousands of the same kernel errors


I have thousands of these... they are appearing every .02 seconds

/var/log/kernel/warnings

Oct 12 08:37:25 empiricus kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:22:5e:02:08:00 SRC=10.164.192.1 DST=255.255.255.255 LEN=340 TOS=0x00 PREC=0x00 TTL=64 ID=60196 PROTO=UDP SPT=67 DPT=68 LEN=320
Oct 12 08:37:27 empiricus kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:22:5e:02:08:00 SRC=10.164.192.1 DST=255.255.255.255 LEN=340 TOS=0x00 PREC=0x00 TTL=64 ID=60225 PROTO=UDP SPT=67 DPT=68 LEN=320
Oct 12 08:37:31 empiricus kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:22:5e:02:08:00 SRC=10.164.192.1 DST=255.255.255.255 LEN=341 TOS=0x00 PREC=0x00 TTL=64 ID=60289 PROTO=UDP SPT=67 DPT=68 LEN=321
Oct 12 08:37:31 empiricus kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:22:5e:02:08:00 SRC=10.164.192.1 DST=255.255.255.255 LEN=339 TOS=0x00 PREC=0x00 TTL=64 ID=60297 PROTO=UDP SPT=67 DPT=68 LEN=319
Oct 12 08:37:32 empiricus kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:22:5e:02:08:00 SRC=10.164.192.1 DST=255.255.255.255 LEN=342 TOS=0x00 PREC=0x00 TTL=64 ID=60303 PROTO=UDP SPT=67 DPT=68 LEN=322


Where and why is this happening?
The GNUbie
 
Old 10-12-2004, 08:48 AM   #2
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
These look like IPTABLES logs for DHCP requests/replies. Do you have DHCP enabled? If not, it's probably a good idea to shut down the dhclient daemon (or whatever daemon you use for DHCP). You could also simply tell your firewall to drop these packets rather than logging them.
 
Old 10-12-2004, 08:59 AM   #3
ryedunn
Member
 
Registered: Jul 2003
Location: Chicago
Distribution: Fedora, ubuntu
Posts: 459

Original Poster
Rep: Reputation: 30
I don't use DHCP and it doesn't appear it's running.

I'm still new, not to mention terrible at ipchains, could you point me in the right direction on how to drop these packets?

Also, in the log, " SRC=10.164.192.1 " What is that? It's not any of my IP addresses.....

Thanks for your help
TheGNUbie
 
Old 10-12-2004, 09:27 AM   #4
ryedunn
Member
 
Registered: Jul 2003
Location: Chicago
Distribution: Fedora, ubuntu
Posts: 459

Original Poster
Rep: Reputation: 30
ipchains -A input -p udp -i <interface> -s 0.0.0.0/0 67:68 -j DENY
ipchains -A input -p tcp -i <interface> -s 0.0.0.0/0 67:68 -j DENY


Correct?
 
Old 10-12-2004, 09:30 AM   #5
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Quote:
Originally posted by ryedunn
I don't use DHCP and it doesn't appear it's running.

I'm still new, not to mention terrible at ipchains, could you point me in the right direction on how to drop these packets?

Also, in the log, " SRC=10.164.192.1 " What is that? It's not any of my IP addresses.....

Thanks for your help
TheGNUbie
Well the source is a private IP address, meaning it can't be routed from the internet. Are you on a large private network (e.g. an ISP)? It's probably a DHCP server from your ISP broadcasting its presence (this is indicated by the destination IP 255.255.255.255).

Easiest way to get rid of it would be to add an iptables rule along the lines of
Code:
iptables -A INPUT -p udp -d 255.255.255.255 --dport 68 -j DROP
This will drop only the DHCP broadcast messages from the network (meaning you could still obtain an IP via DHCP if you needed to). Probably a good idea to put this line in your firewall script. If you don't have one of these, check out http://www.linuxguruz.com/iptables/
 
Old 10-12-2004, 09:46 AM   #6
ryedunn
Member
 
Registered: Jul 2003
Location: Chicago
Distribution: Fedora, ubuntu
Posts: 459

Original Poster
Rep: Reputation: 30
thanks for the link, I will definitely have to check that out.

After adding the line and restarting rc.firewall, it appears the messages are still being logged.

Would my other entries conflict with this?

Code:
# log anything not from loopback, rate limited, then drop it
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP

# DHCP broadcast drop, appended after the catch-all rules above
$IPTABLES -A INPUT -p udp -d 255.255.255.255 --dport 68 -j DROP
 
Old 10-12-2004, 10:17 AM   #7
ryedunn
Member
 
Registered: Jul 2003
Location: Chicago
Distribution: Fedora, ubuntu
Posts: 459

Original Poster
Rep: Reputation: 30
OK, I switched the order, and it looks like it's dropping the packets now.

Thank you.
 
Old 10-12-2004, 03:52 PM   #8
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Quote:
Originally posted by ryedunn
Code:
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP

$IPTABLES -A INPUT -p udp -d 255.255.255.255 --dport 68 -j DROP
The first line of this code is what is causing the logs. What that line says is "If I get more than 3 packets in a second on an interface other than the loopback device, log it" Consider adding log prefixes to this line so at least you know what is causing it in the future:
Code:
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG --log-prefix "LIMIT VIOLATION: "
Quote:
Originally posted by ryedunn
Code:
$IPTABLES -A INPUT -i ! lo -j DROP
Are you able to get to anything on the net from this box? This line is telling your system to drop anything coming in unless it's from the loopback device. This would also include established/related packets (unless, of course, this isn't your entire script )!
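As an added illustration of posts #5 to #8 (this is not code from the thread), the Python script below parses the kernel log lines quoted above into fields, classifies the DHCP server broadcasts, and walks the posted INPUT rules in both orders to show why the DHCP DROP only silences the log when it comes before the catch-all LOG rule. The third sample line (an SSH packet) and the chain simulator are constructed for this example; the `-m limit` rate cap is left out because the broadcasts arrive seconds apart.

```python
import re
# Constructed sample: two kernel log lines quoted in this thread plus one
# made-up SSH line, so a packet the DHCP rule must not touch is present.
SAMPLE_LOG = """\
Oct 12 08:37:25 empiricus kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:22:5e:02:08:00 SRC=10.164.192.1 DST=255.255.255.255 LEN=340 TOS=0x00 PREC=0x00 TTL=64 ID=60196 PROTO=UDP SPT=67 DPT=68 LEN=320
Oct 12 08:37:27 empiricus kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:22:5e:02:08:00 SRC=10.164.192.1 DST=255.255.255.255 LEN=340 TOS=0x00 PREC=0x00 TTL=64 ID=60225 PROTO=UDP SPT=67 DPT=68 LEN=320
Oct 12 08:37:31 empiricus kernel: IN=eth0 OUT= MAC=00:01:5c:22:5e:02:00:0c:29:aa:bb:cc:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Split one netfilter LOG line into its KEY=VALUE fields."""
    fields = {}
    for key, value in FIELD.findall(line.split("kernel: ", 1)[1]):
        fields.setdefault(key, value)  # first LEN is the IP total length
    return fields

def is_dhcp_broadcast(p):
    """DHCP server->client (sport 67 -> dport 68) to the broadcast address."""
    return (p.get("PROTO") == "UDP" and p.get("SPT") == "67"
            and p.get("DPT") == "68" and p.get("DST") == "255.255.255.255")

def not_loopback(p):  # the posted "-i ! lo" match
    return p.get("IN") != "lo"
def is_ssh(p):  # the posted "-p tcp --dport 22" ACCEPT match
    return p.get("PROTO") == "TCP" and p.get("DPT") == "22"

def run_chain(rules, packets):
    """First-match walk of an INPUT chain, policy ACCEPT. LOG is non-terminating
    (record the packet, keep going); -m limit is omitted, rate is well under 3/s."""
    verdicts, logged = [], []
    for p in packets:
        verdict = "ACCEPT"
        for match, target in rules:
            if not match(p):
                continue
            if target == "LOG":
                logged.append(p)
                continue
            verdict = target
            break
        verdicts.append(verdict)
    return verdicts, logged

# Post #6 order: the DHCP DROP sits behind the catch-all LOG and DROP.
POSTED_ORDER = [(is_ssh, "ACCEPT"), (not_loopback, "LOG"),
                (not_loopback, "DROP"), (is_dhcp_broadcast, "DROP")]
# Post #7 order: the DHCP DROP comes first, so those packets never hit LOG.
FIXED_ORDER = [(is_dhcp_broadcast, "DROP"), (is_ssh, "ACCEPT"),
               (not_loopback, "LOG"), (not_loopback, "DROP")]
```

Both orders end with the same verdicts (the broadcasts are dropped either way); the difference is only whether they pass through the LOG rule first, which is exactly what filled /var/log/kernel/warnings.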
 
Old 10-12-2004, 04:44 PM   #9
ryedunn
Member
 
Registered: Jul 2003
Location: Chicago
Distribution: Fedora, ubuntu
Posts: 459

Original Poster
Rep: Reputation: 30
I will try your suggestion. Here is my full rc.firewall.
Any suggestions are greatly appreciated.

Code:
#!/bin/sh

IPTABLES=/sbin/iptables

#flush existing rules
$IPTABLES -F INPUT

#This allows all data that has been sent out for the computer running the
#firewall to come back (for all of ICMP/TCP/UDP). For example, if a ping
#request is made it will allow the reply back
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p udp

#Accept everything from eth1
$IPTABLES -A INPUT -i eth1 -j ACCEPT

#Allow incoming SSH requests
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

#Allow incoming HTTP requests (to Web server)
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

#Allow port 25 for SMTP and 110 for POP3
#$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT

#Allow port 10000 for Webmin
$IPTABLES -A INPUT -p tcp --dport 10000 -j ACCEPT

#Allow incoming VNC requests
$IPTABLES -A INPUT -p tcp --dport 5901 -j ACCEPT

#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT

#Drop and log all other data
#The LOG rule is rate limited: at most 3 log entries per second on average,
#with a burst of 5. Packets beyond that rate are still dropped by the next
#rule, just not logged. This keeps a flood from filling the log.
#"-i ! lo" is the old negation syntax; newer iptables releases want "! -i lo".
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG --log-prefix "LIMIT VIOLATION: "
$IPTABLES -A INPUT -i ! lo -j DROP

#The logs from the firewall are put into your system log file, which can be
#found at /var/log/syslog
 
Old 10-12-2004, 09:08 PM   #10
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Well, this leaves a lot of things completely wide open. What makes a firewall "good" is highly dependent on what you need it to do. As a rule of thumb, a packet should be dropped unless explicitly allowed by the firewall. Reading through the firewalls in the link above will give you a better understanding of what you need in a firewall.