LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 06-28-2005, 11:04 PM   #1
tangle
Senior Member
 
Registered: Apr 2002
Location: Arbovale, WV
Distribution: Slackware
Posts: 1,761

Rep: Reputation: 78
Weird MAC address in logs


I get a lot of these messages in my log files.
Jun 28 22:08:19 websrv2 kernel: fp=INPUT:99 a=DROP IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:0f:66:5a:ea:7b:08:00 SRC=192.168.0.254 DST=192.168.0.255
LEN=173 TOS=0x00 PREC=0x00 TTL=150 ID=7609 PROTO=UDP SPT=7948 DPT=162 LEN=153

The port changes, but everything else is the same. I have a Linksys router attached to a DSL modem. Is there a way to block this or have it not log with my iptables script? Thanks
 
Old 06-28-2005, 11:36 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
It's a UDP broadcast packet. The dst MAC (ff:ff:ff:ff:ff:ff) just signifies it's broadcast, but does the other MAC look familiar: 00:0f:66:5a:ea:7b? Looks like it belongs to a Linksys NIC and it also has the weird Linksys TTL (150), so it's likely your router. You can block those messages by dropping broadcasts from the router, which may interfere with DHCP/BOOTP, so fixing your logging rule is probably a better idea. Might help if you posted your firewall script or at least the LOG rules from it.
 
Old 06-29-2005, 07:35 AM   #3
tangle
Senior Member
 
Registered: Apr 2002
Location: Arbovale, WV
Distribution: Slackware
Posts: 1,761

Original Poster
Rep: Reputation: 78
I thought it was the router. I'll post my firewall script and such tonight after work.
 
Old 06-29-2005, 06:14 PM   #4
tangle
Senior Member
 
Registered: Apr 2002
Location: Arbovale, WV
Distribution: Slackware
Posts: 1,761

Original Poster
Rep: Reputation: 78
Here is my firewall script. I removed all the comments.

Code:
SYSCTL="/sbin/sysctl -w" 

IPT="/usr/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"

INET_IFACE="eth0"
INET_ADDRESS="192.168.0.5"

LO_IFACE="lo"
LO_IP="127.0.0.1"

if [ "$1" = "save" ]
then
	echo -n "Saving firewall to /etc/sysconfig/iptables ... "
	$IPTS > /etc/sysconfig/iptables
	echo "done"
	exit 0
elif [ "$1" = "restore" ]
then
	echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
	$IPTR < /etc/sysconfig/iptables
	echo "done"
	exit 0
fi

/sbin/modprobe ip_tables

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
    $SYSCTL net.ipv4.tcp_syncookies="1"
fi

if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
fi

if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi

if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi

if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi

if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
    $SYSCTL net.ipv4.conf.all.log_martians="1"
fi

$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

if [ "$1" = "stop" ]
then
	echo "Firewall completely flushed!  Now running with no firewall."
	exit 0
fi

$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound

$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
    --log-prefix "fp=bad_packets:1 a=DROP "

$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP

$IPT -A bad_packets -p tcp -j bad_tcp_packets

$IPT -A bad_packets -p ALL -j RETURN

$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "fp=bad_tcp_packets:1 a=DROP "

$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

$IPT -A bad_tcp_packets -p tcp -j RETURN

$IPT -A icmp_packets --fragment -p ICMP -j LOG \
    --log-prefix "fp=icmp_packets:1 a=DROP "

$IPT -A icmp_packets --fragment -p ICMP -j DROP

$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP

$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

$IPT -A icmp_packets -p ICMP -j RETURN

$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP

$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP

$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j REJECT

$IPT -A udp_inbound -p UDP -j RETURN

$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT

$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 443 -j ACCEPT

$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT

$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT

$IPT -A tcp_inbound -p TCP -j RETURN

$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

$IPT -A INPUT -p ALL -j bad_packets

$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
     -j ACCEPT

$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound

$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound

$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

$IPT -A INPUT -p ALL -d 255.255.255.255 -j DROP

$IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "

$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT

$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

$IPT -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "
Here is my syslog.conf file. Again I removed the comments.

Code:
*.info;*.!warn;\
	authpriv.none;cron.none;mail.none;news.none	-/var/log/messages

*.warn;\
	authpriv.none;cron.none;mail.none;news.none	-/var/log/syslog

*.=debug						-/var/log/debug

authpriv.*						-/var/log/secure

cron.*							-/var/log/cron

mail.*							-/var/log/maillog

*.emerg							*

uucp,news.crit						-/var/log/spooler
 
Old 06-29-2005, 11:59 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Just add a rule that accepts broadcast packets from your router sometime before this rule:
$IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "

something like this should work:
$IPT -A INPUT -s 192.168.0.254 -d 192.168.0.255 -j ACCEPT

You can probably use the REJECT target instead, since those packets are already getting dropped anyway. Just make sure to add that rule before the LOG rule.
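Added example, not code from the thread: a small Python helper that decodes the MAC= field the way post #2 reads it (destination MAC, source MAC, EtherType) and then walks a simplified model of the tail of the poster's INPUT chain, showing why the directed broadcast to 192.168.0.255 fell through to the catch-all LOG rule while 255.255.255.255 was dropped silently, and how the rule suggested in post #5 catches it first. The log line is reconstructed from post #1; `rule_matches` is a deliberately simplified matcher (address or CIDR for -s/-d, exact -p and --dport), not real iptables semantics.

```python
import ipaddress
import re

# Constructed sample, shaped like the line the original poster quoted from /var/log/messages.
SAMPLE = ("Jun 28 22:08:19 websrv2 kernel: fp=INPUT:99 a=DROP IN=eth0 OUT= "
          "MAC=ff:ff:ff:ff:ff:ff:00:0f:66:5a:ea:7b:08:00 SRC=192.168.0.254 "
          "DST=192.168.0.255 LEN=173 TOS=0x00 PREC=0x00 TTL=150 ID=7609 "
          "PROTO=UDP SPT=7948 DPT=162 LEN=153")

FIELD_RE = re.compile(r"(\w+)=(\S*)")   # KEY=VALUE tokens; OUT= yields an empty value
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

def parse_log_line(line):
    """Split an iptables LOG line into KEY=VALUE fields and decode MAC=."""
    fields = dict(FIELD_RE.findall(line))   # a repeated key (LEN) keeps the last value
    # The LOG target prints the 14-byte Ethernet header as one colon-separated string:
    # 6 octets destination MAC, 6 octets source MAC, 2 octets EtherType.
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:
        fields["MAC_DST"] = ":".join(octets[:6])
        fields["MAC_SRC"] = ":".join(octets[6:12])
        fields["ETHERTYPE"] = "0x" + "".join(octets[12:])   # 0x0800 = IPv4
    fields["BROADCAST"] = fields.get("MAC_DST") == BROADCAST_MAC
    return fields

def rule_matches(rule, pkt):
    """Simplified iptables match (hypothetical helper): -s/-d take an address or CIDR."""
    for opt, key in (("s", "SRC"), ("d", "DST")):
        if opt in rule:
            net = ipaddress.ip_network(rule[opt], strict=False)
            if key not in pkt or ipaddress.ip_address(pkt[key]) not in net:
                return False
    if "p" in rule and pkt.get("PROTO", "").lower() != rule["p"].lower():
        return False
    if "dport" in rule and pkt.get("DPT") != str(rule["dport"]):
        return False
    return True

def first_target(chain, pkt):
    """Walk an ordered rule list and return the target (-j) of the first match."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule["j"]
    return None

# Tail of the poster's INPUT chain: the limited broadcast 255.255.255.255 is dropped
# silently, but the directed broadcast to 192.168.0.255 reaches the catch-all LOG rule.
ORIGINAL_TAIL = [{"d": "255.255.255.255", "j": "DROP"}, {"j": "LOG"}]
# Same tail with the rule from post #5 placed ahead of the LOG rule.
PATCHED_TAIL = [{"s": "192.168.0.254", "d": "192.168.0.255", "j": "ACCEPT"}] + ORIGINAL_TAIL
```

Running `first_target` over both tails with the parsed sample packet returns LOG for the original ordering and ACCEPT for the patched one, which is exactly the change the thread converged on.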
 
Old 06-30-2005, 12:14 AM   #6
tangle
Senior Member
 
Registered: Apr 2002
Location: Arbovale, WV
Distribution: Slackware
Posts: 1,761

Original Poster
Rep: Reputation: 78
Thanks, I'll give it a go here in a second.
 
Old 06-30-2005, 05:54 PM   #7
tangle
Senior Member
 
Registered: Apr 2002
Location: Arbovale, WV
Distribution: Slackware
Posts: 1,761

Original Poster
Rep: Reputation: 78
That worked great, thanks for the info.
 