
Re: [cobalt-users] RaQ2 ipfwadm question



At 12:24 PM 5/1/2003 -0700, you wrote:
On Thu, 1 May 2003, Glenn Parsons wrote:
>
> My logcheck reports are not reporting port violations from my ipfwadm
> configuration:
>
> Apr 30 22:46:40 ns kernel: IP fw-in deny eth0 TCP 207.178.136.130:0
> 208.21.174.3:0 L=0 S=0x00 I=0 F=0x0000 T=0
>
> See how the incoming and received port is not reported? Is this normal? Is
> this a misconfiguration on my part? Is it ipfwadm or is it logcheck?
>

Looks to me like the ports _are_ reported... you're just
receiving funky packets.  Think: malware.

Now, if _every_ entry looks that way, I'd agree that something
isn't working correctly.  Try connecting to a forbidden port from
your home connection, and see what gets logged.


Eddy

This is me from home on my DSL connection trying ftp (I'm not at home, but..):

May 1 12:42:19 ns kernel: IP fw-in deny eth0 TCP 65.40.65.94:0 208.21.174.3:0 L=0 S=0x00 I=0 F=0x0000 T=0

  Is logcheck configured to parse the kernel log, /var/log/kernel?

Gerald

No. It's the same standard /usr/local/etc/logcheck.sh that is installed by default. Assuming that it sees this odd MIPSel Cobalt OS as RedHat:

# Linux Red Hat Version 3.x, 4.x
$LOGTAIL /var/log/messages > $TMPDIR/check.$$
$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$

I didn't modify anything in the script other than the email address. Notice that my other Intel-based (AMD) machines report exactly the same way, except they give the port for the violation:

May 1 12:13:08 mockups kernel: Packet log: input DENY eth0 PROTO=6 217.83.0.66:3460 208.21.174.6:21 L=52 S=0x01 I=49613 F=0x4000 T=119 SYN (#41)

And what is the deal with all the bogus European ftp hits since yesterday???

Thanks,
Glenn Parsons
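As an added illustration (not code from the thread, from logcheck or from Cobalt), a small Python parser for both ipfwadm log forms quoted above: it extracts the ports and packet length from each line and separates real port hits from the zero-length, port-0 entries the RaQ2 kernel is producing, which is the quickest way to check Eddy's point about whether _every_ entry looks that way. The sample lines are constructed from the examples in the thread.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the two log formats quoted in the thread.
SAMPLE_LOG = """\
Apr 30 22:46:40 ns kernel: IP fw-in deny eth0 TCP 207.178.136.130:0 208.21.174.3:0 L=0 S=0x00 I=0 F=0x0000 T=0
May 1 12:42:19 ns kernel: IP fw-in deny eth0 TCP 65.40.65.94:0 208.21.174.3:0 L=0 S=0x00 I=0 F=0x0000 T=0
May 1 12:13:08 mockups kernel: Packet log: input DENY eth0 PROTO=6 217.83.0.66:3460 208.21.174.6:21 L=52 S=0x01 I=49613 F=0x4000 T=119 SYN (#41)
May 1 12:13:09 mockups kernel: Packet log: input DENY eth0 PROTO=6 217.83.0.66:3461 208.21.174.6:21 L=52 S=0x01 I=49614 F=0x4000 T=119 SYN (#42)
"""

# "IP fw-in deny ..." form (the RaQ2 kernel) and "Packet log: input DENY ..." form
# (the Intel boxes); both carry src:port dst:port and L=<length>.
OLD_STYLE = re.compile(
    r"IP fw-(?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+)")
NEW_STYLE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+)")
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}  # numeric PROTO= to the old form's name

def parse_line(line):
    """Return the firewall fields as a dict, or None for a non-firewall line."""
    m = OLD_STYLE.search(line) or NEW_STYLE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["proto"] = PROTO_NAMES.get(d["proto"], d["proto"])
    for k in ("sport", "dport", "length"):
        d[k] = int(d[k])
    return d

def is_empty_header(entry):
    """True when the kernel logged no usable header: zero length and both ports zero.
    A real SYN to a closed port has L>0 and a non-zero destination port."""
    return entry["length"] == 0 and entry["sport"] == 0 and entry["dport"] == 0

def summarize(log_text):
    """Count denied hits per (proto, dport); count empty-header entries separately."""
    ports, empty = Counter(), 0
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e["action"].lower() != "deny":
            continue
        if is_empty_header(e):
            empty += 1
        else:
            ports[(e["proto"], e["dport"])] += 1
    return ports, empty
```

If summarize() reports only empty-header entries for a host, the logging path on that box is what needs looking at, not the traffic.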