Suspicious messages from SuSE-Firewall2 to look out for?
From a while ago, I have been getting the following console message (also in /var/log/messages) almost every day. When it happens, it shows on the console in bursts.
==============================================================
Jan 9 21:58:29 bellini kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:20:a6:46:b3:cd:08:00 SRC=0.0.0.0
DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=15 ID=36934 PROTO=UDP
SPT=68 DPT=67 LEN=556
Jan 9 21:58:37 bellini kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:20:a6:46:b3:cd:08:00 SRC=0.0.0.0
DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=15 ID=36935 PROTO=UDP
SPT=68 DPT=67 LEN=556
Jan 9 21:58:44 bellini kernel: SuSE-FW-ACCEPT IN=eth0 OUT=
MAC=00:10:4b:c6:f4:46:00:06:52:4e:b1:8a:08:00 SRC=217.9.113.69
DST=18.62.3.197 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=36051 DF PROTO=TCP
SPT=3179 DPT=25 WINDOW=32120 RES=0x00 SYN URGP=0 OPT
(020405B40402080A503A5E290000000001030300)
Jan 9 21:58:52 bellini kernel: SuSE-FW-ILLEGAL-TARGET IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:60:97:7f:8e:53:08:00 SRC=18.62.0.228
DST=18.62.0.0 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=8759 PROTO=UDP
SPT=1955 DPT=111 LEN=108
Jan 9 21:58:53 bellini kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:20:a6:46:b3:cd:08:00 SRC=0.0.0.0
DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=15 ID=36936 PROTO=UDP
SPT=68 DPT=67 LEN=556
====================================================================
What is going on? Is anybody from the "SRC" site attacking my linux box or what?
nslookup 18.62.0.228
shows a normally-looking output as follows:
Note: nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead. Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
Server: 18.70.0.160
Address: 18.70.0.160#53
228.0.62.18.in-addr.arpa name =
I am the original poster. One more thing to add: What is meant by SuSE-FW-DROP-ANTI-SPOOFING?
Jan 9 22:06:55 bellini kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=18.62.3.197 DST=18.62.255.255 LEN=246 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=226
Jan 9 22:06:55 bellini kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=18.62.3.197 DST=18.62.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 9 22:06:56 bellini kernel: SuSE-FW-ILLEGAL-TARGET IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:60:97:7f:8e:53:08:00 SRC=18.62.0.228 DST=18.62.0.0 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=8845 PROTO=UDP SPT=1962 DPT=111 LEN=108
Thanks.
On 2003-01-09 (Thu) 22:10, ghugh Song wrote:
From a while ago, I have been getting the following console message (also in /var/log/messages) almost every day. When it happens, it shows on the console in bursts.
==============================================================
Jan 9 21:58:29 bellini kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:a6:46:b3:cd:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=15 ID=36934 PROTO=UDP SPT=68 DPT=67 LEN=556
Jan 9 21:58:37 bellini kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:a6:46:b3:cd:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=15 ID=36935 PROTO=UDP SPT=68 DPT=67 LEN=556
Jan 9 21:58:44 bellini kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:10:4b:c6:f4:46:00:06:52:4e:b1:8a:08:00 SRC=217.9.113.69 DST=18.62.3.197 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=36051 DF PROTO=TCP SPT=3179 DPT=25 WINDOW=32120 RES=0x00 SYN URGP=0 OPT (020405B40402080A503A5E290000000001030300)
Jan 9 21:58:52 bellini kernel: SuSE-FW-ILLEGAL-TARGET IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:60:97:7f:8e:53:08:00 SRC=18.62.0.228 DST=18.62.0.0 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=8759 PROTO=UDP SPT=1955 DPT=111 LEN=108
Jan 9 21:58:53 bellini kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:a6:46:b3:cd:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=15 ID=36936 PROTO=UDP SPT=68 DPT=67 LEN=556
====================================================================
What is going on? Is anybody from the "SRC" site attacking my linux box or what?
nslookup 18.62.0.228
shows a normally-looking output as follows:
Note: nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead. Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
Server: 18.70.0.160
Address: 18.70.0.160#53
228.0.62.18.in-addr.arpa name =
.MIT.EDU.
Thanks a lot.
G. H. S.
* ghugh Song;
I am the original poster. One more thing to add: What is meant by SuSE-FW-DROP-ANTI-SPOOFING?
Take a look at the SuSEFirewall2 documentation at http://sourceforge.net/projects/susefaq; Chapter 7 deals with Logs.
--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
The 03.01.09 at 22:10, ghugh Song wrote:
From a while ago, I have been getting the following console message (also in /var/log/messages) almost every day. When it happens, it shows on the console in bursts.
Jan 9 21:58:29 bellini kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:a6:46:b3:cd:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=15 ID=36934 PROTO=UDP SPT=68 DPT=67 LEN=556
First note that it is coming from your ethernet (local?) network, and that it doesn't have an IP: it is a broadcast. Then notice the ports used, and look them up in /etc/services:
bootps 67/udp # Bootstrap Protocol Server
bootpc 68/udp # Bootstrap Protocol Client
You have a machine in your LAN with the above MAC (Ethernet addr) which is broadcasting a request to any dhcp server to give him an IP. If your linux machine is the dhcpd server, allow it on the firewall. Or do you have a DSL router connected to your ethernet port?
Jan 9 21:58:37 bellini kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:a6:46:b3:cd:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=15 ID=36935 PROTO=UDP SPT=68 DPT=67 LEN=556
Same thing, some seconds later.
Jan 9 21:58:44 bellini kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:10:4b:c6:f4:46:00:06:52:4e:b1:8a:08:00 SRC=217.9.113.69 DST=18.62.3.197 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=36051 DF PROTO=TCP SPT=3179 DPT=25 WINDOW=32120 RES=0x00 SYN URGP=0 OPT (020405B40402080A503A5E290000000001030300)
This is a mail transfer attempt (smtp).
Jan 9 21:58:52 bellini kernel: SuSE-FW-ILLEGAL-TARGET IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:60:97:7f:8e:53:08:00 SRC=18.62.0.228 DST=18.62.0.0 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=8759 PROTO=UDP SPT=1955 DPT=111 LEN=108
111: SUN Remote Procedure Call
Jan 9 21:58:53 bellini kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:a6:46:b3:cd:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=15 ID=36936 PROTO=UDP SPT=68 DPT=67 LEN=556
dhcp or bootstrap. Which is your IP number? I see you get at least two packets destined for different IPs, and I don't know which one, if any, is yours.
What is going on? Is anybody from "SRC" site attacking my linux box or what?
From the above, I can't say, but I don't think so; it seems like normal traffic on an ethernet to me.
--
Cheers,
Carlos Robinson
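As an added example (not code from anyone in this thread), a small Python parser that reads SuSE-FW kernel log lines like the ones above and labels them the way the reply reads the ports, via /etc/services (67/68 bootp, 25 smtp, 111 sunrpc, 137/138 netbios); the sample lines are copied from the messages in this thread, and the label text is the example's own.

```python
import re
from collections import Counter
# Sample input: four SuSE-FW kernel log lines copied from this thread.
SAMPLE_LOG = """\
Jan 9 21:58:29 bellini kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:a6:46:b3:cd:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=15 ID=36934 PROTO=UDP SPT=68 DPT=67 LEN=556
Jan 9 21:58:44 bellini kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:10:4b:c6:f4:46:00:06:52:4e:b1:8a:08:00 SRC=217.9.113.69 DST=18.62.3.197 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=36051 DF PROTO=TCP SPT=3179 DPT=25 WINDOW=32120 RES=0x00 SYN URGP=0 OPT (020405B40402080A503A5E290000000001030300)
Jan 9 21:58:52 bellini kernel: SuSE-FW-ILLEGAL-TARGET IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:60:97:7f:8e:53:08:00 SRC=18.62.0.228 DST=18.62.0.0 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=8759 PROTO=UDP SPT=1955 DPT=111 LEN=108
Jan 9 22:06:55 bellini kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=18.62.3.197 DST=18.62.255.255 LEN=246 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=226
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
                     r"(?P<tag>SuSE-FW-[A-Z-]+) (?P<rest>.*)$")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")   # KEY=value tokens; value may be empty (OUT=, MAC=)
FLAGS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # bare tokens without '='

def parse_line(line):
    """Return a dict of fields for one SuSE-FW line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    rec = {"ts": m.group("ts"), "host": m.group("host"), "tag": m.group("tag"),
           "flags": [t for t in rest.split() if t in FLAGS]}
    for key, val in KV_RE.findall(rest):
        rec.setdefault(key, val)  # LEN appears twice (IP total, then UDP/TCP); keep the first
    return rec

def classify(rec):
    """Label a record by its ports, following the reply above and /etc/services."""
    proto, spt, dpt = rec.get("PROTO"), rec.get("SPT"), rec.get("DPT")
    to_bcast_mac = rec.get("MAC", "").startswith("ff:ff:ff:ff:ff:ff")
    if proto == "UDP" and spt == "68" and dpt == "67" and rec.get("SRC") == "0.0.0.0":
        return "DHCP/BOOTP client discover (bootpc 68 -> bootps 67) broadcast from a LAN host"
    if proto == "TCP" and dpt == "25" and "SYN" in rec["flags"]:
        return "inbound SMTP connection attempt (TCP SYN to port 25)"
    if proto == "UDP" and dpt == "111":
        return "sunrpc/portmapper request (udp 111)" + (" to a broadcast MAC" if to_bcast_mac else "")
    if proto == "UDP" and dpt in ("137", "138"):
        return "NetBIOS name/datagram service broadcast (udp 137/138)"
    return "unclassified; check DPT against /etc/services"

def summarize(log_text):
    """Count (firewall tag, label) pairs over a log excerpt, skipping non-SuSE-FW lines."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["tag"], classify(rec))] += 1
    return counts
```

Run `summarize(open("/var/log/messages").read())` to get a count per tag and label, so a burst of DROP-DEFAULT lines that are all DHCP broadcasts stands out from anything unclassified.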
participants (3)
- Carlos E. R.
- ghugh Song
- Togan Muftuoglu