Re: [suse-security] Odd FW Log
On Wednesday 31 March 2004 08:12, Tom Knight wrote:
> I'm seeing odd things in my FW log.
> No, my machine isn't called xxx. The same goes for the IP/MAC address.
Yea, I know, Your real MAC is 00:0f:1f:02:28:80:00:09:11:7a:20:00:08:00 =D
> Any ideas?
Yes, have you done a ping on that IP to see if it's running or not? Done a whois on it to get the admin info so you can send him these logs? If you are really bothered by this, send the logs to the admin after doing a whois.
> ---------------
> Tom Knight
> System Administration Officer
> Arts & Humanities Data Service
> Web: http://www.ahds.ac.uk
> Email: tom.knight@ahds.ac.uk
> Tel: (0)20 7928 7371
--
____________________________________________
http://www.linux.org http://www.bsd.org http://www.suse.com http://www.slackware.org http://www.irssi.org http://www.antionline.com http://www.cannibalholocaust.net http://www.misfits.com http://www.onethirtyeight.net
> > Any ideas?
>
> Yes, have you done a ping on that IP to see if it's running or not? Done a whois on it to get the admin info so you can send him these logs? If you are really bothered by this, send the logs to the admin after doing a whois.
Heh... I'm tired of telling (for example) some Chinese ISP to crack down on its users. I generally only complain to universities or (some) UK ISPs now, as I feel I can get somewhere with them. In all honesty I don't often bother checking who's scanning me these days, unless they're being really blatant about it.

I *don't* mind being scanned, it's "one of those things". I *do* mind my firewall logs telling me it's letting packets through that it shouldn't - that was what my question was about, after all....

I can send my (comments removed) FW config if anyone wants a look....

Ta,
Tom.
> I *don't* mind being scanned, it's "one of those things". I *do* mind my firewall logs telling me it's letting packets through that it shouldn't - that was what my question was about, after all....
>
> I can send my (comments removed) FW config if anyone wants a look....
Maybe you want to tell (again?) which version of SuSEfirewall2 you are using. I think there was a buglet at some point with the log prefix saying "ACCEPT" where it should have said "LOG", but it did the right thing anyway. (I may remember wrong, of course)

Lars Ellenberg
-----Original Message-----
From: l.g.e@web.de [mailto:l.g.e@web.de]
Sent: 02 April 2004 10:33
To: suse-security@suse.com
Subject: Re: [suse-security] Odd FW Log
> > I *don't* mind being scanned, it's "one of those things". I *do* mind my firewall logs telling me it's letting packets through that it shouldn't - that was what my question was about, after all....
> >
> > I can send my (comments removed) FW config if anyone wants a look....
>
> Maybe you want to tell (again?) which version of SuSEfirewall2 you are using. I think there was a buglet at some point with the log prefix saying "ACCEPT" where it should have said "LOG", but it did the right thing anyway. (I may remember wrong, of course)
I didn't say (oops) that it's SuSEfirewall2 v3.1.

Your logging bug suggestion ties in with Joe Morris' email. I'll assume it is a log problem, but have a service running on port 1433 and see if it does actually get any packets when the FW says "ACCEPT".

Thanks,
Tom.

PS:
* SuSE support say "go to YOU and ensure you have the latest", even though I told them I've done that.
* The SuSE portal has no record of any such FW bugs like this, as far as I can see.
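Added example, not part of the thread or of SuSEfirewall2 itself: the point Lars raises (a LOG rule whose prefix says "ACC"/"ACCEPT" while the packet is still dropped further down the chain) can be checked without waiting for live traffic, by replaying a packet through the ruleset as `iptables-save` prints it. The script below parses a constructed, simplified ruleset in that syntax (the chain names, prefixes and the port 1433 rule are made up for illustration; real SuSEfirewall2 output uses more match options than this parser accepts, and it raises on anything it does not understand rather than guessing), walks the INPUT chain in order, collects every LOG prefix on the way and returns the terminating verdict. A prefix containing "ACC" next to a DROP verdict is exactly the misleading log line Tom is seeing.

```python
"""Replay one inbound packet through an iptables-save filter ruleset and
report which LOG prefixes fire versus what the final verdict is."""
import shlex
from collections import defaultdict

# Constructed ruleset in iptables-save syntax. It is a simplified stand-in for
# what a SuSEfirewall2 setup might generate, not real output. Note the port
# 1433 rule: it LOGs with an "ACC" prefix but no rule ever accepts the packet.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:input_ext - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j input_ext
-A input_ext -p tcp --dport 22 -j ACCEPT
-A input_ext -p tcp --dport 1433 -j LOG --log-prefix "SFW2-INext-ACC "
-A input_ext -p tcp --dport 80 -j LOG --log-prefix "SFW2-INext-ACC "
-A input_ext -p tcp --dport 80 -j ACCEPT
-A input_ext -j LOG --log-prefix "SFW2-INext-DROP-DEFLT "
-A input_ext -j DROP
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_ruleset(text):
    """Return (policies, chains): the default policy of each built-in chain and
    the ordered rules of every chain. Only the handful of options used above are
    understood; anything else raises so the replay never silently misjudges."""
    policies, chains = {}, defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("*", "#", "COMMIT")):
            continue
        if line.startswith(":"):                 # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            if policy != "-":                    # user chains have no policy
                policies[name] = policy
            continue
        toks = shlex.split(line)                 # keeps the quoted prefix whole
        if toks[0] != "-A":
            raise ValueError("unsupported line: " + line)
        rule = {"chain": toks[1]}
        for opt, val in zip(toks[2::2], toks[3::2]):
            if opt == "-i":
                rule["iface"] = val
            elif opt == "-p":
                rule["proto"] = val
            elif opt == "--dport":
                rule["dport"] = int(val)
            elif opt == "-j":
                rule["target"] = val
            elif opt == "--log-prefix":
                rule["prefix"] = val
            elif opt == "-m":
                pass                             # match-module load only
            else:
                raise ValueError("unsupported option: " + opt)
        chains[rule["chain"]].append(rule)
    return policies, chains


def _matches(rule, pkt):
    """A rule matches when every field it constrains equals the packet's."""
    return all(rule.get(k) in (None, pkt[k]) for k in ("iface", "proto", "dport"))


def _walk(chain, pkt, policies, chains, logged):
    for rule in chains[chain]:
        if not _matches(rule, pkt):
            continue
        target = rule["target"]
        if target == "LOG":
            logged.append(rule["prefix"])        # LOG never ends the walk
        elif target in TERMINAL:
            return target
        elif target == "RETURN":
            return None
        elif target in chains:                   # jump into a user chain
            verdict = _walk(target, pkt, policies, chains, logged)
            if verdict is not None:
                return verdict
        else:
            raise ValueError("unknown target: " + target)
    return policies.get(chain)                   # None when a user chain falls off the end


def replay(text, iface, proto, dport):
    """Return (log prefixes emitted in order, final verdict) for one packet."""
    policies, chains = parse_ruleset(text)
    logged = []
    return logged, _walk("INPUT", {"iface": iface, "proto": proto, "dport": dport},
                         policies, chains, logged)


def misleading_accepts(text, packets):
    """Packets whose log line claims ACC(EPT) although the verdict is not ACCEPT.
    The "ACC" substring test is an assumption about the prefix naming scheme."""
    out = []
    for iface, proto, dport in packets:
        logged, verdict = replay(text, iface, proto, dport)
        if any("ACC" in p for p in logged) and verdict != "ACCEPT":
            out.append((proto, dport, logged, verdict))
    return out


if __name__ == "__main__":
    for pkt in [("eth0", "tcp", 1433), ("eth0", "tcp", 80), ("eth0", "udp", 53)]:
        print(pkt, replay(SAMPLE_RULESET, *pkt))
```

Run against a real box with `iptables-save > rules.txt` and feed that text to `replay()`; if the parser rejects an option, extend `parse_ruleset` for it rather than skipping it, because a skipped match would turn a non-matching rule into a matching one. The replay confirms what Lars describes: the "ACC" line for port 1433 is followed by the default-drop log line and a DROP verdict, so the log prefix, not the filtering, is what is wrong.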
> I didn't say (oops) that it's SuSEfirewall2 v3.1.
# rpm -qa | grep "SuSEf*"
SuSEfirewall2-3.1-26

Hmm... on another SLES8 server I get:

SuSEfirewall2-3.1-90

But I installed them the same way, with the same patching method?!

Okay, I now believe it is a bug, and I'll get that damned rpm onto the machine.

Thanks for all your help guys!
Tom.
/ 2004-04-02 15:21:51 +0100 \ Tom Knight:
> > I didn't say (oops) that it's SuSEfirewall2 v3.1.
>
> # rpm -qa | grep "SuSEf*"
> SuSEfirewall2-3.1-26
>
> Hmm... on another SLES8 server I get:
>
> SuSEfirewall2-3.1-90
On my SL 9.0 box, I get

Name        : SuSEfirewall2
Version     : 3.1
Release     : 206
Build Date  : Mon Oct 27 09:54:20 2003
Signature   : DSA/SHA1, Mon Nov 3 18:03:34 2003, Key ID a84edae89c800aca

Since it is a bash script anyway, maybe you want to go with the most recent. Probably found in updates/9.0/noarch ...

lge
-----Original Message-----
From: l.g.e@web.de [mailto:l.g.e@web.de]
Sent: 02 April 2004 16:24
To: suse-security@suse.com
Subject: Re: [suse-security] Odd FW Log
> / 2004-04-02 15:21:51 +0100 \ Tom Knight:
> > > I didn't say (oops) that it's SuSEfirewall2 v3.1.
> >
> > # rpm -qa | grep "SuSEf*"
> > SuSEfirewall2-3.1-26
> >
> > Hmm... on another SLES8 server I get:
> >
> > SuSEfirewall2-3.1-90
>
> On my SL 9.0 box, I get
>
> Name        : SuSEfirewall2
> Version     : 3.1
> Release     : 206
> Build Date  : Mon Oct 27 09:54:20 2003
> Signature   : DSA/SHA1, Mon Nov 3 18:03:34 2003, Key ID a84edae89c800aca
>
> Since it is a bash script anyway, maybe you want to go with the most recent. Probably found in updates/9.0/noarch ...
Well, I've been trying to keep my servers all YOU updated only, as they slowly increase in number... my seventh PE should be arriving next week, and I don't want to have to have too many things to do for each one.

Having said that, I'll see what differences there are between 90 and 206, and if they're worthwhile I'll try it out.

I suppose what I _should_ do is mirror the SLES updates site and add any extra package updates I want, but as with all these things, if only there was time.... ;-) (and machinery, come to think of it!)

Tom.
/ 2004-04-02 16:36:13 +0100 \ Tom Knight:
> Well, I've been trying to keep my servers all YOU updated only, as they slowly increase in number... my seventh PE should be arriving next week, and I don't want to have to have too many things to do for each one.
>
> Having said that, I'll see what differences there are between 90 and 206, and if they're worthwhile I'll try it out.
>
> I suppose what I _should_ do is mirror the SLES updates site and add any extra package updates I want, but as with all these things, if only there was time.... ;-) (and machinery, come to think of it!)
Um, you know about http://fou4s.gaugusch.at, don't you?
Participants (3): Allen/Gore/SlackWareWolf, Lars Ellenberg, Tom Knight