  1. #1
    Just Joined!
    Join Date
    Oct 2003
    Location
    Glasgow, Scotland
    Posts
    9

    ??? What's going down in /var/log/messages


    Hi,

    I have recently changed my connection to the net from cable to dial-up [Sigh!]. I have also changed address and ISP. Since the move I have been seeing my logs filling up with a whole load of messages, for example:

    Oct 18 03:41:12 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=xxx.33.111.35 DST=xx.xxx.14.29 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=6699 DF PROTO=TCP SPT=59243 DPT=1080 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
    Oct 18 03:43:33 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=xx.xxx.xx.xx9 DST=xx.xxx.xx.xx9 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=48132 DF PROTO=TCP SPT=2363 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
    Oct 18 03:43:34 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=xx.xxx.xx.xx DST=xx.xxx.1xx,xx LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=48297 DF PROTO=TCP SPT=2363 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
    Oct 18 03:43:37 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=xx.xx.xx0.xx9 DST=xx.xxx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=48498 DF PROTO=TCP SPT=2363 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0

    These messages are seriously filling my log files to the point of AAAAAAAaaaaaaaaaaaaaaaaahhhhh!!!!

    Can I block them????

    I am being bombarded with DPT=135 hits, to the point that a cat of this file takes around a minute to complete...

    Also [less dubious]:
    Oct 18 02:31:39 localhost kernel: martian source xxx.xxx.xx.xx from 127.0.0.1, on dev ppp0
    Oct 18 02:31:39 localhost kernel: ll header: 45:08:00:28
    Oct 18 02:31:39 localhost kernel: martian source xxx.122.18.79 from 127.0.0.1, on dev ppp0
    Oct 18 02:31:39 localhost kernel: ll header: 45:08:00:28
    Oct 18 02:31:55 localhost kernel: martian source xxx.122.18.79 from 127.0.0.1, on dev ppp0
    Oct 18 02:31:55 localhost kernel: ll header: 45:08:00:28
    Oct 18 02:31:55 localhost kernel: martian source xxx.122.18.79 from 127.0.0.1, on dev ppp0
    Oct 18 02:31:55 localhost kernel: ll header: 45:08:00:28
    Oct 18 02:32:12 localhost kernel: martian source xxx.122.18.79 from 127.0.0.1, on dev ppp0

    The source IP address on these hits [localhost hits] is always my own IP??

    Anything I can do?


    All help is much appreciated.
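    The two kinds of kernel lines quoted above (netfilter LOG drops with a gShield prefix, and "martian source" warnings) are regular enough to aggregate, which answers "is it one scanner or many, and which port" faster than a cat of the whole file. This is an added example, not code from the thread or from gShield; the sample lines are constructed in the same format, with RFC 5737 documentation addresses in place of the poster's masked ones.

```python
import re
import sys
from collections import Counter

# Constructed sample in the same format as the thread's /var/log/messages excerpt
# (gShield iptables LOG lines and kernel "martian source" lines); addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
Oct 18 03:41:12 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=203.0.113.35 DST=192.0.2.29 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=6699 DF PROTO=TCP SPT=59243 DPT=1080 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Oct 18 03:43:33 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=192.0.2.29 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=48132 DF PROTO=TCP SPT=2363 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
Oct 18 03:43:34 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=192.0.2.29 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=48297 DF PROTO=TCP SPT=2363 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
Oct 18 03:43:37 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=192.0.2.29 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=48498 DF PROTO=TCP SPT=2363 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
Oct 18 02:31:39 localhost kernel: martian source 192.0.2.29 from 127.0.0.1, on dev ppp0
Oct 18 02:31:55 localhost kernel: martian source 192.0.2.29 from 127.0.0.1, on dev ppp0
Oct 18 02:32:01 localhost sshd[123]: unrelated line
"""

# A netfilter LOG line: timestamp, host, "kernel:", optional --log-prefix text, then IN=...
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>.*?)\s*(?P<rest>IN=.*)$")
MARTIAN_RE = re.compile(r"kernel: martian source (?P<dst>\S+) from (?P<src>\S+), on dev (?P<dev>\S+)")

def parse_drop(line):
    """Return the LOG fields (IN, SRC, DST, PROTO, DPT, flags ...) as a dict, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"ts": m.group("ts"), "prefix": m.group("prefix")}
    for tok in m.group("rest").split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else True   # bare tokens (DF, SYN, ECE) are flags
    return fields

def summarize(text):
    """Count drops by (proto, dport) and by source, and martians by (src, dst, dev)."""
    by_dport, by_src, martians = Counter(), Counter(), Counter()
    for line in text.splitlines():
        f = parse_drop(line)
        if f:
            by_dport[(f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
            by_src[f.get("SRC", "?")] += 1
            continue
        m = MARTIAN_RE.search(line)
        if m:
            martians[(m.group("src"), m.group("dst"), m.group("dev"))] += 1
    return {"by_dport": by_dport, "by_src": by_src, "martians": martians}

if __name__ == "__main__":   # usage: python summarize_drops.py [/var/log/messages]
    s = summarize(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG)
    for name in ("by_dport", "by_src", "martians"):
        print(name, s[name].most_common(5))
```

    A martian entry whose "from" address is 127.0.0.1 and whose destination is your own dial-up address means a packet with a loopback source arrived on ppp0, which a sane peer never sends; counting them per device shows whether it is a steady stream or an occasional stray.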

  2. #2
    Are you running some sort of iptables script that won't work due to dial-up?

    Also, have you looked at the syslogd config file?

  3. #3
    Hi Kriss, I have recently changed from cable to dial-up; I replaced my script and was using Firestarter. But I am no guru when it comes to iptables scripts. I will look over my FW script [gShield] and will check, as this is the first feasible explanation I have had from any forum. Thanks. Also, here is a copy of my syslog.conf; can I create a new directory/files and redirect some of the messages to ease /var/log/messages?


    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.* /dev/console

    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages

    # The authpriv file has restricted access.
    authpriv.* /var/log/secure

    # Log all the mail messages in one place.
    mail.* /var/log/maillog


    # Log cron stuff
    cron.* /var/log/cron

    # Everybody gets emergency messages
    *.emerg *

    # Save news errors of level crit and higher in a special file.
    uucp,news.crit /var/log/spooler

    # Save boot messages also to boot.log
    local7.* /var/log/boot.log

    #
    # INN
    #
    news.=crit /var/log/news/news.crit
    news.=err /var/log/news/news.err
    news.notice /var/log/news/news.notice


    Thank you in advance.

  5. #4
    kern.* -/var/log/iptableslog

    Try putting that in the file, restart syslogd and see what happens.

    As previously said, I might be wrong, so don't kill me if it doesn't work.

  6. #5
    Tried what you said

    Hi, well, I edited the syslog.conf file in the manner you said, and I now have the messages being written to /var/log/iptableslog as well as /var/log/messages????

    Also, I installed the gShield FW, and I now have a situation where if I flush my iptables rules I cannot access the internet [even though OUTPUT is set to ACCEPT?]. How can I remove this FW from my system and stop all these shenanigans??

    Thank you in advance
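    The "written to both files" outcome in the post above follows from the first selector in the posted syslog.conf: `*.info` matches the kern facility as well, so adding a `kern.*` line gives kernel messages a second destination instead of moving them. An added example, not from the thread, of the posted pair beside a corrected pair that routes kernel output (and so the iptables LOG lines) only to its own file; the leading `-` tells syslogd not to sync the file after every write, which matters when a port sweep produces thousands of lines a minute:

```conf
# As posted: kernel messages reach /var/log/messages through *.info,
# and the extra kern.* line duplicates them into the new file.
*.info;mail.none;news.none;authpriv.none;cron.none   /var/log/messages
kern.*                                               -/var/log/iptableslog

# Corrected: exclude the kern facility from messages, keep the dedicated file.
*.info;kern.none;mail.none;news.none;authpriv.none;cron.none   /var/log/messages
kern.*                                                         -/var/log/iptableslog
```

    Every kernel message moves with this, the martian warnings and hardware errors included, so the new file needs reading too; restart syslogd (or send it SIGHUP) after editing.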

  7. #6
    What gets written to iptableslog? Can you give me a small sample? Does the same stuff get written in messages as well?

    I don't know much about the FW stuff, so someone other than me will have to answer that one.
