  1. #1
    Just Joined!
    Join Date
    Oct 2003
    Location
    Glasgow. Scotland
    Posts
    9

    ??? What's going down in /var/log/messages


    Hi,

    I have recently changed my connection to the net from cable to dial-up [Sigh!]. I have also changed address and ISP. Since the move I have been seeing my logs filling up with a whole load of messages. Example:

    Oct 18 03:41:12 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=xxx.33.111.35 DST=xx.xxx.14.29 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=6699 DF PROTO=TCP SPT=59243 DPT=1080 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
    Oct 18 03:43:33 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=xx.xxx.xx.xx9 DST=xx.xxx.xx.xx9 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=48132 DF PROTO=TCP SPT=2363 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
    Oct 18 03:43:34 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=xx.xxx.xx.xx DST=xx.xxx.1xx,xx LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=48297 DF PROTO=TCP SPT=2363 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
    Oct 18 03:43:37 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=xx.xx.xx0.xx9 DST=xx.xxx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=48498 DF PROTO=TCP SPT=2363 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0

    these messages are seriously filling my log files to the point of AAAAAAAaaaaaaaaaaaaaaaaahhhhh!!!!

    Can I block them????

    I am being bombarded with DPT=135 hits to the point of a cat of this file takes around a minute to complete...

    Also [ less dubious ]
    Oct 18 02:31:39 localhost kernel: martian source xxx.xxx.xx.xx from 127.0.0.1, on dev ppp0
    Oct 18 02:31:39 localhost kernel: ll header: 45:08:00:28
    Oct 18 02:31:39 localhost kernel: martian source xxx.122.18.79 from 127.0.0.1, on dev ppp0
    Oct 18 02:31:39 localhost kernel: ll header: 45:08:00:28
    Oct 18 02:31:55 localhost kernel: martian source xxx.122.18.79 from 127.0.0.1, on dev ppp0
    Oct 18 02:31:55 localhost kernel: ll header: 45:08:00:28
    Oct 18 02:31:55 localhost kernel: martian source xxx.122.18.79 from 127.0.0.1, on dev ppp0
    Oct 18 02:31:55 localhost kernel: ll header: 45:08:00:28
    Oct 18 02:32:12 localhost kernel: martian source xxx.122.18.79 from 127.0.0.1, on dev ppp0

    The source IP address on these hits [localhost hits] is always my own IP??

    Anything I can do ?


    All help is much appreciated.
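Before deciding what to block or silence, it helps to know exactly what is filling the file. The script below is an added example (not from the thread or from gShield) that parses the two kinds of kernel lines quoted above: netfilter LOG entries (log prefix, then KEY=VALUE fields plus bare flag tokens such as DF and SYN) and "martian source" entries. It counts drops by destination port and by source, and martians by claimed source and interface. The sample log is constructed, with RFC 5737 documentation addresses standing in for the masked ones. One detail worth knowing for the martian lines: the kernel prints the packet's destination first and its source after "from", so in the lines above the poster's own address is the destination and 127.0.0.1 is the (spoofed or misrouted) source, which is why the kernel flags it as a martian on ppp0.

```python
import re
from collections import Counter

# Constructed sample modelled on the lines in the post; addresses are RFC 5737
# documentation ranges in place of the masked ones.
SAMPLE_LOG = """\
Oct 18 03:41:12 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=192.0.2.35 DST=198.51.100.29 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=6699 DF PROTO=TCP SPT=59243 DPT=1080 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Oct 18 03:43:33 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=192.0.2.9 DST=198.51.100.29 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=48132 DF PROTO=TCP SPT=2363 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
Oct 18 03:43:34 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.29 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=48297 DF PROTO=TCP SPT=2363 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
Oct 18 03:43:37 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=192.0.2.9 DST=198.51.100.29 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=48498 DF PROTO=TCP SPT=2363 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
Oct 18 02:31:39 localhost kernel: martian source 198.51.100.29 from 127.0.0.1, on dev ppp0
Oct 18 02:31:39 localhost kernel: ll header: 45:08:00:28
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
MARTIAN_RE = re.compile(r"kernel: martian source (\S+) from (\S+), on dev (\S+)")


def parse_netfilter_line(line):
    """Parse one netfilter LOG line into a dict; return None for any other line.

    Text between 'kernel: ' and ' IN=' is the --log-prefix ('gShield (default
    drop)' here); the remainder is KEY=VALUE pairs plus bare flag tokens.
    """
    if "kernel: " not in line:
        return None
    _, _, rest = line.partition("kernel: ")
    if rest.startswith("IN="):          # no log prefix configured
        prefix, fields = "", rest
    else:
        prefix, sep, fields = rest.partition(" IN=")
        if not sep:
            return None
        fields = "IN=" + fields
    record = {"timestamp": line[:15], "prefix": prefix.strip()}
    for key, value in KV_RE.findall(fields):
        record[key] = value                     # OUT= and MAC= may be empty
    record["flags"] = [tok for tok in fields.split() if "=" not in tok]
    return record


def parse_martian_line(line):
    """Parse a 'martian source <dst> from <src>, on dev <if>' kernel line."""
    m = MARTIAN_RE.search(line)
    if m is None:
        return None
    return {"timestamp": line[:15], "dst": m.group(1), "src": m.group(2), "dev": m.group(3)}


def summarize(log_text):
    """Count drops by (proto, dport) and by source, and martians by (src, dev)."""
    by_dport, by_src, martians = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_netfilter_line(line)
        if rec is not None:
            by_dport[(rec.get("PROTO"), rec.get("DPT"))] += 1
            by_src[rec.get("SRC")] += 1
            continue
        mart = parse_martian_line(line)
        if mart is not None:
            martians[(mart["src"], mart["dev"])] += 1
    return {"by_dport": by_dport, "by_src": by_src, "martians": martians}


if __name__ == "__main__":
    import sys
    # Run against /var/log/messages (or any file) as argv[1]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    summary = summarize(text)
    print("dropped packets by destination port:")
    for (proto, dport), n in summary["by_dport"].most_common():
        print(f"  {proto}/{dport}: {n}")
    print("martians by (claimed source, interface):")
    for (src, dev), n in summary["martians"].most_common():
        print(f"  {src} on {dev}: {n}")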

  2. #2
    Linux Engineer kriss
    Join Date
    Jun 2003
    Posts
    1,113
    Are you running some sort of iptables script that won't work due to dial-up?

    Also, have you looked at the syslogd config file?

  3. #3
    Just Joined!
    Join Date
    Oct 2003
    Location
    Glasgow. Scotland
    Posts
    9
    Hi Kriss, I have recently changed from cable to dial-up. I replaced my script and was using firestarter, but I am no guru when it comes to iptables scripts. I will look over my FW script [gshield] and will check, as this is the first feasible explanation I have had from any forum. Thanks. Also, here is a copy of my syslog.conf; can I create a new directory/files and redirect some of the messages to ease /var/log/messages?


    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.* /dev/console

    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages

    # The authpriv file has restricted access.
    authpriv.* /var/log/secure

    # Log all the mail messages in one place.
    mail.* /var/log/maillog


    # Log cron stuff
    cron.* /var/log/cron

    # Everybody gets emergency messages
    *.emerg *

    # Save news errors of level crit and higher in a special file.
    uucp,news.crit /var/log/spooler

    # Save boot messages also to boot.log
    local7.* /var/log/boot.log

    #
    # INN
    #
    news.=crit /var/log/news/news.crit
    news.=err /var/log/news/news.err
    news.notice /var/log/news/news.notice


    Thank you in advance.

  4. #4
    Linux Engineer kriss
    Join Date
    Jun 2003
    Posts
    1,113
    kern.* -/var/log/iptableslog

    Try to put that in the file, restart syslogd and see if this helps.

    As previously said, I might be wrong, so don't kill me if it doesn't work.

  5. #5
    Just Joined!
    Join Date
    Oct 2003
    Location
    Glasgow. Scotland
    Posts
    9

    Tried what you said

    Hi, well I edited the syslog.conf file in the manner you said, and I now have the messages being written to /var/log/iptableslog as well as /var/log/messages????

    Also I installed gShield FW, and I now have the situation where if I flush my iptables rules I cannot access the internet [ even though OUTPUT is set to ACCEPT ? ] How can I remove this FW from my system and stop all this shenanigans ??

    Thank you in advance

  6. #6
    Linux Engineer kriss
    Join Date
    Jun 2003
    Posts
    1,113
    What gets written to iptableslog? Can you give me a small sample? Does the same stuff get written in messages as well?

    I don't know much about the FW stuff, so someone other than me will have to answer that one.
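The duplication reported in post #5 is expected from the way syslog.conf selectors work: the `kern.* -/var/log/iptableslog` line from post #4 adds a destination, but the existing `*.info;mail.none;...` line still matches kernel messages, so both files receive them. The added example below (mine, not from the thread or from sysklogd) models classic syslogd selector matching, where terms in one selector are applied left to right and `fac.none` carves an exception out of a `*.info` catch-all, and shows the poster's config before and after adding `kern.none` to the /var/log/messages line. Both config texts are constructed from the syslog.conf quoted in post #3; netfilter's LOG target writes at priority warning unless `--log-level` changes it.

```python
# Priorities in ascending severity, as syslog.conf(5) ranks them.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed: the poster's syslog.conf with the kern.* line from post #4 appended.
CONF_WITH_KERN_LINE = """\
# Log anything (except mail) of level info or higher.
*.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
kern.* -/var/log/iptableslog
"""

# Constructed fix: exclude kern from the catch-all so kernel messages
# (including the firewall drops) go only to their own file.
CONF_FIXED = CONF_WITH_KERN_LINE.replace(
    "*.info;mail.none;", "*.info;kern.none;mail.none;"
)


def selector_matches(selector, facility, priority):
    """Evaluate one classic syslogd selector such as '*.info;mail.none;kern.=err'.

    Terms are applied left to right; a later term overrides earlier ones for
    the facilities it names. Supports '*', 'none', '=prio' and 'prio or higher'.
    """
    matched = False
    for term in selector.split(";"):
        facs, _, prio = term.partition(".")
        facs = [f.strip() for f in facs.split(",")]
        prio = prio.strip()
        if "*" not in facs and facility not in facs:
            continue
        if prio == "none":
            matched = False
        elif prio == "*":
            matched = True
        elif prio.startswith("="):
            matched = priority == prio[1:]
        else:
            matched = PRIORITIES.index(priority) >= PRIORITIES.index(prio)
    return matched


def destinations(config_text, facility, priority):
    """Return, in file order, every action a facility.priority message reaches."""
    hits = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        selector, action = parts
        if selector_matches(selector, facility, priority):
            hits.append(action.strip().lstrip("-"))  # leading '-' only disables fsync
    return hits


if __name__ == "__main__":
    print("before:", destinations(CONF_WITH_KERN_LINE, "kern", "warning"))
    print("after: ", destinations(CONF_FIXED, "kern", "warning"))
```

Two caveats on the fix: `kern.none` diverts every kernel message, not just firewall drops, so disk or driver errors will also land in iptableslog and that file needs its own logrotate entry; if you want only the firewall noise separated, give the LOG rule a distinct `--log-level` and select on `kern.=<that level>` instead.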
