Koozali.org: home of the SME Server

Message logfile

stlouis

Message logfile
« on: April 27, 2005, 10:52:39 PM »
Server in question is:
SME Server 6.0.1-01
web & mail server (basic config)
Clam & Spamassassin contribs from dungog & jasper


Message log is continuously being bombarded with the following message (approximately every 4-9 seconds) ... eventually causing (?) server to "freeze" (after about 19 hours of running) ... reboot gets it up and running again, but message continues and server freezes just after 3AM each morning.

<message in logfile>

Apr 26 07:32:45 webserver kernel: denylog:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0e:7f:d6:9d:d8:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=46282 PROTO=UDP SPT=68 DPT=67 LEN=556

</message in logfile>

Does anyone have a clue as to what this means?  What is causing this?  And how to stop it?  Any HELP will be greatly appreciated.  Verbose instructions are a blessing ;-) as I know just enough to make it work ... and usually keep it working.  Thanks, in advance.

cc_skavenger

Re: Message logfile
« Reply #1 on: April 27, 2005, 11:27:14 PM »
Quote from: "stlouis"
<message in logfile>
Apr 26 07:32:45 webserver kernel: denylog:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0e:7f:d6:9d:d8:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=46282 PROTO=UDP SPT=68 DPT=67 LEN=556
</message in logfile>


PROTO=protocol
SPT=source port
DPT=destination port

Ports 67 & 68 refer to DHCP.  Is there something on your network that would be giving out DHCP?  Is eth0 your WAN or LAN connection?  Eth0 is the interface that is getting the connection attempts.

HTH

jgr

Message logfile
« Reply #2 on: April 28, 2005, 03:52:13 PM »
I have something similar going on:

Random and rarely to one MAC address, SPT & DPT ports both 137. Log entry every 6 seconds to another MAC address w/ the SPT port incrementing by 1 for each log entry, starting at 50003 every time the ActionTec is powered up; DPT port # stays on 61112. Phone line connection or not has no effect, nothing else connected to the ActionTec. Disconnect the ActionTec & the logging stops.

System:
ActionTec R-1520SU DSL box, EtherNet port
SME Server 6.0
Web, email, ftp & file server
ClamAV & SpamAssassin from Swerts-Knudsen
Snort from MasterSleepy (here)

Apr 28 08:54:52 www kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:e0:36:0c:4e:08:00 SRC=192.168.1.254 DST=255.255.255.255 LEN=120 TOS=0x00 PREC=0x00 TTL=155 ID=2609 PROTO=UDP SPT=50940 DPT=61112 LEN=100

The external interface is eth1 with IP Address 192.168.1.253, ActionTec MAC address is 00 20 E0 36 0C 51 and IP Address is 192.168.1.254, SME Server MAC addresses are not similar to the ActionTec.

I would really appreciate some help if anyone has any idea what's going on here.

Thanks,
jgr

stlouis

Message logfile
« Reply #3 on: April 28, 2005, 06:34:53 PM »
cc_skavenger,

Thanks for your help.

Eth0 is LAN.  There are 3 servers on this LAN: SME for website & e-mail (this is the one with the problem), SME for Internet access, Windows 2003 for Domain.  All have DHCP disabled (verified).

I do not get any of these denylog messages in the logfile of my second SME server.  The server in question though logs them back at least as far as March 15th (last log), but I didn't start having the lockups until about a week ago, so I may be dealing with more than one issue.

Do you know of anything else that uses those ports for anything other than DHCP (since there aren't any DHCP servers on my LAN)?

If it isn't the denylog entries locking the server up, do you know how to track down what it is?  The server screen is black and unresponsive when it freezes.  A reboot takes care of it, but then it freezes again the next night (last log entry listed in "messages" shows 3:05:48 and the last thing listed is the denylog entry as mentioned in original post).  Do you know if there is a log file, command, or utility that might give an indication of what the issue might be?

To further "cloud" the issue (at least for me) ...

Without filling the forum with the entire log (I can if needed add more), does the below excerpt indicate that the server was rebooted at 3:06 AM (following a denylog listing)?

Apr 24 03:05:19 webserver kernel: denylog:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0e:7f:d6:9d:d8:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=11816 PROTO=UDP SPT=68 DPT=67 LEN=556
Apr 24 03:06:27 webserver syslogd 1.4.1: restart.
Apr 24 03:06:27 webserver syslog: syslogd startup succeeded

... The log continues with a long listing of restarted services ... seemingly corresponding to a server reboot.

This corresponds with the time that the server seems to be freezing (as indicated by the last listing in messages and antivir logs - as well as the antivirus scan report normally mailed to the admin account not being received), but the cron log lists other things occurring at incremental times after that.  Am I correct that the cron log lists what HAS run, not what is SUPPOSED to have run?  I had thought I had traced it to a clam scan that runs at this time (and it has frozen on manual scans before), but with the seemingly conflicting logs, I’m no longer sure (as well, some nights it completes the scan and the server isn't frozen the next morning).

Thanks again.  Any further direction would be appreciated.

cc_skavenger

Message logfile
« Reply #4 on: April 29, 2005, 05:09:24 AM »
stlouis,

If I am correct, that is probably the time that the logs get rotated.  Are you in the EDT time zone?  Do a top and then press shift and M together.  This will list the processes that are using the most memory.  Also, look at the idle numbers; they should not stay low.  It should move around, but it shouldn't stay at or about 0.
Also, what are the hardware specs?  SME is really bad about needing a lot of memory, especially if you are running spamassassin and clamav.

cc_skavenger

Message logfile
« Reply #5 on: April 29, 2005, 05:18:25 AM »
Quote from: "jgr"
...
Random and rarely to one MAC address, SPT & DPT ports both 137. Log entry every 6 seconds to another MAC address w/ the SPT port incrementing by 1 for each log entry, starting at 50003 every time the ActionTec is powered up, DPT port # stays on 61112.
.
.
Apr 28 08:54:52 www kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:e0:36:0c:4e:08:00 SRC=192.168.1.254 DST=255.255.255.255 LEN=120 TOS=0x00 PREC=0x00 TTL=155 ID=2609 PROTO=UDP SPT=50940 DPT=61112 LEN=100

The external interface is eth1 with IP Address 192.168.1.253, ActionTec MAC address is 00 20 E0 36 0C 51 and IP Address is 192.168.1.254, SME Server MAC addresses are not similar to the ActionTec.

I would really appreciate some help if anyone has any idea what's going on here.

Thanks,
jgr


Quick google search turned up this:
http://www.actiontec.com/support/broadband/1524su-1_faqs.html
"Why does the Actiontec Wireless-Ready DSL Gateway continuously broadcast to port 61112?
This is a required broadcast that enables the Actiontec Installation Buddy software to run properly. Our firmware upgrades also need this broadcast to run properly."

Port 137 denies are from Win NT boxes (2K, XP, & 2K3) that are infected with viruses.  Port scans that increase by one port are also scans from virus-infected PCs.  If they are from PCs on your LAN, then they have a virus!

HTH
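Pulling together the two diagnoses in this thread (the field breakdown and the DHCP identification of ports 67/68 in Reply #1, and the ActionTec port 61112 broadcast and port 137 identification in Reply #5), the following is an added Python example; it is not code from the thread, from SME Server or from Actiontec. It parses kernel denylog lines in exactly the format quoted above, splits the MAC= field into destination MAC, source MAC and ethertype, labels each entry with the explanation the posters arrived at, and groups entries by sending device so the "every 4-9 seconds" and "source port incrementing by 1" patterns described in the thread show up as numbers. The sample log is constructed: the first and third lines are the entries quoted in the thread, the second and fourth are constructed follow-ups six seconds later, and the port 137 line is constructed to stand in for jgr's SPT/DPT 137 entries. The label names are assumptions made here.

```python
import re
from datetime import datetime

# Constructed sample log. Lines 1 and 3 are the denylog entries quoted in the
# thread; lines 2 and 4 are constructed follow-ups six seconds later (line 4
# with SPT incremented by one, as jgr observed); line 5 is a constructed
# NetBIOS name-service (137/137) entry with made-up MAC and address.
SAMPLE_LOG = """\
Apr 26 07:32:45 webserver kernel: denylog:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0e:7f:d6:9d:d8:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=46282 PROTO=UDP SPT=68 DPT=67 LEN=556
Apr 26 07:32:51 webserver kernel: denylog:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0e:7f:d6:9d:d8:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=46283 PROTO=UDP SPT=68 DPT=67 LEN=556
Apr 28 08:54:52 www kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:e0:36:0c:4e:08:00 SRC=192.168.1.254 DST=255.255.255.255 LEN=120 TOS=0x00 PREC=0x00 TTL=155 ID=2609 PROTO=UDP SPT=50940 DPT=61112 LEN=100
Apr 28 08:54:58 www kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:e0:36:0c:4e:08:00 SRC=192.168.1.254 DST=255.255.255.255 LEN=120 TOS=0x00 PREC=0x00 TTL=155 ID=2610 PROTO=UDP SPT=50941 DPT=61112 LEN=100
Apr 28 09:01:03 www kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.77 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=777 PROTO=UDP SPT=137 DPT=137 LEN=58
"""

# syslog prefix followed by the iptables LOG payload of the denylog chain
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"kernel: denylog:(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_denylog(line):
    """Return a dict of the denylog fields, or None for a non-denylog line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host")}
    for key, value in FIELD_RE.findall(m.group("fields")):
        # LEN appears twice: first the IP total length, then the UDP length.
        if key in rec:
            key = "L4_" + key
        rec[key] = value
    # MAC= is the raw 14-byte Ethernet header: dst MAC, src MAC, ethertype.
    octets = rec.get("MAC", "").split(":")
    if len(octets) == 14:
        rec["dst_mac"] = ":".join(octets[0:6])
        rec["src_mac"] = ":".join(octets[6:12])
        rec["ethertype"] = "".join(octets[12:14])
    return rec


def classify(rec):
    """Label an entry using the explanations given in this thread (labels assumed)."""
    proto, spt, dpt = rec.get("PROTO"), rec.get("SPT"), rec.get("DPT")
    if proto == "UDP" and spt == "68" and dpt == "67":
        # A client with no lease yet (SRC 0.0.0.0) asking every DHCP server.
        if rec.get("SRC") == "0.0.0.0" and rec.get("DST") == "255.255.255.255":
            return "dhcp-client-broadcast"
        return "dhcp-client"
    if proto == "UDP" and spt == "137" and dpt == "137":
        return "netbios-name-service"
    if proto == "UDP" and dpt == "61112":
        return "actiontec-61112-broadcast"
    return "other"


def summarize(log_text):
    """Group entries by sending device; keep arrival intervals and source ports."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_denylog(line)
        if rec is None:
            continue  # syslogd restarts, cron lines, etc. are not denylog entries
        key = (rec.get("src_mac"), rec.get("SRC"), classify(rec))
        g = groups.setdefault(key, {"count": 0, "intervals": [], "spts": [], "last": None})
        # syslog carries no year; the default 1900 is fine for differences within one log.
        t = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
        if g["last"] is not None:
            g["intervals"].append((t - g["last"]).total_seconds())
        g["last"] = t
        g["count"] += 1
        g["spts"].append(rec.get("SPT"))
    return groups


if __name__ == "__main__":
    for (mac, ip, label), g in summarize(SAMPLE_LOG).items():
        print(f"{label:28} src_mac={mac} src_ip={ip} n={g['count']} "
              f"intervals={g['intervals']} spts={g['spts']}")
```

Feeding it `grep denylog /var/log/messages` gives one group per sending device. For stlouis's case the source MAC inside the MAC= field is the thing to chase, since the sender's IP is 0.0.0.0 (it has no lease yet) and so tells you nothing; for jgr's case the destination port 61112 is what ties the entries to the Actiontec FAQ quoted above, and the intervals and source-port list confirm the six-second, increment-by-one pattern he described.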

jgr

Message logfile
« Reply #6 on: April 29, 2005, 04:18:04 PM »
Thanks for your quick reply, it didn't occur to me to look on the ActionTec site...

Thanks,
jgr

stlouis

Message logfile
« Reply #7 on: April 29, 2005, 06:01:16 PM »
cc_skavenger,

Log rotation seems to make sense by what I see in the logfile.  I'm in the Central Daylight Time zone.  Top report shows that spamd is at the top of memory usage, with httpd and dansguardian taking the rest of the top list.  I'd forgotten that dansguardian was initially installed on this server.  It's not used, so I'll remove it.  Hopefully, if the issue has to do with running out of memory, this will help alleviate the issue.

This is a 1GHz PC with 512MB RAM.  Top shows all but about 25MB of RAM used and the CPU is basically idle.  Is this too little RAM?  I thought this was good for an SME server, but as you mentioned, spamassassin and clamav need more than the basic server uses to run.

Thanks for your help, cc_skavenger.

cc_skavenger

Message logfile
« Reply #8 on: April 30, 2005, 05:36:16 AM »
It is really up to you.  RAM being so cheap, I would load up on it if you can.  I guess it depends how much mail your server processes.  My company's server handles anywhere in the tens of thousands of e-mails a day.  It is a 2GHz box with 1GB of RAM and dual 80GB hard drives.  It gets bogged down from time to time with spamassassin and clamav, but I haven't been able to convince the boss to allow me to upgrade it.  It is only used for e-mail and I have any process not needed turned off, but it still bogs down every now and then.