Koozali.org: home of the SME Server

Interpreting Denylog message.

pssl
Interpreting Denylog message.
« on: May 03, 2010, 12:29:59 AM »
Hi,

SME version: 6.5 (I know, I should upgrade...but that would require a hardware upgrade, which I can't get to right now).

I just changed ISPs and am now getting the following denylog messages in the Message log every second or two.  I noticed that the SRC address and the DPT ports are continually changing.  I looked up some of the addresses and most of them belong to the ISP (Bell Canada).  I was hoping someone could help educate me as to the interpretation of the messages before I get on the horn to Bell to find out what is going on.  It appears my server is continually being pinged, which I don't understand since it is configured as a private server/gateway.  I didn't think anyone could see it on the net.  I used to see the occasional denylog message, but since being activated this afternoon, there are hundreds if not thousands of messages in the log.

Is my interpretation correct?

The old ISP was a small outfit, so maybe this is the effect of hooking up with a major ISP and I just have to live with more denylog messages.  If so, is there a way to turn them off?  My log is going to be stuffed before too long.

Peter.

---(partial) Message Log---
May  2 17:00:44 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:34:15:9e:17:3c:d0:08:00 SRC=70.24.130.136 DST=255.255.255.255 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=25608 PROTO=UDP SPT=58128 DPT=2223 LEN=80
May  2 17:00:45 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:13:8f:06:a9:d9:08:00 SRC=70.24.63.241 DST=255.255.255.255 LEN=103 TOS=0x00 PREC=0x00 TTL=128 ID=27425 PROTO=UDP SPT=1058 DPT=1211 LEN=83
May  2 17:00:46 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:6b:83:43:2d:08:00 SRC=76.67.42.85 DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=10141 PROTO=UDP SPT=1034 DPT=1947 LEN=48
May  2 17:00:47 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:19:b9:5a:64:41:08:00 SRC=74.15.249.167 DST=255.255.255.255 LEN=103 TOS=0x00 PREC=0x00 TTL=128 ID=46079 PROTO=UDP SPT=4482 DPT=1211 LEN=83
May  2 17:00:48 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:70:83:b6:c2:08:00 SRC=74.15.243.112 DST=255.255.255.255 LEN=67 TOS=0x00 PREC=0x00 TTL=128 ID=19082 PROTO=UDP SPT=1004 DPT=1004 LEN=47
May  2 17:00:51 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:22:15:3f:18:e0:08:00 SRC=76.67.46.185 DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=7901 PROTO=UDP SPT=55401 DPT=1947 LEN=48
May  2 17:00:51 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:17:f2:c2:b7:80:08:00 SRC=76.67.45.130 DST=255.255.255.255 LEN=180 TOS=0x00 PREC=0x00 TTL=64 ID=7435 PROTO=UDP SPT=49469 DPT=2222 LEN=160
May  2 17:00:52 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:11:eb:da:8a:08:00 SRC=76.70.99.36 DST=255.255.255.255 LEN=154 TOS=0x00 PREC=0x00 TTL=128 ID=15641 PROTO=UDP SPT=17500 DPT=17500 LEN=134
May  2 17:00:52 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:70:83:b6:c2:08:00 SRC=74.15.243.112 DST=255.255.255.255 LEN=69 TOS=0x00 PREC=0x00 TTL=128 ID=19188 PROTO=UDP SPT=1004 DPT=1004 LEN=49
May  2 17:00:53 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:70:83:b6:c2:08:00 SRC=74.15.243.112 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=19207 PROTO=UDP SPT=1004 DPT=1004 LEN=55
May  2 17:00:56 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:19:b9:5c:66:70:08:00 SRC=76.67.44.114 DST=255.255.255.255 LEN=138 TOS=0x00 PREC=0x00 TTL=128 ID=17056 PROTO=UDP SPT=17500 DPT=17500 LEN=118
May  2 17:00:56 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:19:b9:5c:66:70:08:00 SRC=76.67.44.114 DST=255.255.255.255 LEN=138 TOS=0x00 PREC=0x00 TTL=128 ID=17057 PROTO=UDP SPT=17500 DPT=17500 LEN=118
May  2 17:00:58 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:df:9c:8e:0a:08:00 SRC=70.24.60.138 DST=255.255.255.255 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=30197 PROTO=UDP SPT=49304 DPT=2223 LEN=80
May  2 17:00:58 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:70:83:b6:c2:08:00 SRC=74.15.243.112 DST=255.255.255.255 LEN=67 TOS=0x00 PREC=0x00 TTL=128 ID=19336 PROTO=UDP SPT=1004 DPT=1004 LEN=47
May  2 17:01:03 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:70:83:b6:c2:08:00 SRC=74.15.243.112 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=19443 PROTO=UDP SPT=1004 DPT=1004 LEN=55
May  2 17:01:04 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:70:83:b6:c2:08:00 SRC=74.15.243.112 DST=255.255.255.255 LEN=69 TOS=0x00 PREC=0x00 TTL=128 ID=19475 PROTO=UDP SPT=1004 DPT=1004 LEN=49
May  2 17:01:06 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:13:8f:06:a9:d9:08:00 SRC=70.24.63.241 DST=255.255.255.255 LEN=103 TOS=0x00 PREC=0x00 TTL=128 ID=27428 PROTO=UDP SPT=1058 DPT=1211 LEN=83
May  2 17:01:06 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:d1:48:97:7a:08:00 SRC=76.70.122.135 DST=255.255.255.255 LEN=152 TOS=0x00 PREC=0x00 TTL=128 ID=60827 PROTO=UDP SPT=17500 DPT=17500 LEN=132
May  2 17:01:06 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:d1:48:97:7a:08:00 SRC=76.70.122.135 DST=255.255.255.255 LEN=152 TOS=0x00 PREC=0x00 TTL=128 ID=60828 PROTO=UDP SPT=17500 DPT=17500 LEN=132
May  2 17:01:07 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:19:b9:5a:64:41:08:00 SRC=74.15.249.167 DST=255.255.255.255 LEN=103 TOS=0x00 PREC=0x00 TTL=128 ID=46082 PROTO=UDP SPT=4482 DPT=1211 LEN=83
May  2 17:01:08 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:70:83:b6:c2:08:00 SRC=74.15.243.112 DST=255.255.255.255 LEN=67 TOS=0x00 PREC=0x00 TTL=128 ID=19598 PROTO=UDP SPT=1004 DPT=1004 LEN=47
May  2 17:01:09 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:32:93:ae:85:08:00 SRC=70.24.129.153 DST=255.255.255.255 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=21795 PROTO=UDP SPT=55940 DPT=2223 LEN=80
May  2 17:01:10 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:cb:97:af:d6:08:00 SRC=74.15.249.220 DST=255.255.255.255 LEN=180 TOS=0x00 PREC=0x00 TTL=64 ID=5888 PROTO=UDP SPT=54331 DPT=2222 LEN=160
May  2 17:01:10 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:63:93:e2:c5:08:00 SRC=76.70.99.226 DST=255.255.255.255 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=48796 PROTO=UDP SPT=62492 DPT=2223 LEN=80
May  2 17:01:14 cherubim kernel: denylog:IN=eth1 OUT= MAC=00:0e:2e:6e:68:0c:00:90:1a:41:fa:56:08:00 SRC=187.117.124.161 DST=74.14.1.252 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=22412 DF PROTO=TCP SPT=54795 DPT=63061 WINDOW=65535 RES=0x00 SYN URGP=0
May  2 17:01:14 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:70:83:b6:c2:08:00 SRC=74.15.243.112 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=19735 PROTO=UDP SPT=1004 DPT=1004 LEN=55


CharlieBrady
Re: Interpreting Denylog message.
« Reply #1 on: May 03, 2010, 05:05:34 AM »
I didn't think anyone could see it on the net.

If it's connected to the Internet, anyone can send it packets. The denylog messages just indicate that your system received the packets and ignored them. IMO it's not worth your time trying to understand those packets. They are doing your system no harm.

If you see the DST address, most of those packets are broadcast packets - they weren't even sent specifically to your system.
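The distinction CharlieBrady draws (broadcast noise versus packets actually addressed to the host) is easy to check mechanically. The script below is an added example, not SME Server code or anything from this thread: it parses the `denylog:` KEY=VALUE fields exactly as they appear in the lines Peter posted, marks a record as broadcast when DST is 255.255.255.255 or the destination MAC is ff:ff:ff:ff:ff:ff, and tallies protocol/port pairs and the sources of directed packets. The three sample lines are copied from the log above; the function names (`parse_denylog`, `is_broadcast`, `summarize`) and the `L4_LEN`/`FLAGS` field names are my own.

```python
import re
import sys
import ipaddress
from collections import Counter

# Three lines copied from the message log posted above: two UDP broadcasts
# and one TCP SYN that was sent to the server's own address.
SAMPLE_LOG = """\
May  2 17:00:44 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:34:15:9e:17:3c:d0:08:00 SRC=70.24.130.136 DST=255.255.255.255 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=25608 PROTO=UDP SPT=58128 DPT=2223 LEN=80
May  2 17:00:52 cherubim kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:11:eb:da:8a:08:00 SRC=76.70.99.36 DST=255.255.255.255 LEN=154 TOS=0x00 PREC=0x00 TTL=128 ID=15641 PROTO=UDP SPT=17500 DPT=17500 LEN=134
May  2 17:01:14 cherubim kernel: denylog:IN=eth1 OUT= MAC=00:0e:2e:6e:68:0c:00:90:1a:41:fa:56:08:00 SRC=187.117.124.161 DST=74.14.1.252 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=22412 DF PROTO=TCP SPT=54795 DPT=63061 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# KEY=VALUE tokens; OUT= has an empty value, so the value part may be empty.
KV_RE = re.compile(r"(\w+)=(\S*)")

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def parse_denylog(line):
    """Return the KEY=VALUE fields after 'denylog:' as a dict, or None if the
    line is not a denylog record (assumed field layout: as in the log above)."""
    if "denylog:" not in line:
        return None
    fields = line.split("denylog:", 1)[1]
    rec = {}
    for key, val in KV_RE.findall(fields):
        # The kernel prints LEN twice: IP total length first, then the UDP
        # payload length.  Keep the second one under a separate name.
        if key == "LEN" and "LEN" in rec:
            key = "L4_LEN"
        rec[key] = val
    # Bare flags such as DF or SYN carry no '=' and are collected separately.
    rec["FLAGS"] = [tok for tok in fields.split() if "=" not in tok]
    return rec


def is_broadcast(rec):
    """True when the frame was a broadcast, i.e. not aimed at this host."""
    dst = ipaddress.ip_address(rec["DST"])
    return dst == LIMITED_BROADCAST or rec["MAC"].startswith(BROADCAST_MAC)


def summarize(log_text):
    """Count broadcast vs directed denied packets, tally PROTO/DPT pairs and
    record which sources sent packets directly to this host."""
    summary = {
        "broadcast": 0,
        "directed": 0,
        "ports": Counter(),
        "directed_sources": Counter(),
    }
    for line in log_text.splitlines():
        rec = parse_denylog(line)
        if rec is None:
            continue
        summary["ports"][f'{rec.get("PROTO")}/{rec.get("DPT")}'] += 1
        if is_broadcast(rec):
            summary["broadcast"] += 1
        else:
            summary["directed"] += 1
            summary["directed_sources"][rec["SRC"]] += 1
    return summary


if __name__ == "__main__":
    # Read the real log from stdin when one is piped in, else use the sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    s = summarize(text)
    print(f"broadcast: {s['broadcast']}  directed: {s['directed']}")
    for port, n in s["ports"].most_common():
        print(f"  {port:>12}: {n}")
    for src, n in s["directed_sources"].most_common():
        print(f"  directed from {src}: {n}")
```

Run as `grep denylog /var/log/messages | python3 denylog_summary.py` to see how much of the volume is broadcast chatter from neighbours on the same ISP segment and how much was actually addressed to the server. The directed-source tally is the part worth looking at: a handful of broadcast ports (17500, 2222/2223, 1211) repeating from many nearby addresses is just a busy segment, whereas one remote address sending SYNs to many different DPT values is a scan and belongs in a different category from the noise.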

pssl
Re: Interpreting Denylog message.
« Reply #2 on: May 03, 2010, 05:14:41 AM »
Thanks for the reply.  Any idea why I didn't see all these messages with my previous ISP?

janet
Re: Interpreting Denylog message.
« Reply #3 on: May 03, 2010, 12:36:19 PM »
pssl

Quote
SME version: 6.5 (I know, I should upgrade...but that would require a hardware upgrade, which I can't get to right now).

You are worried about a few denylog messages and broadcast packets, but are not worried about the security weaknesses in sme6.5, which seems puzzling to me.
sme7.4 will still run on the same hardware your sme6.5 server is running on. I have one light duty server on a Celeron 500 with 512Mb RAM, running just nicely.
Using server manager may be a little slower, and system reconfiguration takes a little longer, but speed of operation will be pretty much the same.

You can easily adjust throughput settings of mail and antivirus if necessary to keep within your current server's memory & processor limits etc.
I would upgrade, there are many improvements in sme 7.x.
Put the CD in and follow the warnings on the wiki about upgrading.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

pssl
Re: Interpreting Denylog message.
« Reply #4 on: May 03, 2010, 01:20:55 PM »
mary,

Thanks for your reply.

I am indeed concerned about 6.5 and the last time I tried to upgrade on my current hardware it wouldn't load, but that was a while ago so maybe 7 would go.

I hate dicking with it because I'm not so techno that if things mess up I can easily fix them.  Both my wife and I need the server up and running because we work from home.  So if I break it and it takes me days to fix it, then we are SOL.  So, I've more or less taken an if-it-ain't-broke-don't-fix-it approach to the server.  I know I have to do it eventually but I'm loath to do so.  The other reason for upgrading the hardware is that I can work on the new machine until I get it working, then just swap it in.

If the denylog messages are normal then no problem.  I understand they are just broadcast messages.  I still don't understand why I'm getting so many more with the new ISP.  Anyway, I was concerned more with putting 86400 messages a day into the logs.

When you "easily adjust throughput settings of mail", is that in the manual?  I don't recall seeing it.  How do I do it?

janet
Re: Interpreting Denylog message.
« Reply #5 on: May 03, 2010, 04:45:05 PM »
pssl

If you have a spare disk and follow this method (which is created and recommended by developers)
http://wiki.contribs.org/UpgradeDisk
you can upgrade without affecting or changing the contents of your existing hard disk.
If all goes well, then good, you have upgraded successfully.
If you have hard to resolve issues, then just plug the old drive back in and you are back to your original sme 6.5 setup.


Quote
When you "easily adjust throughput settings of mail", is that in the manual?  I don't recall seeing it.  How do I do it?

There are concurrency settings for qmail and qpsmtpd (in sme7.x). There were similar settings in 6.x IIRC.
Pretty sure they are now controlled by db settings.

At a quick glance they seem to be missing from here
http://wiki.contribs.org/DB_Variables_Configuration
Search on concurrencyremote and concurrencylocal & qpsmtpd
Search on qmail for the other commands
I don't have them accessible at the moment, but they are on the forums in older posts going back a year or two or three etc.

You can also configure htbwondershaper to control mail bandwidth usage, see the Howtos and there is a contrib in the smecontribs repo.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.