Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Kirk Ferguson on October 04, 2003, 02:42:03 AM
-
Hello. I'm having a rather strange problem with my 5.6 server. The message log is filling up very rapidly with messages like these:
Oct 3 15:29:53 buffy kernel: IN=eth1 OUT=eth1 SRC=209.94.88.197 DST=209.94.64.1 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=18810 DF PROTO=UDP SPT=1672 DPT=53 LEN=52
Oct 3 15:29:53 buffy kernel: IN=eth1 OUT=eth1 SRC=209.94.88.197 DST=209.94.64.1 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=18833 DF PROTO=UDP SPT=9715 DPT=53 LEN=52
Oct 3 15:29:53 buffy kernel: IN=eth1 OUT=eth1 SRC=209.94.88.197 DST=209.94.64.1 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=18833 DF PROTO=UDP SPT=26945 DPT=53 LEN=52
Oct 3 15:29:55 buffy kernel: IN=eth1 OUT=eth1 SRC=209.94.88.197 DST=209.94.64.1 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=19039 DF PROTO=UDP SPT=55366 DPT=53 LEN=52
At 3 - 4 entries per second, ~600k per hour, this is a significant problem. The SRC and DST addresses are other machines on my ISP's segment (not mine). Can anyone suggest why I am logging what appear to be DNS exchanges between two remote devices?
Thanks,
Kirk
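As an added triage example (not code from the original thread or from SME Server), here is a small Python parser for the kernel log format quoted above. It separates packets that involve the logging host or its LAN from "transit" packets where neither SRC nor DST is local, and counts entries per second and per transit flow so the noisiest one stands out. The host's external address and LAN range are hypothetical, and the sample lines are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: two of the quoted transit lines plus one inbound and one LAN-forwarded packet.
SAMPLE_LOG = """\
Oct 3 15:29:53 buffy kernel: IN=eth1 OUT=eth1 SRC=209.94.88.197 DST=209.94.64.1 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=18810 DF PROTO=UDP SPT=1672 DPT=53 LEN=52
Oct 3 15:29:53 buffy kernel: IN=eth1 OUT=eth1 SRC=209.94.88.197 DST=209.94.64.1 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=18833 DF PROTO=UDP SPT=9715 DPT=53 LEN=52
Oct 3 15:29:55 buffy kernel: IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=4444 DPT=25 SYN
Oct 3 15:29:55 buffy kernel: IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40000 DPT=80 SYN
"""

# Hypothetical addresses for the logging host: its own external IP and its LAN range.
LOCAL_ADDRS = {ip_address("203.0.113.10")}
LAN_NET = ip_network("192.168.1.0/24")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Split a netfilter log line into its KEY=VALUE fields plus the syslog timestamp."""
    if "kernel:" not in line:
        return None
    prefix, rest = line.split("kernel:", 1)
    fields = {}
    for key, value in FIELD_RE.findall(rest):
        fields.setdefault(key, value)   # keep the first LEN= (the IP total length)
    fields["timestamp"] = " ".join(prefix.split()[:3])
    return fields

def classify(fields):
    """'transit' means neither SRC nor DST belongs to this host or its LAN."""
    src, dst = ip_address(fields["SRC"]), ip_address(fields["DST"])
    is_local = lambda a: a in LOCAL_ADDRS or a in LAN_NET
    if not is_local(src) and not is_local(dst):
        return "transit"
    return "inbound" if fields.get("OUT", "") == "" else "forwarded"

def summarize(text):
    """Count packets by class, by second, and per transit flow (IN, OUT, SRC, DST, PROTO, DPT)."""
    classes, per_second, flows = Counter(), Counter(), Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if not f or "SRC" not in f or "DST" not in f:
            continue
        cls = classify(f)
        classes[cls] += 1
        per_second[f["timestamp"]] += 1
        if cls == "transit":
            flows[(f["IN"], f["OUT"], f["SRC"], f["DST"], f.get("PROTO"), f.get("DPT"))] += 1
    return {"classes": classes, "per_second": per_second, "transit_flows": flows}
```

`summarize(open("/var/log/messages").read())` gives the per-second peak and the busiest transit flow, which is what you would take to the ISP when the log shows traffic between two addresses that are not yours.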
-
Yes, I'm getting the same messages as well. They are the result of a virus attempting unsuccessfully to connect to machines on your LAN.
Regards,
Greg Zartman
-
Try installing acid-snort-guardian.
It will prevent repeated attempts from the same IP for at least 24 hours by blocking packets from the offending source IP, preventing bandwidth waste and giving you a full activity report, graphical charts, etc.
There are many references to the RPM contrib and howtos in these forums.
Maybe a search for acid snort guardian will give a "too many matches" result. ;-)
-
Do you have any suggestion how to stop logging all this? I've tried using iptables to drop all traffic from the source address, but since the traffic is not actually addressed to my IP, that doesn't work.
It seems as though my server is listening in promiscuous mode to traffic on the whole segment. Strange.
Thanks,
Kirk
-
Hi Alejandro,
I had snort/acid/guardian installed previously, but removed it a few months ago after I started having the rules problems discussed in this thread:
http://forums.contribs.org/index.php?topic=7893.msg29228#msg29228
Kirk
-
Ok, thanks for the info.
I've been using it for about two months without any kind of trouble, but maybe I'm a lucky newbie.
;-)