Re: Newbie Admin: Query about xconsole output

To: "Heisler, Aaron" <aaronh@jetsuite.com>
Cc: debian-security@lists.debian.org
Subject: Re: Newbie Admin: Query about xconsole output
From: Peter Cordes <peter@llama.nslug.ns.ca>
Date: Tue, 28 Mar 2000 02:30:46 -0400
Message-id: <[🔎] 20000328023046.C21398@llama.nslug.ns.ca>
In-reply-to: <[🔎] 4.3.2.20000327095432.00cd5c90@mail.jetsuite.com>; from aaronh@jetsuite.com on Mon, Mar 27, 2000 at 10:00:23AM -0800
References: <[🔎] 4.3.2.20000327095432.00cd5c90@mail.jetsuite.com>

On Mon, Mar 27, 2000 at 10:00:23AM -0800, Heisler, Aaron wrote:

> Good morning, all...  I expect that this is the correct forum for
> this question, but if not, please point me in the right direction?
>
> I am working my way through an implementation of David Ranch's
> TrinityOs installation, with my own modifications for Debian.
> After locking down inet.d, and implementing a strong rc.firewall
> (similar to the one used in the IPCHAINS Howto), I have been
> receiving the following xconsole output fairly regularly:
> 
> -------------------------------------------------------------
> 
> Mar 27 09:49:20 trinos in.qpopper[26080]: connect from bran
> Mar 27 09:49:20 trinos tcplogd: pop-3 connection attempt from unknown@bran 
> [192.168.101.209]
> Mar 27 09:50:20 trinos icmplogd: destination unreachable from trinos 
> [192.168.101.30]
> 
> -------------------------------------------------------------
> 
> My network infrastructure looks like this:
> 
> 	|- 192.168.101.0 (External LAN)
> 	|
> 	| |- 192.168.101.30 (External TrinOS Interface)-|
> 	| |						|
> 	|-|	{trinos}				|
> 	| |						|
> 	| |- 192.168.180.1 (Internal TrinOS Interface) -|
> 	|
> 	|- 192.168.180.0 (Internal LAN)
> 
> I have an external machine (bran, 192.168.101.209) checking POP e-mail
> every few minutes, but why does the above resemble an error message?  Do
> I have something incorrectly configured (within the rc.firewall?), or am
> I misreading this?

 You're not misreading it.  You are reading too much into it, though.
tcplogd simply logs all TCP connection attempts, succesful or not, by
sniffing incoming traffic for SYN packets. (I think that's how it does it :)
It doesn't know what the listening process does with the connection.  In
fact, it doesn't even know there whether there is a listening process on
that port, so I think it even prints connection attempt messages for incoming
packets to closed ports.

 I think the ICMP host unreachable is being generated because your machine
(trinos) tries to connect to identd (the auth port) on bran.  Your tcplogd
printed "unknown@bran", indicating that it was the process trying to make an
ident request.  (you can turn off this behaviour).  I didn't think 
closed ports normally generated ICMP traffic, but I don't know.  Go look it
up in an RFC if it bugs you.

-- 
#define X(x,y) x##y
DUPS Secretary ; http://is2.dal.ca/~dups/
Peter Cordes ;  e-mail: X(peter@cordes.phys. , dal.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE

Reply to:

References:
- Newbie Admin: Query about xconsole output
  - From: aaronh@jetsuite.com (Heisler, Aaron)

Prev by Date: Re: One Time Password support in debian
Previous by thread: Newbie Admin: Query about xconsole output
Index(es):
- Date
- Thread