That was brought up to the list by me; I finally followed Charly Brady's advice and solved it. It 
only comes up if you have other users on your external interface sending netbios-ns, 
netbios-dgm or route protocol messages.

I attached my last response to Charly Brady, who helped me put together some new 
"custom-templates" for denying those protocol messages.

Michael Jung


> -----Original Message-----
> From: PeeKay [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, January 20, 2001 12:55 AM
> To: [EMAIL PROTECTED]
> Subject: [e-smith-devinfo] beta3 log files
> 
> 
> 
> I don't know if this has been brought up before, but the log files
> seem to be messed up. The information that it is spitting out is not
> very useful. I liked it better when you could tell when someone was trying
> to telnet, ftp, etc. to your boxen. Here is a list of my log files with
> the type of logs it's keeping:
> 
> 
> [root@yojimbo log]# ls -al
> total 16676
> drwxr-xr-x    7 root     root         4096 Jan 17 15:19 .
> drwxr-xr-x   18 root     root         4096 Jan 16 14:10 ..
> -rw-------    1 root     root        10177 Jan 17 15:16 boot.log
> -rw-------    1 root     root        36495 Jan 19 14:30 cron
> -rw-r--r--    1 root     root         2671 Jan 16 14:25 dmesg
> drwxr-sr-x    2 root     root         4096 Jan 12 22:35 flexbackup
> drwxr-xr-x    2 root     root         4096 Jan 16 12:48 httpd
> -rw-r--r--    1 root     root      1460584 Jan 19 14:34 lastlog
> -rw-------    1 root     root        27483 Jan 19 00:31 maillog
> -rw-------    1 root     root     16700870 Jan 19 14:35 messages
> -rw-rw-rw-    1 mysql    mysql      161755 Jan 19 00:31 mysqld.log
> drwx--S---    2 qmaill   nofiles      4096 Jan 16 14:31 qmail
> drwx------    2 root     root         4096 Jan 16 14:31 samba
> -rw-------    1 root     root        28641 Jan 19 00:31 secure
> -rw-------    1 root     root            0 Jan 16 14:06 spooler
> drwxr-x---    2 squid    squid        4096 Jan 16 14:31 squid
> -rw-rw-r--    1 root     utmp         9984 Jan 19 14:34 wtmp  
> 
> If I am reading that right, does that not say that messages is 16
> megs already? This is only after it's been up for 3 days.
> 
> [root@yojimbo log]# tail messages
> Jan 19 16:40:50 yojimbo kernel: Packet log: denylog DENY eth1 PROTO=1 10.10.1.11:10 255.255.255.255:0 L=28 S=0x00 I=33600 F=0x0000 T=64 (#1)
> Jan 19 16:40:51 yojimbo kernel: Packet log: denylog DENY eth1 PROTO=17 24.1.214.194:631 24.1.215.255:631 L=142 S=0x00 I=0 F=0x4000 T=64 (#1)
> Jan 19 16:40:55 yojimbo kernel: Packet log: denylog DENY eth1 PROTO=1 24.1.212.200:10 224.0.0.2:0 L=28 S=0x00 I=4 F=0x0000 T=128 (#1)
> Jan 19 16:40:57 yojimbo kernel: Packet log: denylog DENY eth1 PROTO=1 24.1.212.200:10 224.0.0.2:0 L=28 S=0x00 I=13 F=0x0000 T=128 (#1)
> Jan 19 16:41:00 yojimbo kernel: Packet log: denylog DENY eth1 PROTO=1 24.1.212.200:10 224.0.0.2:0 L=28 S=0x00 I=17 F=0x0000 T=128 (#1)
> Jan 19 16:41:07 yojimbo kernel: Packet log: denylog DENY eth1 PROTO=17 24.15.53.199:513 24.15.53.255:513 L=88 S=0x00 I=19435 F=0x0000 T=64 (#1)
> Jan 19 16:41:22 yojimbo kernel: Packet log: denylog DENY eth1 PROTO=17 24.1.214.194:631 24.1.215.255:631 L=142 S=0x00 I=0 F=0x4000 T=64 (#1)
> Jan 19 16:41:33 yojimbo kernel: Packet log: denylog DENY eth1 PROTO=17 24.1.208.33:67 24.1.215.255:68 L=328 S=0x00 I=15374 F=0x0000 T=60 (#1)
> Jan 19 16:41:33 yojimbo kernel: Packet log: denylog DENY eth1 PROTO=17 24.1.208.34:67 24.1.215.255:68 L=328 S=0x00 I=34527 F=0x0000 T=60 (#1)
> Jan 19 16:41:40 yojimbo kernel: Packet log: denylog DENY eth1 PROTO=17 24.1.213.106:513 24.1.255.255:513 L=88 S=0x00 I=39614 F=0x0000 T=64 (#1)
> 
> It's logging these by the second.
> 
> 
> [root@yojimbo log]# tail secure
> Jan 19 02:21:29 yojimbo xinetd[4816]: USERID: imap OTHER :www
> Jan 19 02:21:29 yojimbo xinetd[795]: EXIT: imap pid=4816 duration=0(sec)
> Jan 19 02:26:30 yojimbo xinetd[795]: START: imap pid=4818 from=192.168.1.1
> Jan 19 02:26:30 yojimbo xinetd[795]: START: auth pid=4819 from=192.168.1.1
> Jan 19 02:26:30 yojimbo xinetd[4818]: USERID: imap OTHER :www
> Jan 19 02:26:30 yojimbo xinetd[795]: EXIT: imap pid=4818 duration=0(sec)
> Jan 19 02:31:31 yojimbo xinetd[795]: START: imap pid=4822 from=192.168.1.1
> Jan 19 02:31:31 yojimbo xinetd[795]: START: auth pid=4823 from=192.168.1.1
> Jan 19 02:31:31 yojimbo xinetd[4822]: USERID: imap OTHER :www
> Jan 19 02:31:31 yojimbo xinetd[795]: EXIT: imap pid=4822 duration=0(sec)
> 
> Again, I don't know what this log info is, but it doesn't look too important.
> 
> 
> 
> Also, I was wondering what the file lastlog is for?
> 
> 
> 
> Sorry if this has been covered already. I looked but didn't see it on the
> beta3 update page.
> 
> 
> Thank You
> 
> P-K
> 
> 


Charly, thanks for your help. I implemented the solution you mentioned and it works 
great.
A few remarks for those who try to do it:

> Create yourself a custom template fragment to deny those packets silently.
> 
> cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
> cat > 25IgnoreRIPBroadcast <<EOF
> # deny without logging local RIP broadcasts
> /sbin/ipchains --append input --protocol udp --source 141.51.158.21 route \
>  --destination 141.51.158.255 route --jump deny 

"--jump deny" must be written in capital letters --> "--jump DENY"

> EOF
> /sbin/e-smith/expand-template /etc/rc.d/init.d/masq

Without the "/" in front of the path --> 
/sbin/e-smith/expand-template etc/rc.d/init.d/masq

And I had to delete "/etc/rc.d/init.d/masq" first, because I got several "masq.xxxx" 
files (xxxx = different numbers) after several expand attempts that ended in errors. Take 
care that there are no other files (e.g. 25IgnoreRIPBroadcast~ as a backup file) in the 
directory which will be expanded.

> chmod +x /etc/rc.d/init.d/masq
> /etc/rc.d/init.d/masq restart

Added two more files for netbios-dgm and netbios-ns messages:

25IgnoreNETBIOS-dgmBroadcast:
# deny without logging local Netbios-dgm broadcasts (udp port 138)
/sbin/ipchains --append input --protocol udp --source \
141.51.158.0/255.255.255.0 netbios-dgm --destination 141.51.158.255 netbios-dgm --jump DENY

25IgnoreNETBIOS-nsBroadcast:
# deny without logging local NETBIOS-ns broadcasts (port 137, udp and tcp)
/sbin/ipchains --append input --protocol udp --source \
141.51.158.0/255.255.255.0 netbios-ns --destination 141.51.158.255 netbios-ns --jump DENY
/sbin/ipchains --append input --protocol tcp --source \
141.51.158.0/255.255.255.0 netbios-ns --destination 141.51.158.255 netbios-ns --jump DENY

141.51.158.0 should be your external NIC address. 
I guess the variable "ExternalIP" from /home/e-smith/configuration is also usable 
there, but I didn't try that.

Michael Jung



--
This list is archived
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
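The following script is an added example, not code from e-smith or from anyone on the list. It reads kernel "Packet log:" lines of the kind PeeKay quoted, counts the denied packets by protocol, service and destination class (limited broadcast, multicast, the local subnet's broadcast, or plain unicast), and for the UDP broadcast classes that recur it drafts ipchains rules in the style of the 25Ignore*Broadcast template fragments above. The external subnet 24.1.208.0/21 (broadcast 24.1.215.255), the names parse_line, summarize and silent_deny_rules, and the last three sample lines (two RIP broadcasts and one unicast connection attempt from a documentation-range address) are my assumptions and constructions; the other sample lines are the thread's own entries rejoined onto one line each.

```python
"""Triage ipchains 'Packet log:' entries and draft silent-deny rules.

Added example for this thread (not e-smith code). Assumes the external
interface sits on 24.1.208.0/21 and that service names resolve the way
ipchains reads them from /etc/services.
"""
import ipaddress
import re
from collections import Counter

# Kernel packet-log layout as quoted in the thread. For PROTO=1 (ICMP) the two
# "port" fields carry the ICMP type and code instead of ports.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
PORT_NAMES = {67: "bootps", 68: "bootpc", 137: "netbios-ns", 138: "netbios-dgm",
              513: "who", 520: "route", 631: "ipp"}
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
LOCAL_NET = ipaddress.ip_network("24.1.208.0/21")  # assumed external subnet

# Sample input: the thread's entries rejoined onto one line each, plus three
# constructed lines at the end (two RIP broadcasts, one unicast telnet attempt).
SAMPLE_LOG = """\
Jan 19 16:40:50 yojimbo kernel: Packet log: denylog DENY eth1 PROTO=1 10.10.1.11:10 255.255.255.255:0 L=28 S=0x00 I=33600 F=0x0000 T=64 (#1)
Jan 19 16:40:51 yojimbo kernel: Packet log: denylog DENY eth1 PROTO=17 24.1.214.194:631 24.1.215.255:631 L=142 S=0x00 I=0 F=0x4000 T=64 (#1)
Jan 19 16:40:55 yojimbo kernel: Packet log: denylog DENY eth1 PROTO=1 24.1.212.200:10 224.0.0.2:0 L=28 S=0x00 I=4 F=0x0000 T=128 (#1)
Jan 19 16:41:22 yojimbo kernel: Packet log: denylog DENY eth1 PROTO=17 24.1.214.194:631 24.1.215.255:631 L=142 S=0x00 I=0 F=0x4000 T=64 (#1)
Jan 19 16:41:33 yojimbo kernel: Packet log: denylog DENY eth1 PROTO=17 24.1.208.33:67 24.1.215.255:68 L=328 S=0x00 I=15374 F=0x0000 T=60 (#1)
Jan 19 16:41:33 yojimbo kernel: Packet log: denylog DENY eth1 PROTO=17 24.1.208.34:67 24.1.215.255:68 L=328 S=0x00 I=34527 F=0x0000 T=60 (#1)
Jan 19 16:41:40 yojimbo kernel: Packet log: denylog DENY eth1 PROTO=17 24.1.213.106:513 24.1.255.255:513 L=88 S=0x00 I=39614 F=0x0000 T=64 (#1)
Jan 19 16:41:45 yojimbo kernel: Packet log: denylog DENY eth1 PROTO=17 24.1.208.1:520 24.1.215.255:520 L=52 S=0x00 I=7 F=0x0000 T=64 (#1)
Jan 19 16:42:15 yojimbo kernel: Packet log: denylog DENY eth1 PROTO=17 24.1.208.1:520 24.1.215.255:520 L=52 S=0x00 I=8 F=0x0000 T=64 (#1)
Jan 19 16:42:20 yojimbo kernel: Packet log: denylog DENY eth1 PROTO=6 198.51.100.7:4242 24.1.212.9:23 L=60 S=0x00 I=1 F=0x4000 T=51 (#2)
"""


def parse_line(line):
    """Return a dict for one 'Packet log:' line, or None for unrelated lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("proto", "sport", "dport", "length"):
        entry[key] = int(entry[key])
    return entry


def classify_destination(dst, local_net):
    """Say whether the destination means the packet was aimed at everyone."""
    addr = ipaddress.ip_address(dst)
    if addr == LIMITED_BROADCAST:
        return "limited-broadcast"
    if addr.is_multicast:
        return "multicast"
    if addr == local_net.broadcast_address:
        return "local-broadcast"
    if addr in local_net:
        return "unicast-local"
    if str(addr).endswith(".255"):
        return "directed-broadcast?"  # heuristic: looks like another subnet's broadcast
    return "unicast-other"


def summarize(lines, local_net):
    """Count DENY entries by (protocol, source service, dest service, destination class)."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["action"] != "DENY":
            continue
        proto = PROTO_NAMES.get(entry["proto"], str(entry["proto"]))
        if proto == "icmp":
            sname, dname = "type%d" % entry["sport"], "code%d" % entry["dport"]
        else:
            sname = PORT_NAMES.get(entry["sport"], str(entry["sport"]))
            dname = PORT_NAMES.get(entry["dport"], str(entry["dport"]))
        counts[(proto, sname, dname, classify_destination(entry["dst"], local_net))] += 1
    return counts


def silent_deny_rules(counts, local_net, min_hits=2):
    """Draft ipchains rules (thread style) for recurring UDP broadcast noise only;
    unicast hits are deliberately left alone so they keep being logged."""
    rules = []
    for (proto, sname, dname, cls), hits in sorted(counts.items()):
        if proto != "udp" or hits < min_hits:
            continue
        if cls == "local-broadcast":
            dst = local_net.broadcast_address
        elif cls == "limited-broadcast":
            dst = LIMITED_BROADCAST
        else:
            continue
        rules.append("/sbin/ipchains --append input --protocol udp --source %s %s "
                     "--destination %s %s --jump DENY"
                     % (local_net.with_netmask, sname, dst, dname))
    return rules


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG.splitlines(), LOCAL_NET)
    for key, hits in sorted(counts.items()):
        print("%5d  %s" % (hits, " ".join(key)))
    print()
    print("\n".join(silent_deny_rules(counts, LOCAL_NET)))
```

ipchains walks the input chain in order, so a silent DENY only stops the noise if it sits before the rule that logs and denies; where a fragment's number lands it inside e-smith's masq template is something to check on your own installation. The unicast entry (the constructed telnet attempt) is left out of the generated rules on purpose, since that is exactly the kind of line PeeKay wants to keep seeing in messages.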
