Bryan,

Thanks for your quick reply:

On Thu, 2004-03-04 at 21:01, Bryan Phinney wrote:
> On Thursday 04 March 2004 08:28 pm, Terence Golightly wrote:
> 
> > I get the kernel martian messages but they seem to be emanating from my
> > ISP or another source. I'll post the messages below:
> >
> > kernel              martian source 151.201.29.xxx from 151.201.29.1 on dev eth0
> 
> The first IP is the supposed target of the packets, the second is the supposed 
> source.
> 
> > kernel              ll header:ff:ff:ff:ff:ff:ff:00:08:e3:b9:45:08:06  **Could this
> > be my MAC address



> 
> That is supposed to be the MAC address of the source.  You might be able to 
> use this address to track down the origination of the martian packets.
> 

How might I track this address?

> > 10.0.0.10 is designated in my hosts file as my machine name.
> >
<snip>
> Before you turn off logging of these kinds of messages, you need to be VERY 
> sure that you trust your firewall to be actively blocking and adequately 
> filtering packets.  That is because these types of messages may indicate that 
> someone is spoofing packets while trying to break into your system.
> 


I did notice 1 or 2 like this: Socks5[998]              Auth
Failed:(172.153.8.184:4146)

The port 4146 is closed on my machine.

> If you are pretty sure that the packets are being sourced from internal 
> machines and just showing up on the wrong interface, only then consider 
> turning off logging.

It looks like for some reason my ISP is responsible. See below:
> 
> Figure out what the 151.201.x.x IP is and if it is in your control before you 
> consider turning logging of martian packets off.

Here's a couple of nmap scans I ran a while ago:

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2004-03-04 20:28
EST
All 1644 scanned ports on A1-0-0-711067.DSL-RTR1.PITT2.verizon-gni.net
(151.201.29.1) are: closed

Nmap run completed -- 1 IP address (1 host up) scanned in 13.910 seconds

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2004-03-04 20:29
EST
All 1644 scanned ports on pool-151-201-29-195.pitt.east.verizon.net
(151.201.29.195) are: filtered

Nmap run completed -- 1 IP address (1 host up) scanned in 105.224
seconds

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2004-03-04 20:55
EST
All 1644 scanned ports on AC9908B8.ipt.aol.com (172.153.8.184) are:
filtered

Nmap run completed -- 1 IP address (1 host up) scanned in 1335.952
seconds

Thanks again,

Terry
-- 
I used to have a signature, but I lost it.  My new one is:

IIRC CRS
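
The "martian source" / "ll header" message pairs discussed in this thread can be decoded mechanically. The following is an added example, not part of the original messages: it splits the link-layer header into destination MAC, source MAC and EtherType, and flags a header with fewer than 14 octets (as in the line posted above) as incomplete rather than guessing at the fields. The sample log lines are constructed from documentation-range addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample (RFC 5737 IPs, RFC 7042 documentation MACs); not data from the thread.
SAMPLE_LOG = """\
kernel: martian source 192.0.2.77 from 192.0.2.1 on dev eth0
kernel: ll header: ff:ff:ff:ff:ff:ff:00:00:5e:00:53:01:08:06
kernel: martian source 192.0.2.77 from 198.51.100.9 on dev eth0
kernel: ll header: 00:00:5e:00:53:aa:00:00:5e:00:53:01:08:00
kernel: martian source 192.0.2.77 from 192.0.2.1 on dev eth0
kernel: ll header: ff:ff:ff:ff:ff:ff:00:00:5e:00:53:08:06
"""
MARTIAN = re.compile(r"martian source (\S+) from ([\d.]+),? on dev (\S+)")
LL_HDR = re.compile(r"ll header:\s*([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*)")
ETHERTYPES = {"0800": "IPv4", "0806": "ARP"}

def parse_ll_header(hex_str):
    """Split an Ethernet header: 6 octets dst MAC, 6 src MAC, 2 EtherType."""
    octets = hex_str.lower().split(":")
    if len(octets) != 14:  # truncated or redacted: do not guess field boundaries
        return {"complete": False, "octets": len(octets)}
    etype = "".join(octets[12:])
    return {"complete": True, "dst_mac": ":".join(octets[:6]),
            "src_mac": ":".join(octets[6:12]),
            "ethertype": ETHERTYPES.get(etype, "0x" + etype),
            "broadcast": octets[:6] == ["ff"] * 6}

def parse_martians(text):
    """Pair each 'martian source' line with the 'll header' line after it."""
    events, pending = [], None
    for line in text.splitlines():
        m, h = MARTIAN.search(line), LL_HDR.search(line)
        if m:
            pending = {"target_ip": m.group(1), "claimed_src_ip": m.group(2),
                       "dev": m.group(3), "ll": None}
            events.append(pending)
        elif h and pending is not None:
            pending["ll"] = parse_ll_header(h.group(1))
            pending = None
    return events

def ips_by_source_mac(events):
    """Group claimed source IPs by the on-link MAC that put the frames on the wire."""
    seen = defaultdict(set)
    for e in events:
        if e["ll"] and e["ll"]["complete"]:
            seen[e["ll"]["src_mac"]].add(e["claimed_src_ip"])
    return {mac: sorted(ips) for mac, ips in seen.items()}

print(ips_by_source_mac(parse_martians(SAMPLE_LOG)))
```

One MAC appearing behind several claimed source IPs points at a single device on the local segment, typically the upstream router, as the last hop for all of those packets.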

