RE: [expert] ipchains logging

2000-08-29 Thread Tony Smith

Hi David,

> Resending without the stupid HTML attachments, shame on me!
> >> Out of curiosity, what command are you using to restart klogd?
>  I think >>I have the same problem with one of my boxes.
> >
> >/etc/rc.d/init.d/syslog restart
> >
> >kill -HUP does not do the trick.
>
> It has been my experience that 'kill -HUP syslogd' actually
> CAUSES klogd to stop working in both stock 7.0 and 7.1.
>
> By default klogd sends its output to the syslog and it doesn't
> seem to like syslogd being restarted, only stopping and starting
> klogd will get it going again (klogd halts on a SIGHUP).  Issuing
>  '/etc/rc.d/init.d/syslog restart' fixes the problem because it
> stops and starts syslogd and klogd in turn.
>
> So, it is a possibility that your problem arises from  'killall
> -HUP syslogd' getting called via cron scripts or elsewhere.  The
> syslog logrotate file is one culprit.  If you make no alteration
> to the default cron/logrotate scripts, then kernel logging will
> work ok from boot until the first weekend and then stop working
> until klogd is restarted.
>
> Getting klogd to log direct to a file might be worth trying too,
> (klogd -f file).
>

At last an explanation! Thanks for this, I'll adjust my cron jobs
accordingly.

Regards,

Tony





RE: [expert] ipchains logging

2000-08-25 Thread David McCreary

Resending without the stupid HTML attachments, shame on me!
>> Out of curiosity, what command are you using to restart klogd?  I think >>I have 
>the same problem with one of my boxes.
>
>/etc/rc.d/init.d/syslog restart
>
>kill -HUP does not do the trick.

It has been my experience that 'kill -HUP syslogd' actually CAUSES klogd to stop 
working in both stock 7.0 and 7.1.

By default klogd sends its output to the syslog and it doesn't seem to like syslogd 
being restarted, only stopping and starting klogd will get it going again (klogd halts 
on a SIGHUP).  Issuing  '/etc/rc.d/init.d/syslog restart' fixes the problem because it 
stops and starts syslogd and klogd in turn.

So, it is a possibility that your problem arises from  'killall -HUP syslogd' getting 
called via cron scripts or elsewhere.  The syslog logrotate file is one culprit.  If 
you make no alteration to the default cron/logrotate scripts, then kernel logging will 
work ok from boot until the first weekend and then stop working until klogd is 
restarted.

Getting klogd to log direct to a file might be worth trying too, (klogd -f file).

Regards,

David
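A way to check for the rotation setup David describes, as an added example written for this page rather than anything posted to the list or shipped by the distribution: it scans a logrotate entry's postrotate block for a bare `killall -HUP syslogd` (which, per the thread, leaves klogd halted) and reports it, next to the corrected entry that restarts the init script so both daemons come back. The two entry texts are constructed samples and `audit_postrotate` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the thread: audit a logrotate entry for a postrotate
# that only HUPs syslogd, which (per the thread) halts klogd on stock 7.0/7.1.

# Constructed sample of the kind of /etc/logrotate.d/syslog entry described,
# with the postrotate action that stops kernel logging after the first rotation.
WEAK_ENTRY='/var/log/messages {
    weekly
    postrotate
        /usr/bin/killall -HUP syslogd
    endscript
}'

# Corrected form: restart the syslog init script, which stops and starts
# syslogd and klogd in turn, instead of signalling syslogd alone.
FIXED_ENTRY='/var/log/messages {
    weekly
    postrotate
        /etc/rc.d/init.d/syslog restart
    endscript
}'

# audit_postrotate ENTRY_TEXT
# Prints "unsafe" when the postrotate block sends SIGHUP to syslogd and does
# nothing to bring klogd back, "safe" otherwise.
audit_postrotate() {
    block=$(printf '%s\n' "$1" | sed -n '/^[[:space:]]*postrotate/,/^[[:space:]]*endscript/p')
    # The risky pattern: kill/killall with -HUP (or -1) aimed at syslogd,
    # whether by name or via its pid file.
    if printf '%s\n' "$block" | grep -Eq 'kill(all)?[[:space:]]+-(HUP|1)[[:space:]]+.*syslogd'; then
        # Acceptable only if the same block also restarts klogd or the whole service.
        if printf '%s\n' "$block" | grep -Eq 'klogd|init\.d/syslog[[:space:]]+restart'; then
            echo safe
        else
            echo unsafe
        fi
    else
        echo safe
    fi
}

printf 'weak entry:  %s\n' "$(audit_postrotate "$WEAK_ENTRY")"
printf 'fixed entry: %s\n' "$(audit_postrotate "$FIXED_ENTRY")"
```

Run against the real files under `/etc/logrotate.d/` by passing `"$(cat /etc/logrotate.d/syslog)"` to the function; a block that HUPs syslogd by pid file and then separately HUPs klogd is reported as safe, since the klogd restart is what the thread identifies as the missing step.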






RE: [expert] ipchains logging

2000-08-25 Thread Tony Smith

> Sorry I couldn't be of any better help... but at least you've succeeded in
> figuring out exactly what's not working.

Thanks anyway.

> Maybe you can just add klogd to the cron.daily and cron restart
> it for you.

That's what I've done. Seems to be working fine.

> I have no idea why klogd should fail so regularly...I haven't been paying
> attention to my MDK messages, since my firewall is a RH box. klogd doesn't
> crap out in RH, not at least the installs I've had experience with.

Maybe I should grab the RH klogd. I might just do that at some point and see
if it works, but I've got a lot on at the moment so it will have to wait.

Regards,

Tony





RE: [expert] ipchains logging

2000-08-25 Thread Tony Smith

> Out of curiosity, what command are you using to restart klogd?  I think I
> have the same problem with one of my boxes.

/etc/rc.d/init.d/syslog restart

kill -HUP does not do the trick.

Tony




Re: [expert] ipchains logging

2000-08-24 Thread Greg Stewart

Sorry I couldn't be of any better help... but at least you've succeeded in
figuring out exactly what's not working.

Maybe you can just add klogd to the cron.daily and cron restart it for you.
I have no idea why klogd should fail so regularly...I haven't been paying
attention to my MDK messages, since my firewall is a RH box. klogd doesn't
crap out in RH, not at least the installs I've had experience with.

I wonder if it's something in the MDK implementation/config...but I have no
clue.

It's a cheap fix, but I guess it'll work nonetheless.

--Greg
>
> Well the bad news is that after about 4 days, even with the latest klogd and
> kernel 2.2.16-9mdksecure, DENY packet messages stop being logged. The good
> news is that I've isolated the problem to klogd since restarting that
> restarts the messages.
>
> Looks like I'll just restart it every night for now.
>
> Thanks for all the help.
>
> Tony
> ===
> Tony Smith
> Email: [EMAIL PROTECTED]
> ===
>
>

 
__
message sent from http://www.ifrance.com
e-mail (POP) - personal sites (unlimited space) - calendar - favourites (bookmarks) - forums
Listen to this message by phone: 08 92 68 92 15 (France only)






RE: [expert] ipchains logging

2000-08-24 Thread Zaleski, Matthew (M.E.)

Out of curiosity, what command are you using to restart klogd?  I think I
have the same problem with one of my boxes.

Matt

> -Original Message-
> From: Tony Smith [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 24, 2000 9:43 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [expert] ipchains logging
> 
> 
> > Hi Greg,
> >
> > > Hey, I've just realised something...
> > >
> > > For a while after my firewall comes up, I get a few logged DENY
> > > packet, and
> > > an occasional portsentry attack alert, but after some 
> time, the network
> > > seems to go very quiet. I had checked my machine from work this
> > afternoon,
> > > and nothing was recorded since last nite.
> > >
> > > So, I decided to force a response and I telnetted into my 
> machine. This
> > > triggered the firewall and it logged the DENY packets.
> >
> > I tried this a while back, and my machine *didn't* log the 
> DENY records.
> >
> > > Now, my situation may actually be nothing like yours... 
> but I wonder if
> > > your area of the network quiets down a bit (ie: stops pounding
> > you if they
> > > no one can really see your machine)?
> > >
> > > Any thoughts? How did the new rpms work? Have you tried them?
> >
> > So far, so good. I want to give it a few more days before I
> > declare it resolved, but I'm still getting the messages since I
> > upgraded the sysklogd package. I'll let you know towards the end
> > of the week.
> >
> 
> Well the bad news is that after about 4 days, even with the 
> latest klogd and
> kernel 2.2.16-9mdksecure, DENY packet messages stop being 
> logged. The good
> news is that I've isolated the problem to klogd since restarting that
> restarts the messages.
> 
> Looks like I'll just restart it every night for now.
> 
> Thanks for all the help.
> 
> Tony
> ===
> Tony Smith
> Email: [EMAIL PROTECTED]
> ===
> 
> 
> 




RE: [expert] ipchains logging

2000-08-24 Thread Tony Smith

> Hi Greg,
>
> > Hey, I've just realised something...
> >
> > For a while after my firewall comes up, I get a few logged DENY
> > packet, and
> > an occasional portsentry attack alert, but after some time, the network
> > seems to go very quiet. I had checked my machine from work this
> afternoon,
> > and nothing was recorded since last nite.
> >
> > So, I decided to force a response and I telnetted into my machine. This
> > triggered the firewall and it logged the DENY packets.
>
> I tried this a while back, and my machine *didn't* log the DENY records.
>
> > Now, my situation may actually be nothing like yours... but I wonder if
> > your area of the network quiets down a bit (ie: stops pounding
> you if they
> > no one can really see your machine)?
> >
> > Any thoughts? How did the new rpms work? Have you tried them?
>
> So far, so good. I want to give it a few more days before I
> declare it resolved, but I'm still getting the messages since I
> upgraded the sysklogd package. I'll let you know towards the end
> of the week.
>

Well the bad news is that after about 4 days, even with the latest klogd and
kernel 2.2.16-9mdksecure, DENY packet messages stop being logged. The good
news is that I've isolated the problem to klogd since restarting that
restarts the messages.

Looks like I'll just restart it every night for now.

Thanks for all the help.

Tony
===
Tony Smith
Email: [EMAIL PROTECTED]
===





RE: [expert] ipchains logging

2000-08-21 Thread Tony Smith

Hi Greg,

> Hey, I've just realised something...
>
> For a while after my firewall comes up, I get a few logged DENY
> packet, and
> an occasional portsentry attack alert, but after some time, the network
> seems to go very quiet. I had checked my machine from work this afternoon,
> and nothing was recorded since last nite.
>
> So, I decided to force a response and I telnetted into my machine. This
> triggered the firewall and it logged the DENY packets.

I tried this a while back, and my machine *didn't* log the DENY records.

> Now, my situation may actually be nothing like yours... but I wonder if
> your area of the network quiets down a bit (ie: stops pounding you if they
> no one can really see your machine)?
>
> Any thoughts? How did the new rpms work? Have you tried them?

So far, so good. I want to give it a few more days before I declare it
resolved, but I'm still getting the messages since I upgraded the sysklogd
package. I'll let you know towards the end of the week.

Thanks for the help,

Tony





Re: [expert] ipchains logging

2000-08-18 Thread Greg Stewart

Hey, I've just realised something...

For a while after my firewall comes up, I get a few logged DENY packet, and
an occasional portsentry attack alert, but after some time, the network
seems to go very quiet. I had checked my machine from work this afternoon,
and nothing was recorded since last nite.

So, I decided to force a response and I telnetted into my machine. This
triggered the firewall and it logged the DENY packets.

Now, my situation may actually be nothing like yours... but I wonder if
your area of the network quiets down a bit (ie: stops pounding you if they
no one can really see your machine)?

Any thoughts? How did the new rpms work? Have you tried them?

--Greg



> > You've gotten Logcheck from Psionic, did you also get (and install)
> > Portsentry?
>
> I certainly did.
>
> > If portsentry was tripped, and added the offending host to the route table
> > and the IP to the /etc/hosts.deny file, no packets will be logged for that
> > host anymore.
>
> 'Fraid not. No-one's got through the firewall to PortSentry. Nothing has
> been added to either /etc/portsentry/portsentry.blocked.atcp or
> /etc/portsentry/portsentry.blocked.audp so no-one's tripped it. Also I
have
> PortSentry configured so that it's using ipchains, not TCP wrappers, and
the
> ipchains rule it uses to block intruders includes the -l flag.
>
> > Or, is it that DENY packet logging stops altogether for ALL
> > offenders after
> > a while?
>
> That's the sucker! A reboot cures it briefly, but you know how us Linux
> peeps hate reboots ;-)
>
> Thanks,
>
> Tony
>
>







RE: [expert] ipchains logging

2000-08-18 Thread Tony Smith

> I can't remember where, but I know that I *did* hear/read sometime in the
> very near past about something being buggy about syslogd--don't know if it
> was a version problem or an install problem (or whatever else...)
>
> Have you tried stopping syslog and doing an rpm -Uvh
> or maybe an rpm -i --replacepkgs   on the syslogd rpm? I don't see an
> update for it, so I don't think the version itself is buggy, but maybe
> something happened at some point with your install of the daemon.

Did an rpm --verify on the package and it all looks OK. I've now upgraded to
the version used in 7.1 so I'll see how that goes but restarting my 7.0
syslogd and klogd had no effect.

Thanks anyway.

Tony





Re: [expert] ipchains logging

2000-08-18 Thread Denis Havlik

Sorry, John...

This time it is not sympa, it is our mailserver, DNS and god knows what
else not playing nice, and believe me I'm quite pissed off myself
too. Charles has promised that at least the DNS problem should be solved
"soon", but there is basically nothing I can do at the moment :-(

I really do not understand it: sympa picks up the mail, gives it to
postfix, and postfix is supposed to deliver it.

This recipe:

# We will not tolerate any X-Loop-s!
:0:
* X-Loop:.*\@(linux\-mandrake|mandrakesoft)\.com
 mail/Xloop

should strike in case of the loops, and there is no chance of
sympa-caused dupes because its queue is empty. (Hm, maybe I'm wrong on
this one... But I have never seen much more than 2-3 messages in the queue
since I switched to a new server, so if sympa dies it should at least not
cause MANY dupes.) 

In short, I do not understand what is going on, and prefer to hack on
mandrakeforum.com at the moment than kill myself looking at mailserver
gone mad. When Charles tells me that our DNS entry is OK, I'll look at it
again.

###
I wrote the text above yesterday. Today, the mailserver seems to be working
very nicely for the first time since we made a switch. But DNS is still
troublesome:

...
Aug 18 03:55:33 yavin
postfix/smtp[10490]: D9E111CE6E: to=<[EMAIL PROTECTED]>,
relay=tdwarf.arc.nasa.gov[128.102.217.54], delay=28725, status=deferred
(host tdwarf.arc.nasa.gov[128.102.217.54] said: 450 Client host
rejected: cannot find your hostname, [63.209.80.226])
...
## 

In the meantime, I have (partially) hacked in the  e-mail notification for
the "mandrakeforum.com". So far, following works:

1) answers to your own posts are forwarded to you
2) mailing list where all forum-topics go ([EMAIL PROTECTED])
  
Forum is still experimental, buggy, and its machine can not handle
much load, but it is much more fun than mailing lists, I like working on
it, and it does not cause any mail-loops or bounces. :-b

cu
Denis 

:~>On Thu, 17 Aug 2000, you wrote:
:~>> I've noticed the same thing. I checked out www.mandrax.org and it says 
:~>> Welcome to Linux-Mandrake Website
:~>> but goes into a refresh loop
:~>> 
:~>And I keep getting bounce messages from a UK server stating first
:~>that "[EMAIL PROTECTED]" doesn't exist and now that
:~>"[EMAIL PROTECTED]" doesn't exist! *sigh* 
:~>
:~>I hate to say this, 'cause I think Denis is a nice guy and is trying
:~>really hard, but I can't stand the dupe loops, so I think I'm gonna
:~>sign back off this list!
:~>
:~>Denis, would you be kind enough to let me know when you've got the
:~>bounce messages and dupe messages problem fixed? I get MORE than
:~>enough mail here w/o getting dupes! :-(
:~>
:~>Thanks... and maybe I'll try Mandrake 7.2 (or whatever the next
:~>version is! ) when it comes out now that y'all have a
:~>TOTALLY separate release version under your belts. :-)
:~> John
:~>

-- 
-
Dr. Denis Havlik
Mandrakesoft||| e-mail: [EMAIL PROTECTED]
Quality Assurance  (@ @)(private: [EMAIL PROTECTED])
---oOO--(_)--OOo-
The mailserver is on strike. It wants better working conditions,
paid days off and a female connector. ([EMAIL PROTECTED])







Re: [expert] ipchains logging

2000-08-17 Thread Greg Stewart

I can't remember where, but I know that I *did* hear/read sometime in the
very near past about something being buggy about syslogd--don't know if it
was a version problem or an install problem (or whatever else...)

Have you tried stopping syslog and doing an rpm -Uvh
or maybe an rpm -i --replacepkgs   on the syslogd rpm? I don't see an
update for it, so I don't think the version itself is buggy, but maybe
something happened at some point with your install of the daemon.

--Greg



> > You've gotten Logcheck from Psionic, did you also get (and install)
> > Portsentry?
>
> I certainly did.
>
> > If portsentry was tripped, and added the offending host to the route table
> > and the IP to the /etc/hosts.deny file, no packets will be logged for that
> > host anymore.
>
> 'Fraid not. No-one's got through the firewall to PortSentry. Nothing has
> been added to either /etc/portsentry/portsentry.blocked.atcp or
> /etc/portsentry/portsentry.blocked.audp so no-one's tripped it. Also I
have
> PortSentry configured so that it's using ipchains, not TCP wrappers, and
the
> ipchains rule it uses to block intruders includes the -l flag.
>
> > Or, is it that DENY packet logging stops altogether for ALL
> > offenders after
> > a while?
>
> That's the sucker! A reboot cures it briefly, but you know how us Linux
> peeps hate reboots ;-)
>
> Thanks,
>
> Tony
>
>







Re: [expert] ipchains logging

2000-08-17 Thread Ken Thompson

On Thu, 17 Aug 2000, you wrote:
> I've noticed the same thing. I checked out www.mandrax.org and it says 
> Welcome to Linux-Mandrake Website
> but goes into a refresh loop

Here's the offending line causing the loop:
http://www.mandrax.org/en/
It should read:
http://www.linux-mandrake.com/en/
 --  
Ken Thompson
Electrocom Computer Services
Payette, Idaho 83661
1-888-642-7101
Sales - Services - Repair
Web: http://www,nwaa.com
E-Mail: [EMAIL PROTECTED]
Registered Linux User #183936
Driver Petition sig.  # 00063954




Re: [expert] ipchains logging

2000-08-17 Thread Bob

I've noticed the same thing. I checked out www.mandrax.org and it says 
Welcome to Linux-Mandrake Website
but goes into a refresh loop

At 02:43 PM 8/17/2000 +0100, you wrote:
>Why do I keep getting messages from "mandrax.org"? Has the mailing list 
>changed
>in some way that I'm not aware of
>
>
>On Thu, 17 Aug 2000, you wrote:
> > You've gotten Logcheck from Psionic, did you also get (and install)
> > Portsentry?
> >
> > If portsentry was tripped, and added the offending host to the route table
> > and the IP to the /etc/hosts.deny file, no packets will be logged for that
> > host anymore.
> >
> > Or, is it that DENY packet logging stops altogether for ALL offenders after
> > a while?
> >
> > --Greg
> >
> > > Hi,
> > >
> > > There was a thread on this a while back, but after a while ipchains stops
> > > logging denied packet messages to /var/log/messages and it all goes
> > > suspiciously quiet. I know it's not logrotate that's causing the problem
> > > because I'm using Psionic logcheck to scan my logs every 15 minutes and
> > it's
> > > smart enough to cope with log rotations (mostly).
> > >
> > > I'm running MDK 7.0 with kernel 2.2.16-9mdksecure (from the 7.1 updates)
> > >
> > > Any suggestions gratefully received.
> > >
> > > TIA,
> > >
> > > Tony
> > > ===
> > > Tony Smith
> > > Email: [EMAIL PROTECTED]
> > > Tel: +44 1189 893200
> > > ===
> > >
> > >
> >
> >
>--
>
>Regards
>
>Phil Edwards
>Technical Services Engineer
>==
>Travellog Systems Phone +44 (0)1444 459016
>The Priory, Haywards HeathFax   +44 (0)1444 456655
>West Sussex, RH16 3LB  mailto:[EMAIL PROTECTED]
>United Kingdom  http://www.travellog.co.uk
>==





RE: [expert] ipchains logging

2000-08-17 Thread Tony Smith

I don't know, but I'm getting them too???

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Phil Edwards
> Sent: 17 August 2000 14:44
> To: [EMAIL PROTECTED]
> Subject: Re: [expert] ipchains logging
>
>
> Why do I keep getting messages from "mandrax.org"? Has the
> mailing list changed
> in some way that I'm not aware of
>
>
> On Thu, 17 Aug 2000, you wrote:
> > You've gotten Logcheck from Psionic, did you also get (and install)
> > Portsentry?
> >
> > If portsentry was tripped, and added the offending host to the
> route table
> > and the IP to the /etc/hosts.deny file, no packets will be
> logged for that
> > host anymore.
> >
> > Or, is it that DENY packet logging stops altogether for ALL
> offenders after
> > a while?
> >
> > --Greg
> >
> > > Hi,
> > >
> > > There was a thread on this a while back, but after a while
> ipchains stops
> > > logging denied packet messages to /var/log/messages and it all goes
> > > suspiciously quiet. I know it's not logrotate that's causing
> the problem
> > > because I'm using Psionic logcheck to scan my logs every 15
> minutes and
> > it's
> > > smart enough to cope with log rotations (mostly).
> > >
> > > I'm running MDK 7.0 with kernel 2.2.16-9mdksecure (from the
> 7.1 updates)
> > >
> > > Any suggestions gratefully received.
> > >
> > > TIA,
> > >
> > > Tony
> > > ===
> > > Tony Smith
> > > Email: [EMAIL PROTECTED]
> > > Tel: +44 1189 893200
> > > ===
> > >
> > >
> >
> >
> >
> --
>
> Regards
>
> Phil Edwards
> Technical Services Engineer
> ==
> Travellog Systems Phone +44 (0)1444 459016
> The Priory, Haywards HeathFax   +44 (0)1444 456655
> West Sussex, RH16 3LB  mailto:[EMAIL PROTECTED]
> United Kingdom  http://www.travellog.co.uk
> ==
>





Re: [expert] ipchains logging

2000-08-17 Thread Phil Edwards

Why do I keep getting messages from "mandrax.org"? Has the mailing list changed
in some way that I'm not aware of?


On Thu, 17 Aug 2000, you wrote:
> You've gotten Logcheck from Psionic, did you also get (and install)
> Portsentry?
> 
> If portsentry was tripped, and added the offending host to the route table
> and the IP to the /etc/hosts.deny file, no packets will be logged for that
> host anymore.
> 
> Or, is it that DENY packet logging stops altogether for ALL offenders after
> a while?
> 
> --Greg
> 
> > Hi,
> >
> > There was a thread on this a while back, but after a while ipchains stops
> > logging denied packet messages to /var/log/messages and it all goes
> > suspiciously quiet. I know it's not logrotate that's causing the problem
> > because I'm using Psionic logcheck to scan my logs every 15 minutes and
> it's
> > smart enough to cope with log rotations (mostly).
> >
> > I'm running MDK 7.0 with kernel 2.2.16-9mdksecure (from the 7.1 updates)
> >
> > Any suggestions gratefully received.
> >
> > TIA,
> >
> > Tony
> > ===
> > Tony Smith
> > Email: [EMAIL PROTECTED]
> > Tel: +44 1189 893200
> > ===
> >
> >
> 
-- 

Regards

Phil Edwards
Technical Services Engineer
==
Travellog Systems Phone +44 (0)1444 459016
The Priory, Haywards HeathFax   +44 (0)1444 456655
West Sussex, RH16 3LB  mailto:[EMAIL PROTECTED]
United Kingdom  http://www.travellog.co.uk
==




RE: [expert] ipchains logging

2000-08-17 Thread Tony Smith

> One cute thing I noticed about logcheck...after I dumped the output of
> dmesg into logcheck.ignore (with appropriate changes to account for
> differing PIDs) logcheck stopped supplying anything...I checked the
> output twice for wildcards that went too far and couldn't find any...after
> I deleted the dmesg lines and put some more general items in...logcheck
> started.
>
> Either I mucked up and didn't see it later or there's a maximum number of
> lines logcheck will parse.
>
> Don't think this is the problem mentioned above...just thought I'd mention
> it as an associated experience :)
> Sorry for the waffle
> AG

It's interesting alright, but as you say not the problem - I've grep'd
/var/log/messages* for DENY messages and there are none since about 4 days
after my last reboot.

I have had some difficulty getting logcheck to ignore some other messages
though (postfix stuff), so perhaps I should move them higher up the list ...

Thanks,

Tony





RE: [expert] ipchains logging

2000-08-17 Thread Tony Smith

> You've gotten Logcheck from Psionic, did you also get (and install)
> Portsentry?

I certainly did.

> If portsentry was tripped, and added the offending host to the route table
> and the IP to the /etc/hosts.deny file, no packets will be logged for that
> host anymore.

'Fraid not. No-one's got through the firewall to PortSentry. Nothing has
been added to either /etc/portsentry/portsentry.blocked.atcp or
/etc/portsentry/portsentry.blocked.audp so no-one's tripped it. Also I have
PortSentry configured so that it's using ipchains, not TCP wrappers, and the
ipchains rule it uses to block intruders includes the -l flag.

> Or, is it that DENY packet logging stops altogether for ALL
> offenders after
> a while?

That's the sucker! A reboot cures it briefly, but you know how us Linux
peeps hate reboots ;-)

Thanks,

Tony





Re: [expert] ipchains logging

2000-08-17 Thread Andrew George

On Thu, 17 Aug 2000, Greg Stewart wrote:

> You've gotten Logcheck from Psionic, did you also get (and install)
> Portsentry?
> 
> If portsentry was tripped, and added the offending host to the route table
> and the IP to the /etc/hosts.deny file, no packets will be logged for that
> host anymore.
> 
> Or, is it that DENY packet logging stops altogether for ALL offenders after
> a while?
> 
> --Greg
> 
> > Hi,
> >
> > There was a thread on this a while back, but after a while ipchains stops
> > logging denied packet messages to /var/log/messages and it all goes
> > suspiciously quiet. I know it's not logrotate that's causing the problem
> > because I'm using Psionic logcheck to scan my logs every 15 minutes and
> it's
> > smart enough to cope with log rotations (mostly).
> >
> > I'm running MDK 7.0 with kernel 2.2.16-9mdksecure (from the 7.1 updates)
> >
> > Any suggestions gratefully received.
> >

One cute thing I noticed about logcheck...after I dumped the output of
dmesg into logcheck.ignore (with appropriate changes to account for
differing PIDs) logcheck stopped supplying anything...I checked the
output twice for wildcards that went too far and couldn't find any...after
I deleted the dmesg lines and put some more general items in...logcheck
started.

Either I mucked up and didn't see it later or there's a maximum number of
lines logcheck will parse.

Don't think this is the problem mentioned above...just thought I'd mention
it as an associated experience :)
Sorry for the waffle
AG 





Re: [expert] ipchains logging

2000-08-17 Thread Greg Stewart

You've gotten Logcheck from Psionic, did you also get (and install)
Portsentry?

If portsentry was tripped, and added the offending host to the route table
and the IP to the /etc/hosts.deny file, no packets will be logged for that
host anymore.

Or, is it that DENY packet logging stops altogether for ALL offenders after
a while?

--Greg

> Hi,
>
> There was a thread on this a while back, but after a while ipchains stops
> logging denied packet messages to /var/log/messages and it all goes
> suspiciously quiet. I know it's not logrotate that's causing the problem
> because I'm using Psionic logcheck to scan my logs every 15 minutes and
it's
> smart enough to cope with log rotations (mostly).
>
> I'm running MDK 7.0 with kernel 2.2.16-9mdksecure (from the 7.1 updates)
>
> Any suggestions gratefully received.
>
> TIA,
>
> Tony
> ===
> Tony Smith
> Email: [EMAIL PROTECTED]
> Tel: +44 1189 893200
> ===
>
>







[expert] ipchains logging

2000-08-17 Thread Tony Smith

Hi,

There was a thread on this a while back, but after a while ipchains stops
logging denied packet messages to /var/log/messages and it all goes
suspiciously quiet. I know it's not logrotate that's causing the problem
because I'm using Psionic logcheck to scan my logs every 15 minutes and it's
smart enough to cope with log rotations (mostly).

I'm running MDK 7.0 with kernel 2.2.16-9mdksecure (from the 7.1 updates)

Any suggestions gratefully received.

TIA,

Tony
===
Tony Smith
Email: [EMAIL PROTECTED]
Tel: +44 1189 893200
===





Re: [expert] ipchains logging

2000-05-17 Thread Vincent Danen

On Tue, 16 May 2000, Suppiluliuma wrote:

> > What file, specifically, does ipchains log to when I use -l?  It says it
> > writes to syslog but when I look in /var/log, I don't see anything that it
> > writes to and I'm trying to debug a firewall script...  any info is
> > appreciated.
> 
> Logs from ipchains go to the same place as all your logs from
> kernel, exact location depends on your syslog configuration. Take a look
> in /etc/syslog.conf and find a line with:
>  kern.* 
> on the same line there should be the name of the file where the kernel logs go
> to. If you can't find such a line then you probably have a line similar
> to:
> 
> *.info;mail.none;news.none;authpriv.none  /var/log/messages
> 
> which says that messages from most facilities (including kernel) go to
> /var/log/messages.

Ok, the kern.* line is commented out (would be directed to
/dev/console) so I uncommented and put it to /var/log/kernel.  Looking at
it, those kernel messages that now show up in /var/log/kernel don't show
up in /var/log/messages.  I'm assuming this is a Mandrake default because
I never changed it.

-- 
[EMAIL PROTECTED], OpenPGP key available on www.keyserver.net
Freezer Burn BBS:  telnet://bbs.freezer-burn.org . ICQ: 54924721
Webmaster for the Linux Portal Site Freezer Burn:  http://www.freezer-burn.org




Re: [expert] ipchains logging

2000-05-17 Thread Suppiluliuma

On Mon, 15 May 2000, Vincent Danen wrote:
> What file, specifically, does ipchains log to when I use -l?  It says it
> writes to syslog but when I look in /var/log, I don't see anything that it
> writes to and I'm trying to debug a firewall script...  any info is
> appreciated.

Logs from ipchains go to the same place as all your logs from
kernel, exact location depends on your syslog configuration. Take a look
in /etc/syslog.conf and find a line with:
 kern.* 
on the same line there should be the name of the file where the kernel logs go
to. If you can't find such a line then you probably have a line similar
to:

*.info;mail.none;news.none;authpriv.none        /var/log/messages

which says that messages from most facilities (including kernel) go to
/var/log/messages.

Regards

-- 
Registered Linux user #166697
visit http://counter.li.org to register
Sign the petition at http://www.libranet.com/petition.html
Help bring us more Linux Drivers
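To make the syslog.conf selector rules discussed above concrete, here is a small resolver, added for this page and not taken from the thread or from sysklogd itself, that reads a configuration text and reports which files a message of a given facility and priority is written to. The two configuration texts are constructed samples (one with the kern.* line commented out as in the default, one with it pointed at /var/log/kernel); `resolve_destinations` is a hypothetical helper, and the final query assumes that ipchains `-l` entries arrive at the `kern` facility at priority `info`.

```shell
#!/bin/sh
# Added example, not from the thread: resolve where a kernel message lands
# under a given /etc/syslog.conf, following sysklogd selector rules:
# facility.priority parts are separated by ';', a later part overrides an
# earlier one for the facilities it names, 'none' excludes a facility, and a
# priority selects itself and everything more severe. The '=' and '!'
# priority modifiers are not modelled here.

# Constructed sample modelled on the default discussed above: the kern.* line
# is commented out, so kernel messages reach only /var/log/messages.
CONF_DEFAULT='# Log all kernel messages to the console.
#kern.*                                                 /dev/console
*.info;mail.none;news.none;authpriv.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  /var/log/maillog'

# Same file with the kern.* line uncommented and pointed at /var/log/kernel.
CONF_KERNEL='*.info;mail.none;news.none;authpriv.none                /var/log/messages
kern.*                                                  /var/log/kernel
authpriv.*                                              /var/log/secure
mail.*                                                  /var/log/maillog'

# resolve_destinations CONF_TEXT FACILITY PRIORITY
# Prints, space separated, every action (file) that a message of the given
# facility and priority would be written to; prints nothing if it is dropped.
resolve_destinations() {
    printf '%s\n' "$1" | awk -v FAC="$2" -v PRIO="$3" '
    BEGIN {
        PRI["emerg"]=0; PRI["panic"]=0; PRI["alert"]=1; PRI["crit"]=2
        PRI["err"]=3; PRI["error"]=3; PRI["warning"]=4; PRI["warn"]=4
        PRI["notice"]=5; PRI["info"]=6; PRI["debug"]=7; PRI["*"]=7
        want = PRI[PRIO]; out = ""
    }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
    {
        n = split($1, parts, ";"); lvl = -1         # -1: facility not selected
        for (i = 1; i <= n; i++) {
            split(parts[i], fp, "."); pr = fp[2]
            m = split(fp[1], facs, ","); hit = 0
            for (j = 1; j <= m; j++) if (facs[j] == FAC || facs[j] == "*") hit = 1
            if (!hit) continue
            if (pr == "none") { lvl = -1; continue }
            sub(/^[=!]+/, "", pr)
            if (pr in PRI) lvl = PRI[pr]
        }
        # The message matches when it is at least as severe as the selector level.
        if (lvl >= 0 && want <= lvl) out = out (out == "" ? "" : " ") $2
    }
    END { print out }'
}

# Assumption: ipchains -l "Packet log:" lines come in as kern.info.
printf 'default config, kern.info -> %s\n' "$(resolve_destinations "$CONF_DEFAULT" kern info)"
printf 'kern.* uncommented, kern.info -> %s\n' "$(resolve_destinations "$CONF_KERNEL" kern info)"
```

A message can match more than one line and is then written to each file, which is what the second configuration shows; to check a live box, pass `"$(cat /etc/syslog.conf)"` as the first argument.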





Re: [expert] ipchains logging

2000-05-16 Thread Vincent Danen

On Tue, 16 May 2000, Lee Willis wrote:

> > What file, specifically, does ipchains log to when I use -l?  It says it
> > writes to syslog but when I look in /var/log, I don't see anything that it
> > writes to and I'm trying to debug a firewall script...  any info is
> > appreciated.
> 
> Typically it is /var/log/messages unless you have specified otherwise in
> /etc/syslog.conf
> 
> Hope that helps

I look in /var/log/messages and don't see anything logged by
ipchains.  How would I change it in syslog.conf to log to another file so
I can check it?  It should be logging stuff but it isn't to my knowledge
as I don't see anything at all.

-- 
[EMAIL PROTECTED], OpenPGP key available on www.keyserver.net
Freezer Burn BBS:  telnet://bbs.freezer-burn.org . ICQ: 54924721
Webmaster for the Linux Portal Site Freezer Burn:  http://www.freezer-burn.org




Re: [expert] ipchains logging

2000-05-16 Thread Lee Willis

Vincent Danen wrote:
> 
> What file, specifically, does ipchains log to when I use -l?  It says it
> writes to syslog but when I look in /var/log, I don't see anything that it
> writes to and I'm trying to debug a firewall script...  any info is
> appreciated.

Typically it is /var/log/messages unless you have specified otherwise in
/etc/syslog.conf

Hope that helps

Lee




[expert] ipchains logging

2000-05-15 Thread Vincent Danen

What file, specifically, does ipchains log to when I use -l?  It says it
writes to syslog but when I look in /var/log, I don't see anything that it
writes to and I'm trying to debug a firewall script...  any info is
appreciated.

-- 
[EMAIL PROTECTED], OpenPGP key available on www.keyserver.net
Freezer Burn BBS:  telnet://bbs.freezer-burn.org . ICQ: 54924721
Webmaster for the Linux Portal Site Freezer Burn:  http://www.freezer-burn.org