From: Didier WIROTH
To: freebsd-questions@freebsd.org
Date: Fri, 23 Jan 2004 15:11:17 +0100
Subject: RE: log_in_vain="YES"
Message-id: <0HRY00B254QJOX@mail.etat.lu>

Thanks for answering. No, actually I don't think someone is spoofing.
There is a firewall (other machine, actually) blocking any kind of incoming & outgoing 127. addresses. So I don't think (at this time) that this is the problem.

What I meant with cron is that there are daily reports that are being sent via sendmail. I have this sendmail option in rc.conf: sendmail_enable="NO". Sendmail is only listening on localhost. I assume that my FreeBSD host sends an auth command to 127.0.0.1 because a sendmail connection is being tried from 127.0.0.1. The samples of my 127.0.0.1 entries correspond exactly to the time that the daily reports arrive. Perhaps someone could confirm this?

-----Original Message-----
From: fbsd_user [mailto:fbsd_user@a1poweruser.com]
Sent: Friday, 23 January 2004 14:17
To: Didier WIROTH; freebsd-questions@freebsd.org
Subject: RE: log_in_vain="YES"

If this is happening while your system is connected to the public internet, then your system is under attack by somebody who is spoofing IP address 127.0.0.1. Port 113 is the ident protocol. There is no reason for the cron jobs to be doing that. You should power off your system when not in use, at least until you install a firewall software solution. You really need a firewall, and should use IPFILTER, as its stateful keep-state rules function works correctly. FBSD's ipfw stateful rules are broken when used with ipfw's divert/natd function.
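
An added example, not part of either message: one way to test the correlation described in the reply, by matching log_in_vain entries for port 113 against sendmail entries in the mail log. The log lines, host name, year and 5-second window are constructed assumptions, and the kernel line is assumed to follow FreeBSD's `Connection attempt to TCP ...` format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread); host, PIDs, queue ids are made up.
MESSAGES = """\
Jan 22 03:01:14 host /kernel: Connection attempt to TCP 127.0.0.1:113 from 127.0.0.1:1045
Jan 22 17:42:03 host /kernel: Connection attempt to TCP 192.0.2.10:113 from 127.0.0.1:4021
Jan 23 03:01:15 host /kernel: Connection attempt to TCP 127.0.0.1:113 from 127.0.0.1:1052
Jan 23 11:20:00 host /kernel: Connection attempt to TCP 127.0.0.1:113 from 127.0.0.1:1060
"""
MAILLOG = """\
Jan 22 03:01:14 host sendmail[412]: i0M21EaB000412: from=root, size=1532, nrcpts=1
Jan 23 03:01:15 host sendmail[455]: i0N21FaB000455: from=root, size=1498, nrcpts=1
"""

STAMP = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
ATTEMPT = re.compile(STAMP + r"\S*kernel: Connection attempt to "
                     r"(?:TCP|UDP) ([\d.]+):(\d+) from ([\d.]+):(\d+)")
MAIL = re.compile(STAMP + r"sendmail\[\d+\]:")

def when(stamp, year=2004):
    """Parse a syslog timestamp; syslog omits the year, so it is assumed."""
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")

def triage(messages, maillog, window=5):
    """Label each log_in_vain entry; window is the allowed gap in seconds."""
    mail_times = [when(m.group(1)) for m in map(MAIL.match, maillog.splitlines()) if m]
    gap = timedelta(seconds=window)
    results = []
    for m in filter(None, map(ATTEMPT.match, messages.splitlines())):
        ts, dst, dport, src, sport = m.groups()
        local_src, local_dst = src.startswith("127."), dst.startswith("127.")
        if local_src and not local_dst:
            verdict = "loopback-source-on-external-address"  # worth a closer look
        elif not local_src:
            verdict = "remote-source"
        elif dport == "113" and any(abs(when(ts) - t) <= gap for t in mail_times):
            verdict = "ident-during-local-mail"  # coincides with a local sendmail entry
        else:
            verdict = "loopback-unexplained"
        results.append((ts, f"{src}:{sport} -> {dst}:{dport}", verdict))
    return results

if __name__ == "__main__":
    for row in triage(MESSAGES, MAILLOG):
        print(*row, sep="  ")
```

Entries labelled `loopback-unexplained` or `loopback-source-on-external-address` are the ones that the daily-report explanation does not cover and that merit a look at which interface they arrived on.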