Date: Sun, 12 Oct 2014 13:29:46 -0500
From: "William A. Mahaffey III" <wam@hiwaay.net>
To: "FreeBSD Questions !!!!" <freebsd-questions@freebsd.org>
Subject: Re: syslog output ....
Message-ID: <543AC89A.7030308@hiwaay.net>
In-Reply-To: <543AB4B0.90501@qeng-ho.org>
References: <543A9A81.5080403@hiwaay.net> <543AB4B0.90501@qeng-ho.org>

On 10/12/14 12:04, Arthur Chance wrote:
> On 12/10/2014 16:13, William A. Mahaffey III wrote:
>>
>>
>> .... I did a 'pkg upgrade a few days ago (Oct 8). Since then I have been
>> seeing messages like the following in my /var/log/messages file:
>>
>>
>>
>> Oct 12 09:08:13 kabini1 kernel: TCP: [192.168.0.9]:43713 to
>> [192.168.0.27]:1839 tcpflags 0x2<SYN>; tcp_input: Connection attempt to
>> closed port
> [Lots snipped]
>
>>
>> I did an nmap of this machine this A.M., right about 9:08, from
>> 192.168.0.9, so I think that's what prompted the output. I have done
>> that nmap in the past, w/ no such output in my messages file. What
>> changed so that I am now seeing it ? How can I trim it down such that it
>> ignores other boxen on my LAN ? Before the nmap, I had:
>>
>
> Didn't we recently discuss turning on net.inet.tcp.log_in_vain? That's
> the sort of output you get, and nmap will trigger it when hitting
> unopen ports. The log_in_vain sysctls are all or nothing, AFAIK you
> can't tell them to ignore some hosts/networks. Either don't nmap scan
> the machine or turn off the logging during the scan if you don't want
> to see it.

Yes, we did. I just wasn't clear on exactly what sort of output it would
give. Thanks for the clarification :-).

>
>>
>> Oct 9 03:03:05 kabini1 kernel: TCP: [127.0.0.1]:33651 to
>> [127.0.0.1]:113 tcpflags 0x2<SYN>; tcp_input: Connection attempt to
>> closed port
> [More snipped]
>
> That's the sort of thing I see on my machine. Port 113 is the ident
> (aka auth) service. As the addresses are all 127.0.0.1 your machine is
> asking itself to identify who is responsible for network connections
> to itself! If you can't work out what is causing it (I never could,
> but didn't try very hard) you can shut it up by actually running an
> auth service. Depending on what you feel like, either enable inetd and
> uncomment one of the built in auth entries in /etc/inetd.conf, or
> install one of net/hidentd (also needs inetd), net/widentd,
> security/fakeident, security/oidentd or security/pidentd. That way
> port 113 will be listening and responding.
>
>>
>> apparently from cron jobs I have scheduled @ ~3:00 A.M. & ~4:00 A.M. on
>> the local machine, i.e. it squawks about stuff from both other LAN boxen
>> & from onboard jobs .... The output from the nmap is obviously
>> voluminous & washes other output out of quick view (tail -50
>> /var/log/messages). The other output will get annoying, since it is
>> harmless. I would like to hear from other machines not on my LAN,
>> however. Any advice appreciated. TIA ....
>
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
>

-- 
William A. Mahaffey III

----------------------------------------------------------------------

"The M1 Garand is without doubt the finest implement of war
 ever devised by man."
                       -- Gen. George S. Patton Jr.
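
Added example, not part of the original thread: because the log_in_vain sysctls cannot exclude hosts, one option is to leave the logging on and filter when reading the log. This Python script parses the TCP line format quoted above and hides attempts from loopback and the LAN. The 192.168.0.0/24 prefix is an assumption inferred from the addresses in the thread, and the last two sample lines (including 203.0.113.7) are constructed.

```python
import ipaddress
import re
from collections import Counter

# TCP log_in_vain line as quoted in the thread (the kernel writes it on one line).
LINE_RE = re.compile(
    r"kernel: TCP: \[(?P<src>[^\]]+)\]:(?P<sport>\d+) to "
    r"\[(?P<dst>[^\]]+)\]:(?P<dport>\d+) tcpflags (?P<flags>[^;]+); "
    r"tcp_input: Connection attempt to closed port")

# Assumption: the LAN is 192.168.0.0/24; adjust to the real prefix.
QUIET_NETS = [ipaddress.ip_network(n)
              for n in ("127.0.0.0/8", "::1/128", "192.168.0.0/24")]

def parse(line):
    """Return (source address, destination port, flags) or None if not a match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:          # unparsable address: treat as unmatched, keep visible
        return None
    return src, int(m["dport"]), m["flags"]

def external_attempts(lines, quiet_nets=QUIET_NETS):
    """Drop closed-port lines whose source is in quiet_nets; keep everything else.
    Returns (kept lines, Counter of attempts per external source)."""
    kept, by_src = [], Counter()
    for line in lines:
        rec = parse(line)
        if rec is not None:
            if any(rec[0] in net for net in quiet_nets):
                continue        # LAN or loopback noise (nmap runs, ident lookups)
            by_src[str(rec[0])] += 1
        kept.append(line)
    return kept, by_src

TAIL = "tcp_input: Connection attempt to closed port"
SAMPLE = [  # first two lines are from the thread, last two are constructed
    "Oct 12 09:08:13 kabini1 kernel: TCP: [192.168.0.9]:43713 to [192.168.0.27]:1839 tcpflags 0x2<SYN>; " + TAIL,
    "Oct  9 03:03:05 kabini1 kernel: TCP: [127.0.0.1]:33651 to [127.0.0.1]:113 tcpflags 0x2<SYN>; " + TAIL,
    "Oct 12 09:10:02 kabini1 kernel: TCP: [203.0.113.7]:51514 to [192.168.0.27]:23 tcpflags 0x2<SYN>; " + TAIL,
    "Oct 12 09:11:40 kabini1 sshd[812]: Server listening on 0.0.0.0 port 22.",
]

if __name__ == "__main__":
    kept, by_src = external_attempts(SAMPLE)
    print("\n".join(kept))
    print("attempts per external source:", dict(by_src))
```

The filter only changes what is displayed; /var/log/messages still holds every line, so LAN-sourced attempts remain available if they are needed later.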