Message-ID: <543AC89A.7030308@hiwaay.net>
Date: Sun, 12 Oct 2014 13:29:46 -0500
From: "William A. Mahaffey III"
To: "FreeBSD Questions !!!!"
Subject: Re: syslog output ....
In-Reply-To: <543AB4B0.90501@qeng-ho.org>

On 10/12/14 12:04, Arthur Chance wrote:
> On 12/10/2014 16:13, William A. Mahaffey III wrote:
>>
>> .... I did a 'pkg upgrade' a few days ago (Oct 8). Since then I have been
>> seeing messages like the following in my /var/log/messages file:
>>
>> Oct 12 09:08:13 kabini1 kernel: TCP: [192.168.0.9]:43713 to
>> [192.168.0.27]:1839 tcpflags 0x2; tcp_input: Connection attempt to
>> closed port
> [Lots snipped]
>
>>
>> I did an nmap of this machine this A.M., right about 9:08, from
>> 192.168.0.9, so I think that's what prompted the output. I have done
>> that nmap in the past, w/ no such output in my messages file. What
>> changed so that I am now seeing it ? How can I trim it down such that it
>> ignores other boxen on my LAN ? Before the nmap, I had:
>>
>
> Didn't we recently discuss turning on net.inet.tcp.log_in_vain? That's
> the sort of output you get, and nmap will trigger it when hitting
> unopen ports. The log_in_vain sysctls are all or nothing, AFAIK you
> can't tell them to ignore some hosts/networks. Either don't nmap scan
> the machine or turn off the logging during the scan if you don't want
> to see it.

Yes, we did. I just wasn't clear on exactly what sort of output it would
give. Thanks for the clarification :-).

>
>>
>> Oct 9 03:03:05 kabini1 kernel: TCP: [127.0.0.1]:33651 to
>> [127.0.0.1]:113 tcpflags 0x2; tcp_input: Connection attempt to
>> closed port
> [More snipped]
>
> That's the sort of thing I see on my machine. Port 113 is the ident
> (aka auth) service. As the addresses are all 127.0.0.1 your machine is
> asking itself to identify who is responsible for network connections
> to itself! If you can't work out what is causing it (I never could,
> but didn't try very hard) you can shut it up by actually running an
> auth service. Depending on what you feel like, either enable inetd and
> uncomment one of the built in auth entries in /etc/inetd.conf, or
> install one of net/hidentd (also needs inetd), net/widentd,
> security/fakeident, security/oidentd or security/pidentd. That way
> port 113 will be listening and responding.
>
>>
>> apparently from cron jobs I have scheduled @ ~3:00 A.M. & ~4:00 A.M. on
>> the local machine, i.e. it squawks about stuff from both other LAN boxen
>> & from onboard jobs .... The output from the nmap is obviously
>> voluminous & washes other output out of quick view (tail -50
>> /var/log/messages). The other output will get annoying, since it is
>> harmless. I would like to hear from other machines not on my LAN,
>> however. Any advice appreciated. TIA ....
>

--

	William A. Mahaffey III

 ----------------------------------------------------------------------

	"The M1 Garand is without doubt the finest implement of war
	 ever devised by man."
                           -- Gen. George S. Patton Jr.
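
Since the log_in_vain sysctls cannot exclude hosts, the filtering has to happen when the log is read. The sh/awk filter below is an added example, not part of the original messages: it hides closed-port lines whose source is loopback or the LAN and summarises the remaining sources. The 192.168.0.0/24 prefix length, the function names and the last two sample lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example: hide log_in_vain noise from loopback and the LAN when
# reading the log. The kernel still logs everything; only the view changes.
# Assumptions: LAN is 192.168.0.0/24 (prefix length guessed from the
# addresses in the thread); sample_log and in_vain are hypothetical names.

LAN_PREFIX="192.168.0."   # assumed /24, compared as a string prefix

# Sample input. Lines 1-2 are the messages quoted in the thread; lines 3-4
# are constructed (203.0.113.7 is a documentation address).
sample_log() {
cat <<'EOF'
Oct 12 09:08:13 kabini1 kernel: TCP: [192.168.0.9]:43713 to [192.168.0.27]:1839 tcpflags 0x2; tcp_input: Connection attempt to closed port
Oct 9 03:03:05 kabini1 kernel: TCP: [127.0.0.1]:33651 to [127.0.0.1]:113 tcpflags 0x2; tcp_input: Connection attempt to closed port
Oct 12 09:10:02 kabini1 kernel: TCP: [203.0.113.7]:51000 to [192.168.0.27]:23 tcpflags 0x2; tcp_input: Connection attempt to closed port
Oct 12 09:11:00 kabini1 sshd[812]: Server listening on 0.0.0.0 port 22.
EOF
}

# in_vain [view|summary] : reads syslog text on stdin.
#   view    - print every line except closed-port messages from local sources
#   summary - print "source count dport..." for the sources that remain
in_vain() {
    awk -v lan="$LAN_PREFIX" -v mode="${1:-view}" '
    /kernel: TCP: \[/ && /Connection attempt to closed port/ {
        # source address is the text between the first "[" and "]"
        s = index($0, "["); e = index($0, "]")
        src = substr($0, s + 1, e - s - 1)
        if (index(src, lan) == 1 || index(src, "127.") == 1 || src == "::1")
            next                      # local noise: dropped in both modes
        rest = substr($0, e + 1)      # ":sport to [dst]:dport tcpflags ..."
        split(substr(rest, index(rest, "]:") + 2), f, " ")
        hits[src]++; ports[src] = ports[src] " " f[1]
    }
    mode == "view" { print }
    END {
        if (mode == "summary")
            for (a in hits) printf "%s %d%s\n", a, hits[a], ports[a]
    }'
}

# On the machine itself: tail -200 /var/log/messages | in_vain
sample_log | in_vain summary
```

Lines that are not closed-port messages pass through unchanged in view mode, so the filter can sit in front of the usual tail of /var/log/messages.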