syslog output ....

William A. Mahaffey III wam at hiwaay.net
Sun Oct 12 18:23:33 UTC 2014


On 10/12/14 12:04, Arthur Chance wrote:
> On 12/10/2014 16:13, William A. Mahaffey III wrote:
>>
>>
>> .... I did a 'pkg upgrade' a few days ago (Oct 8). Since then I have been
>> seeing messages like the following in my /var/log/messages file:
>>
>>
>>
>> Oct 12 09:08:13 kabini1 kernel: TCP: [192.168.0.9]:43713 to
>> [192.168.0.27]:1839 tcpflags 0x2<SYN>; tcp_input: Connection attempt to
>> closed port
> [Lots snipped]
>
>>
>> I did an nmap of this machine this A.M., right about 9:08, from
>> 192.168.0.9, so I think that's what prompted the output. I have done
>> that nmap in the past, w/ no such output in my messages file. What
>> changed so that I am now seeing it ? How can I trim it down such that it
>> ignores other boxen on my LAN ? Before the nmap, I had:
>>
>
> Didn't we recently discuss turning on net.inet.tcp.log_in_vain? That's 
> the sort of output you get, and nmap will trigger it when hitting 
> unopen ports. The log_in_vain sysctls are all or nothing, AFAIK you 
> can't tell them to ignore some hosts/networks. Either don't nmap scan 
> the machine or turn off the logging during the scan if you don't want 
> to see it.

Yes, we did. I just wasn't clear on exactly what sort of output it would 
give. Thanks for the clarification :-).

>
>>
>> Oct  9 03:03:05 kabini1 kernel: TCP: [127.0.0.1]:33651 to
>> [127.0.0.1]:113 tcpflags 0x2<SYN>; tcp_input: Connection attempt to
>> closed port
> [More snipped]
>
> That's the sort of thing I see on my machine. Port 113 is the ident 
> (aka auth) service. As the addresses are all 127.0.0.1 your machine is 
> asking itself to identify who is responsible for network connections 
> to itself! If you can't work out what is causing it (I never could, 
> but didn't try very hard) you can shut it up by actually running an 
> auth service. Depending on what you feel like, either enable inetd and 
> uncomment one of the built in auth entries in /etc/inetd.conf, or 
> install one of net/hidentd (also needs inetd), net/widentd, 
> security/fakeident, security/oidentd or security/pidentd. That way 
> port 113 will be listening and responding.
>
>>
>> apparently from cron jobs I have scheduled @ ~3:00 A.M. & ~4:00 A.M. on
>> the local machine, i.e. it squawks about stuff from both other LAN boxen
>> & from onboard jobs .... The output from the nmap is obviously
>> voluminous & washes other output out of quick view (tail -50
>> /var/log/messages). The other output will get annoying, since it is
>> harmless. I would like to hear from other machines not on my LAN,
>> however. Any advice appreciated. TIA ....
>
>


-- 

	William A. Mahaffey III

  ----------------------------------------------------------------------

	"The M1 Garand is without doubt the finest implement of war
	 ever devised by man."
                            -- Gen. George S. Patton Jr.
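
Because the log_in_vain sysctls cannot exclude hosts, any trimming has to happen when the log is read. The following is an added example, not code from either poster: it drops "Connection attempt to closed port" TCP lines whose source is loopback or on the LAN and passes everything else through. It assumes the LAN is 192.168.0.0/24 and that each entry is a single unwrapped line; the 203.0.113.5 and ntpd lines in the sample are constructed.

```python
import ipaddress
import re
import sys

# Shape of a log_in_vain TCP line, taken from the samples quoted in the thread.
# Lines in any other format (including other log_in_vain output) pass through.
LINE_RE = re.compile(
    r"kernel: TCP: \[(?P<src>[^\]]+)\]:\d+ to \[[^\]]+\]:\d+ "
    r"tcpflags \S+; tcp_input: Connection attempt to closed port"
)

# Assumption: the LAN is 192.168.0.0/24; loopback is treated as local too.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("127.0.0.0/8", "::1/128", "192.168.0.0/24")]

# Constructed sample: two lines from the thread (unwrapped) plus two made-up ones.
TAIL = "tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port\n"
SAMPLE = [
    "Oct 12 09:08:13 kabini1 kernel: TCP: [192.168.0.9]:43713 to [192.168.0.27]:1839 " + TAIL,
    "Oct  9 03:03:05 kabini1 kernel: TCP: [127.0.0.1]:33651 to [127.0.0.1]:113 " + TAIL,
    "Oct 12 09:09:41 kabini1 kernel: TCP: [203.0.113.5]:50122 to [192.168.0.27]:23 " + TAIL,
    "Oct 12 09:10:00 kabini1 ntpd[612]: constructed unrelated message\n",
]

def is_local(addr):
    """True if addr parses and falls inside one of LOCAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # an unparsable source stays visible rather than hidden
    return any(ip in net for net in LOCAL_NETS)

def filter_remote(lines):
    """Yield every line except closed-port TCP entries from local sources."""
    for line in lines:
        m = LINE_RE.search(line)
        if m and is_local(m.group("src")):
            continue
        yield line

if __name__ == "__main__":
    # With a path argument, filter that file; otherwise run on SAMPLE.
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    sys.stdout.writelines(filter_remote(source))
```

Passing /var/log/messages as the argument and piping the result through tail -50 gives the quick view described in the thread without the LAN scan and loopback entries.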


