Kernel messages

jekillen jekillen at prodigy.net
Fri Apr 21 07:04:35 UTC 2006


On Apr 20, 2006, at 7:50 PM, Kevin Kinsey wrote:

> jekillen wrote:
>
>> Hello;
>> I have a question about a disconcerting event relayed to me from my 
>> kernel.
>> there are eight entries regarding network interface status:
>> rl0 link changed to DOWN
>> rl0 link changed to UP
>> rl0 link changed to DOWN
>> rl0 link changed to UP
>> sis0 promiscuous mode enabled
>> sis0 promiscuous mode disabled
>> sis0 promiscuous mode enabled
>> sis0 promiscuous mode disabled
>> The disconcerting entries are re sis0 promiscuous mode enabled.
>> Is the kernel trying to eavesdrop on someone?
>
>
> Not without assistance, most likely ;-).
>
>> One link is to the inside network and the other is to static ip 
>> address
>> that is assigned but as yet has not been configured on the router to
>> receive requests from outside.
>> I admit, I am learning at this point. I've been watching the router 
>> security log and
>> have seen just in the last week (as long as it has had the static 
>> ip's assigned)
>> several hundred broadcast amplification attempts blocked.
>> And I have been reading my root mail and am now interested in a 
>> tutorial or
>> some published specifics about how to interpret these messages.
>> I'm running v6 release on AMD64. I'm setting up to host a web site.
>> thanks in advance.
>> JK
>> PS in the meantime I will be going through what I have already.
>
>
> Generally, "promiscuous mode" is pretty much what you
> have guessed ... used in network analysis.  Software such
> as bpf(4), and higher level apps such as netgraph, tcpdump,
> ethereal, etc. use "promiscuous mode" to grab network traffic.
> So, the first thing you ask yourself is, have I (or anyone allowed
> to be "root") used any of this type of software?
>
> There might be other explanations, but I'm not suitably
> prepared to address them.
>
> Kevin Kinsey
>
There are 2 factors that bear directly on this situation:
I am the only one who uses these machines on the inside network.
I have not been able to get into the web site from outside (so I 
presume no one else can either).
For this reason it appears that the kernel may be doing security audits 
based on, possibly,
suspicious events. But sis0 is the inside network interface. If I read 
the time correctly, i.e.
03 being 3 o'clock in the morning, this machine is the only one beside 
the router and a n.a.s device
that are running. And this is the first time in the eight weeks total 
that this machine has been operational,
that I have seen this message. Could the phone co be 'phishing' around? 
(SBC). Anyhow that's why
I questioned the phone co's $250 installation charge, I told them I 
know how to set up the network and
DNS stuff and was concerned about the possibility of a technician 
putting a root kit on my system.
As it turned out, I had to let him install their router because he 
couldn't get mine to work (Zoom xv5).
I have a Mac OSX machine that has been assigned one of the initial 
static ip's. It also has 2 interfaces
the inside interface connects to the same network the web server is on. 
But I don't leave the Mac on
continuously. When the technician set up the router it was using DHCP 
to assign the ip. I noticed it
change the host name as reflected in the bash shell command line 
prompt. So as to their scruples I
can only hope that there isn't some proprietary gadget running on the 
router that sniffs around on
remote provocation. This might serve as a heads up to anyone with a 
similar situation.
JK
> -- 
> The idle mind knows not what it is it wants.
> 		-- Quintus Ennius
>
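Kevin's advice above boils down to checking whether anything on the box legitimately put sis0 into promiscuous mode, and when. The following script is an added example, not code from this thread: it pairs the "promiscuous mode enabled/disabled" kernel messages into intervals with their duration, so a short blip from a one-off tcpdump run stands out from an interface left open for hours. The log lines, the host name "web" and the timestamps are constructed for the example.

```sh
#!/bin/sh
# Added example: summarize promiscuous-mode transitions from kernel messages.
# Constructed sample lines in the syslog format FreeBSD writes to
# /var/log/messages (host name, times and interface events are made up).
SAMPLE_LOG='Apr 21 03:02:11 web kernel: rl0: link state changed to DOWN
Apr 21 03:02:14 web kernel: rl0: link state changed to UP
Apr 21 03:05:40 web kernel: sis0: promiscuous mode enabled
Apr 21 03:05:52 web kernel: sis0: promiscuous mode disabled
Apr 21 03:17:03 web kernel: sis0: promiscuous mode enabled
Apr 21 03:19:30 web kernel: sis0: promiscuous mode disabled
Apr 21 04:00:00 web kernel: rl0: promiscuous mode enabled'

# promisc_intervals: read syslog lines on stdin and print one line per
# enable/disable pair as "<iface> <start> <end> <seconds>".
# An "enabled" that never saw a matching "disabled" is printed as
# "<iface> <start> OPEN -1", i.e. the interface may still be sniffing.
# Assumes all lines fall on the same day (no midnight wrap handling).
promisc_intervals() {
    awk '
    /kernel: [a-z]+[0-9]+: promiscuous mode (enabled|disabled)/ {
        iface = $6; sub(":", "", iface)            # "sis0:" -> "sis0"
        split($3, t, ":")                          # HH:MM:SS -> seconds
        secs = t[1] * 3600 + t[2] * 60 + t[3]
        if ($NF == "enabled") {
            start[iface] = $3; ssec[iface] = secs
        } else if (iface in start) {
            printf "%s %s %s %d\n", iface, start[iface], $3, secs - ssec[iface]
            delete start[iface]; delete ssec[iface]
        }
    }
    END { for (i in start) printf "%s %s OPEN -1\n", i, start[i] }'
}

# Run against the constructed sample. On a real FreeBSD host you would
# feed it the actual log instead:
#   grep "promiscuous mode" /var/log/messages | promisc_intervals
# and, for an interval that is still OPEN, list which processes hold a
# bpf device (tcpdump, ethereal, etc.) with:  fstat | grep bpf
printf '%s\n' "$SAMPLE_LOG" | promisc_intervals
```

Intervals of a few seconds that line up with an admin's own tcpdump runs are expected; an OPEN interval, or one that started while nobody was logged in, is what deserves a closer look.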