From: Arthur Chance
Date: Sun, 12 Oct 2014 18:04:48 +0100
To: "William A. Mahaffey III", "FreeBSD Questions !!!!"
Subject: Re: syslog output ....
Message-ID: <543AB4B0.90501@qeng-ho.org>
In-Reply-To: <543A9A81.5080403@hiwaay.net>

On 12/10/2014 16:13, William A. Mahaffey III wrote:
>
> .... I did a 'pkg upgrade' a few days ago (Oct 8). Since then I have been
> seeing messages like the following in my /var/log/messages file:
>
> Oct 12 09:08:13 kabini1 kernel: TCP: [192.168.0.9]:43713 to
> [192.168.0.27]:1839 tcpflags 0x2; tcp_input: Connection attempt to
> closed port

[Lots snipped]

>
> I did an nmap of this machine this A.M., right about 9:08, from
> 192.168.0.9, so I think that's what prompted the output. I have done
> that nmap in the past, w/ no such output in my messages file. What
> changed so that I am now seeing it? How can I trim it down such that it
> ignores other boxen on my LAN? Before the nmap, I had:
>

Didn't we recently discuss turning on net.inet.tcp.log_in_vain? That's the sort of output you get, and nmap will trigger it when hitting unopen ports.

The log_in_vain sysctls are all or nothing, AFAIK you can't tell them to ignore some hosts/networks. Either don't nmap scan the machine or turn off the logging during the scan if you don't want to see it.

>
> Oct 9 03:03:05 kabini1 kernel: TCP: [127.0.0.1]:33651 to
> [127.0.0.1]:113 tcpflags 0x2; tcp_input: Connection attempt to
> closed port

[More snipped]

That's the sort of thing I see on my machine. Port 113 is the ident (aka auth) service. As the addresses are all 127.0.0.1 your machine is asking itself to identify who is responsible for network connections to itself! If you can't work out what is causing it (I never could, but didn't try very hard) you can shut it up by actually running an auth service. Depending on what you feel like, either enable inetd and uncomment one of the built-in auth entries in /etc/inetd.conf, or install one of net/hidentd (also needs inetd), net/widentd, security/fakeident, security/oidentd or security/pidentd. That way port 113 will be listening and responding.

>
> apparently from cron jobs I have scheduled @ ~3:00 A.M. & ~4:00 A.M. on
> the local machine, i.e. it squawks about stuff from both other LAN boxen
> & from onboard jobs .... The output from the nmap is obviously
> voluminous & washes other output out of quick view (tail -50
> /var/log/messages). The other output will get annoying, since it is
> harmless. I would like to hear from other machines not on my LAN,
> however. Any advice appreciated. TIA ....
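
Since the log_in_vain sysctls cannot exclude hosts, the filtering asked about in this thread has to happen when the log is read. The following is an added example, not part of the original message: it hides TCP log_in_vain lines whose source is loopback or on the LAN and keeps everything else. The 192.168.0.0/24 LAN range and the function names are assumptions, and only the TCP line format quoted above is handled.

```python
import ipaddress
import re
import sys

# TCP log_in_vain kernel line, in the format quoted in the message above.
LOG_IN_VAIN = re.compile(r"kernel: TCP: \[(?P<src>[^\]]+)\]:\d+ to \[[^\]]+\]:\d+ tcpflags")

# Assumption: the LAN is 192.168.0.0/24, inferred from the addresses in the post.
QUIET_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "192.168.0.0/24")]


def quiet_source(line, quiet_nets=QUIET_NETS):
    """Return the source address of a log_in_vain line from a quiet net, else None."""
    m = LOG_IN_VAIN.search(line)
    if not m:
        return None  # some other syslog message: never hide it
    try:
        src = ipaddress.ip_address(m.group("src"))
    except ValueError:
        return None  # unparseable address: show the line rather than hide it
    return str(src) if any(src in net for net in quiet_nets) else None


def filter_messages(lines, quiet_nets=QUIET_NETS):
    """Split lines into (kept, suppressed); suppressed is a count per quiet source."""
    kept, suppressed = [], {}
    for line in lines:
        src = quiet_source(line, quiet_nets)
        if src is None:
            kept.append(line.rstrip("\n"))
        else:
            suppressed[src] = suppressed.get(src, 0) + 1
    return kept, suppressed


# Constructed sample: the two entries quoted in the thread (each re-joined onto one line),
# one from a documentation-range external address, and one unrelated message.
SAMPLE = [
    "Oct  9 03:03:05 kabini1 kernel: TCP: [127.0.0.1]:33651 to [127.0.0.1]:113 tcpflags 0x2; tcp_input: Connection attempt to closed port",
    "Oct 12 09:08:13 kabini1 kernel: TCP: [192.168.0.9]:43713 to [192.168.0.27]:1839 tcpflags 0x2; tcp_input: Connection attempt to closed port",
    "Oct 12 09:09:41 kabini1 kernel: TCP: [203.0.113.7]:51515 to [192.168.0.27]:23 tcpflags 0x2; tcp_input: Connection attempt to closed port",
    "Oct 12 09:10:00 kabini1 cron[1234]: (constructed) unrelated message",
]

if __name__ == "__main__":
    # Reads /var/log/messages from stdin when redirected, otherwise runs on SAMPLE.
    kept, suppressed = filter_messages(SAMPLE if sys.stdin.isatty() else sys.stdin)
    print("\n".join(kept))
    for src, n in sorted(suppressed.items()):
        print(f"# suppressed {n} log_in_vain line(s) from {src}", file=sys.stderr)
```

The per-source counts go to stderr, so a scan from a LAN host still shows up as one summary line instead of washing other entries out of view.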