Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 12 Oct 2014 18:04:48 +0100
From:      Arthur Chance <freebsd@qeng-ho.org>
To:        "William A. Mahaffey III" <wam@hiwaay.net>, "FreeBSD Questions !!!!" <freebsd-questions@freebsd.org>
Subject:   Re: syslog output ....
Message-ID:  <543AB4B0.90501@qeng-ho.org>
In-Reply-To: <543A9A81.5080403@hiwaay.net>
References:  <543A9A81.5080403@hiwaay.net>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On 12/10/2014 16:13, William A. Mahaffey III wrote:
>
>
> .... I did a 'pkg upgrade a few days ago (Oct 8). Since then I have been
> seeing messages like the following in my /var/log/messages file:
>
>
>
> Oct 12 09:08:13 kabini1 kernel: TCP: [192.168.0.9]:43713 to
> [192.168.0.27]:1839 tcpflags 0x2<SYN>; tcp_input: Connection attempt to
> closed port
[Lots snipped]

>
> I did an nmap of this machine this A.M., right about 9:08, from
> 192.168.0.9, so I think that's what prompted the output. I have done
> that nmap in the past, w/ no such output in my messages file. What
> changed so that I am now seeing it ? How can I trim it down such that it
> ignores other boxen on my LAN ? Before the nmap, I had:
>

Didn't we recently discuss turning on net.inet.tcp.log_in_vain? That's 
the sort of output you get, and nmap will trigger it when hitting unopen 
ports. The log_in_vain sysctls are all or nothing, AFAIK you can't tell 
them to ignore some hosts/networks. Either don't nmap scan the machine 
or turn off the logging during the scan if you don't want to see it.

>
> Oct  9 03:03:05 kabini1 kernel: TCP: [127.0.0.1]:33651 to
> [127.0.0.1]:113 tcpflags 0x2<SYN>; tcp_input: Connection attempt to
> closed port
[More snipped]

That's the sort of thing I see on my machine. Port 113 is the ident (aka 
auth) service. As the addresses are all 127.0.0.1 your machine is asking 
itself to identify who is responsible for network connections to itself! 
If you can't work out what is causing it (I never could, but didn't try 
very hard) you can shut it up by actually running an auth service. 
Depending on what you feel like, either enable inetd and uncomment one 
of the built in auth entries in /etc/inetd.conf, or install one of 
net/hidentd (also needs inetd), net/widentd, security/fakeident, 
security/oidentd or security/pidentd. That way port 113 will be 
listening and responding.

>
> apparently from cron jobs I have scheduled @ ~3:00 A.M. & ~4:00 A.M. on
> the local machine, i.e. it squawks about stuff from both other LAN boxen
> & from onboard jobs .... The output from the nmap is obviously
> voluminous & washes other output out of quick view (tail -50
> /var/log/messages). The other output will get annoying, since it is
> harmless. I would like to hear from other machines not on my LAN,
> however. Any advice appreciated. TIA ....





Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?543AB4B0.90501>