On Apr 20, 2006, at 7:50 PM, Kevin Kinsey wrote:

jekillen wrote:

Hello;
I have a question about a disconcerting event relayed to me from my kernel.
There are eight entries regarding network interface status:
rl0 link changed to DOWN
rl0 link changed to UP
rl0 link changed to DOWN
rl0 link changed to UP
sis0 promiscuous mode enabled
sis0 promiscuous mode disabled
sis0 promiscuous mode enabled
sis0 promiscuous mode disabled
The disconcerting entries are regarding sis0 promiscuous mode enabled.
Is the kernel trying to eavesdrop on someone?


Not without assistance, most likely ;-).

One link is to the inside network and the other is to a static IP address
that is assigned but as yet has not been configured on the router to
receive requests from outside.
I admit, I am learning at this point. I've been watching the router security log and have seen just in the last week (as long as it has had the static IPs assigned)
several hundred broadcast amplification attempts blocked.
And I have been reading my root mail and am now interested in a tutorial or
some published specifics about how to interpret these messages.
I'm running v6 release on AMD64. I'm setting up to host a web site.
Thanks in advance.
JK
PS In the meantime I will be going through what I have already.


Generally, "promiscuous mode" is pretty much what you
have guessed ... used in network analysis.  Software such
as bpf(4), and higher level apps such as netgraph, tcpdump,
ethereal, etc. use "promiscuous mode" to grab network traffic.
So, the first thing you ask yourself is, have I (or anyone allowed
to be "root") used any of this type of software?

There might be other explanations, but I'm not suitably
prepared to address them.

Kevin Kinsey

There are 2 factors that bear directly on this situation:
I am the only one who uses these machines on the inside network.
I have not been able to get into the web site from outside (so I presume no one else can either). For this reason it appears that the kernel may be doing security audits based on, possibly, suspicious events. But sis0 is the inside network interface. If I read the time correctly, i.e. 03 being 3 o'clock in the morning, this machine is the only one, besides the router and a NAS device, that is running. And this is the first time in the eight weeks total that this machine has been operational that I have seen this message. Could the phone co. be 'phishing' around? (SBC)

Anyhow, that's why I questioned the phone co.'s $250 installation charge; I told them I know how to set up the network and DNS stuff and was concerned about the possibility of a technician putting a root kit on my system. As it turned out, I had to let him install their router because he couldn't get mine to work (Zoom xv5). I have a Mac OS X machine that has been assigned one of the initial static IPs. It also has 2 interfaces; the inside interface connects to the same network the web server is on. But I don't leave the Mac on continuously. When the technician set up the router it was using DHCP to assign the IP. I noticed it change the host name as reflected in the bash shell command line prompt.

So as to their scruples I can only hope that there isn't some proprietary gadget running on the router that sniffs around on remote provocation. This might serve as a heads up to anyone with a similar situation.
JK
--
The idle mind knows not what it is it wants.
                -- Quintus Ennius
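As an added example (not part of this thread), a small Python triage script for the kind of kernel messages quoted above: it pulls the promiscuous-mode transitions out of a FreeBSD /var/log/messages, ignoring the link flaps, and pairs each "enabled" with the following "disabled" so you can see how long each capture window lasted and whether any interface was left in promiscuous mode. The log lines are constructed, and the year is assumed because syslogd does not record it.

```python
import re
from datetime import datetime
# Constructed sample in the format syslogd(8) uses for kernel messages in
# /var/log/messages on FreeBSD (the year is not recorded, so it is assumed).
SAMPLE_LOG = """\
Apr 21 03:02:11 www kernel: rl0: link state changed to DOWN
Apr 21 03:02:13 www kernel: rl0: link state changed to UP
Apr 21 03:07:40 www kernel: sis0: promiscuous mode enabled
Apr 21 03:07:52 www kernel: sis0: promiscuous mode disabled
Apr 21 03:08:01 www kernel: sis0: promiscuous mode enabled
Apr 21 03:09:30 www kernel: sis0: promiscuous mode disabled
Apr 21 04:15:00 www kernel: rl0: promiscuous mode enabled
"""

PROMISC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<ifn>[a-z]+\d+): promiscuous mode (?P<state>enabled|disabled)$"
)

def promisc_events(log_text, year=2006):
    """Return (timestamp, interface, state) tuples in log order; link flaps
    and other kernel lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = PROMISC_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ifn"], m["state"]))
    return events

def promisc_windows(events):
    """Pair each 'enabled' with the next 'disabled' on the same interface.
    Returns {interface: [(start, seconds), ...]}; seconds is None when no
    'disabled' followed, i.e. the interface may still be capturing and
    ifconfig(8) should be checked for the PROMISC flag."""
    open_since, windows = {}, {}
    for ts, ifn, state in events:
        if state == "enabled":
            open_since.setdefault(ifn, ts)   # keep the earliest 'enabled'
        elif ifn in open_since:
            start = open_since.pop(ifn)
            windows.setdefault(ifn, []).append((start, (ts - start).total_seconds()))
    for ifn, start in open_since.items():     # enabled with no matching disabled
        windows.setdefault(ifn, []).append((start, None))
    return windows

if __name__ == "__main__":
    for ifn, spans in promisc_windows(promisc_events(SAMPLE_LOG)).items():
        for start, secs in spans:
            print(ifn, start, "still enabled" if secs is None else f"{secs:.0f}s")
```

On the live box, `ifconfig sis0` shows PROMISC among the interface flags while something is capturing, and `fstat` lists which process holds the bpf device open, which answers Kevin's "have I run any of this software?" question directly.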

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

