The interesting part is that it only seems to be happening on his RHEL5 system and not on the other ones.

On Thu, Aug 7, 2014 at 11:48 AM, Tilghman Lesher <tilgh...@meg.abyt.es> wrote:
> None of those packages would affect how packets are logged. At this
> point, I'd do a tcpdump on the external interface on that particular
> server, then pull up the dump in Wireshark. That should tell you
> whether the packets are being rewritten incorrectly by the firewall or
> if the server is simply doing something strange. You shouldn't have
> to look any further than the IP header to verify the
> source/destination address.
>
> On Thu, Aug 7, 2014 at 11:27 AM, Chris McQuistion <cmcquist...@watkins.edu> wrote:
> > Interesting thought.
> >
> > The firewall rules are the same for this server as all the other servers and
> > none of the other servers are showing this anomaly in their logs.
> >
> > I went ahead and deleted the rule, then recreated it, then tested again.
> > Same results.
> >
> > The day that I started getting these weird entries was the first day that
> > server was logged into from offsite and right after installing some yum
> > updates. I looked through the Logwatch emails and these yum updates
> > correspond to that same day. Any chance one of these could change the way
> > that this information is being logged? I can tail /var/log/secure and watch
> > it log the wrong IP address when I log in from home.
> >
> > Packages Updated:
> > nss-3.15.3-7.el5_10.i386
> > httpd-manual-2.2.3-87.el5_10.x86_64
> > 1:mod_ssl-2.2.3-87.el5_10.x86_64
> > nspr-4.10.6-1.el5_10.i386
> > nss-tools-3.15.3-7.el5_10.x86_64
> > firefox-24.7.0-1.el5_10.i386
> > nss-3.15.3-7.el5_10.x86_64
> > httpd-2.2.3-87.el5_10.x86_64
> > firefox-24.7.0-1.el5_10.x86_64
> > nspr-4.10.6-1.el5_10.x86_64
> >
> > On Thu, Aug 7, 2014 at 10:42 AM, Tilghman Lesher <tilgh...@meg.abyt.es> wrote:
> >> On Wed, Aug 6, 2014 at 3:20 PM, Chris McQuistion <cmcquist...@watkins.edu> wrote:
> >> > This is a weird problem.
> >> >
> >> > I get the daily logwatch emails from our various servers and one of the
> >> > things that I eyeball on a regular basis is the "Users logging in through
> >> > sshd". I like to make sure that I don't see any logins from IP addresses
> >> > that I don't recognize (as well as failed login attempts.)
> >> >
> >> > We changed our firewall about a week and a half ago, over to Untangle. This
> >> > has had no negative effect on any of the usual behavior except for one of
> >> > our servers, a database server running RHEL 5.X (64 bit, fully up to date.)
> >> >
> >> > On this one system, I'm now seeing the following line in its daily Logwatch
> >> > email:
> >> >
> >> > 192.168.1.254 (firewall.watkins.edu): 2 times
> >> >
> >> > That IP address is the firewall, itself. The firewall is NOT actually
> >> > logging into this server. My Linux box at home is logging in via SSH, every
> >> > day, to run backups. In the past, and with every other server that I
> >> > remotely back up via SSH, every day, the Logwatch email reflects the IP
> >> > address of my cable modem at home.
> >> >
> >> > In this one case, this server shows 192.168.1.254 (the firewall) as the
> >> > source IP address instead of the "real" source IP address.
> >> >
> >> > Port forwarding to this server is set up exactly the same way as all the
> >> > other servers. The backup program I'm running at home (dirvish) connects to
> >> > this server, just like the other servers.
> >> >
> >> > The only variable that has changed is the firewall and possibly some
> >> > recently-run yum updates. The only unique thing about this server is that
> >> > it is our only RHEL 5 server. We also have a RHEL 6 server and several
> >> > CentOS 5/6 servers.
> >> >
> >> > Any ideas?
> >>
> >> I suspect a difference in how your firewall is set up to forward those
> >> packets. I'd look at the underlying iptables commands, not the
> >> frontend information. It sounds like the firewall is rewriting the
> >> source address on those packets.
> >>
> >> --
> >> Tilghman
>
> --
> Tilghman

--
You received this message because you are subscribed to the Google Groups "NLUG" group.
To post to this group, send email to nlug-talk@googlegroups.com
To unsubscribe from this group, send email to nlug-talk+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/nlug-talk?hl=en

---
You received this message because you are subscribed to the Google Groups "NLUG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nlug-talk+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
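The thread's underlying security point is that a firewall applying SNAT/masquerade to a port-forward replaces the client's address with its own, so the "Users logging in through sshd" check Chris relies on can no longer tell a home backup box from an unknown host. The script below is an added example, not code from the thread or from Logwatch: it parses /var/log/secure-style sshd lines (a constructed sample; host name, PIDs and addresses are made up, only the firewall address 192.168.1.254 comes from the thread), builds the same per-source summary Logwatch produces, and flags any accepted login whose recorded source is a known NAT device address. Function names and the sample log are assumptions for this example.

```python
"""Added example (not from the NLUG thread): Logwatch-style sshd summary that
flags logins whose source IP is the firewall itself, i.e. the symptom of a
NAT device rewriting the client's source address before it reaches sshd.
"""
import re
from collections import Counter

# Constructed sample of /var/log/secure lines. Names, PIDs and the 192.168.1.20
# address are invented; 192.168.1.254 is the firewall address from the thread.
SAMPLE_SECURE_LOG = """\
Aug  7 02:00:03 dbserver sshd[4101]: Accepted publickey for backup from 192.168.1.254 port 50212 ssh2
Aug  7 02:00:04 dbserver sshd[4101]: pam_unix(sshd:session): session opened for user backup by (uid=0)
Aug  7 09:15:41 dbserver sshd[4550]: Accepted password for chris from 192.168.1.20 port 41022 ssh2
Aug  7 11:47:09 dbserver sshd[4812]: Failed password for invalid user admin from 192.168.1.254 port 60001 ssh2
Aug  8 02:00:02 dbserver sshd[5122]: Accepted publickey for backup from 192.168.1.254 port 50873 ssh2
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    rf"from (?P<ip>{IPV4}) port \d+"
)
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    rf"from (?P<ip>{IPV4}) port \d+"
)


def summarize_sshd(log_text):
    """Count accepted and failed sshd logins per (user, source IP)."""
    accepted, failed = Counter(), Counter()
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[(m.group("user"), m.group("ip"))] += 1
            continue
        m = FAILED_RE.search(line)
        if m:
            failed[(m.group("user"), m.group("ip"))] += 1
    return accepted, failed


def nat_masked_logins(accepted, nat_devices):
    """Return {(user, ip): count} for accepted logins whose source is a NAT device.

    Such entries mean the firewall substituted its own address (SNAT/masquerade)
    on the forwarded connection, so the log no longer records who logged in.
    """
    return {key: n for key, n in accepted.items() if key[1] in nat_devices}


def logwatch_style_report(log_text, nat_devices):
    """Build report lines in the spirit of Logwatch's sshd section, with flags."""
    accepted, failed = summarize_sshd(log_text)
    lines = ["Users logging in through sshd:"]
    for (user, ip), n in sorted(accepted.items()):
        flag = "  <-- NAT device address; real client IP unknown" if ip in nat_devices else ""
        lines.append(f"   {user}: {ip}: {n} time(s){flag}")
    if failed:
        lines.append("Failed logins:")
        for (user, ip), n in sorted(failed.items()):
            lines.append(f"   {user}: {ip}: {n} time(s)")
    return lines


if __name__ == "__main__":
    FIREWALL = {"192.168.1.254"}  # the firewall's LAN address from the thread
    print("\n".join(logwatch_style_report(SAMPLE_SECURE_LOG, FIREWALL)))
```

A flagged line only shows the symptom in the server's own log. Confirming where the rewrite happens is Tilghman's step: capture on the server's external interface with tcpdump and read the source address in the IP header, then compare with the firewall's nat table (on an iptables-based box, `iptables -t nat -L -n -v`) for an SNAT or MASQUERADE rule matching the port-forward, rather than trusting the frontend's description of the rule.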