Re: [SLUG] NIS problem - non-existent map

2009-08-12 Thread Sonia Hamilton

Nigel Allen wrote:

> Hi
>
> Running Centos 4 with one machine as YP server (ypserv 2.8) and one as
> a yp client.
>
> In the messages log of the server I constantly see messages like this:
>
> Aug 12 12:28:46 sydsrv12 ypserv[20413]: refused connect from 192.168.0.56:38230 to procedure ypproc_match (jgc,shadow.byname;-1)
> Aug 12 12:29:14 sydsrv12 ypserv[20413]: refused connect from 192.168.0.56:38230 to procedure ypproc_match (jgc,shadow.byname;-1)
> Aug 12 12:29:22 sydsrv12 ypserv[20413]: refused connect from 192.168.0.56:38230 to procedure ypproc_match (jgc,shadow.byname;-1)
> Aug 12 12:30:13 sydsrv12 ypserv[20413]: refused connect from 192.168.0.56:38230 to procedure ypproc_match (jgc,shadow.byname;-1)
>
> sydsrv56 is the client btw.
>
> How can I find what program is trying to access the shadow.byname map?
> I suspect (from the frequency) that dovecot may be the culprit
>
> The server does not have that map and on the client there is no
> mention of shadow in the nsswitch.conf - all commented out.
>
> Any clues please?

touch the file shadow.byname and use lsof + grep in a loop in a shell
script?

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


[SLUG] Post scanning inside NAT

2009-08-12 Thread Rick Welykochy

Hi sluggers,

I thought I understood the mechanics of NAT. My modem blocks all incoming
requests to my 192.168.0.* internal network, save a few port forwards, i.e.
about five ports are open.

During an idle period today I noticed annoying but consistent
traffic of about 100 bytes/sec. Why?

tcpdump reveals that my local machine on 192.168.0.27 is responding to
what seems to be a port scan from Germany (62.67.50.112) ...

17:20:28.677718 IP 192.168.0.27.52262 > 62.67.50.112.80: . ack 1 win 65535 <nop,nop,timestamp 1078011251 3938531074>
17:20:28.677842 IP 192.168.0.27.52262 > 62.67.50.112.80: P 1:607(606) ack 1 win 65535 <nop,nop,timestamp 1078011251 3938531074>
17:20:29.045173 IP 62.67.50.112.80 > 192.168.0.27.52262: . ack 607 win 55 <nop,nop,timestamp 3938531166 1078011251>
17:20:29.055137 IP 62.67.50.112.80 > 192.168.0.27.52262: P 1:306(305) ack 607 win 55 <nop,nop,timestamp 3938531167 1078011251>

Their egress port is always 80 (suspicious in itself) and
my ingress port is climbing through all numbers, serially.

My possible misunderstanding of NAT is that my local machine
on .27 should not even be seeing this traffic since it *should*
be blocked at the modem/router.

Is it me or is it the modem that is wrong?


cheers
rickw


--
_
Rick Welykochy || Praxis Services

Beware of he who would deny you information,
for in his mind he dreams of being your master.
 -- message on a computer game


Re: [SLUG] Post scanning inside NAT

2009-08-12 Thread Morgan Storey
To me that looks like web traffic, first two http-gets going out then the
response. Do a packet capture and we will see. Do you have any toolbars that
get updates (weather plugin, time sync, rss), or some automated update tool?

On Wed, Aug 12, 2009 at 5:23 PM, Rick Welykochy r...@praxis.com.au wrote:

> Hi sluggers,
>
> I thought I understood the mechanics of NAT. My modem blocks all incoming
> requests to my 192.168.0.* internal network, save a few port forwards, i.e.
> about five ports are open.
>
> During an idle period today I noticed annoying but consistent
> traffic of about 100 bytes/sec. Why?
>
> tcpdump reveals that my local machine on 192.168.0.27 is responding to
> what seems to be a port scan from Germany (62.67.50.112) ...
>
> 17:20:28.677718 IP 192.168.0.27.52262 > 62.67.50.112.80: . ack 1 win 65535 <nop,nop,timestamp 1078011251 3938531074>
> 17:20:28.677842 IP 192.168.0.27.52262 > 62.67.50.112.80: P 1:607(606) ack 1 win 65535 <nop,nop,timestamp 1078011251 3938531074>
> 17:20:29.045173 IP 62.67.50.112.80 > 192.168.0.27.52262: . ack 607 win 55 <nop,nop,timestamp 3938531166 1078011251>
> 17:20:29.055137 IP 62.67.50.112.80 > 192.168.0.27.52262: P 1:306(305) ack 607 win 55 <nop,nop,timestamp 3938531167 1078011251>
>
> Their egress port is always 80 (suspicious in itself) and
> my ingress port is climbing through all numbers, serially.
>
> My possible misunderstanding of NAT is that my local machine
> on .27 should not even be seeing this traffic since it *should*
> be blocked at the modem/router.
>
> Is it me or is it the modem that is wrong?
>
> cheers
> rickw




Re: [SLUG] Post scanning inside NAT

2009-08-12 Thread Rick Welykochy

Zhasper wrote:

> Visiting http://62.67.50.112/ gives me a Rapidshare.com page.
>
> Does your modem, or the machine in question, let you run
> tcpdump/ngrep/some other packet inspection thingy to have a look in more
> detail inside the packets?
>
> Also, there's nothing in what you posted to suggest that the internal
> machine was responding to the external machine - the port numbers
> suggest that it was the internal machine that initiated the connection.
>
> If you could catch the three-way handshake at the start of the
> connection (syn/syn-ack/ack), we could tell for sure which was opening
> the connection.


Further investigation proves you are correct. For some reason, this
machine was initiating a connection to 62.67.50.112 on port 80 every
couple of seconds.

I played with tcpdump some more and found that even something as
innocuous as grabbing Java docs from Sun resulted in an annoying
flurry of repeated (reload page?) activity from ad servers and the
like.

NAT is vindicated and I was at fault, interpreting the tcpdump as
an incoming scan.

I've rebooted to see what the traffic is like (the machine had been
up for weeks). And now there is only local traffic for WiFi discovery
and a bit of SMB crap.

I think I'll leave tcpdump alone otherwise I'll go mad. It goes to show
that there is a lot of traffic occurring that one is not even aware of.


thanks,
rickw






Re: [SLUG] Post scanning inside NAT

2009-08-12 Thread Rick Welykochy

Morgan Storey wrote:

> To me that looks like web traffic, first two http-gets going out then
> the response. Do a packet capture and we will see. Do you have any
> toolbars that get updates (weather plugin, time sync, rss), or some
> automated update tool?


Thanks for your reply. As I noted in my previous response, the machine
had been up for weeks, and browsers for days. Who knows what stray gremlins
lay in wait. After a reboot, all is clear.


cheers
rickw



Re: [SLUG] NIS problem - non-existent map

2009-08-12 Thread Rodolfo Martínez
Hi Nigel,

Add this line to the /etc/nsswitch.conf file in the client:

shadow: files [NOTFOUND=return]

The client will only look at the local shadow file; if the entry is
not there, it will stop searching for it.


Rodolfo Martínez




On Wed, Aug 12, 2009 at 2:22 AM, Sonia Hamilton so...@snowfrog.net wrote:
> Nigel Allen wrote:
>
>> Hi
>>
>> Running Centos 4 with one machine as YP server (ypserv 2.8) and one as a
>> yp client.
>>
>> In the messages log of the server I constantly see messages like this:
>>
>> Aug 12 12:28:46 sydsrv12 ypserv[20413]: refused connect from 192.168.0.56:38230 to procedure ypproc_match (jgc,shadow.byname;-1)
>> Aug 12 12:29:14 sydsrv12 ypserv[20413]: refused connect from 192.168.0.56:38230 to procedure ypproc_match (jgc,shadow.byname;-1)
>> Aug 12 12:29:22 sydsrv12 ypserv[20413]: refused connect from 192.168.0.56:38230 to procedure ypproc_match (jgc,shadow.byname;-1)
>> Aug 12 12:30:13 sydsrv12 ypserv[20413]: refused connect from 192.168.0.56:38230 to procedure ypproc_match (jgc,shadow.byname;-1)
>>
>> sydsrv56 is the client btw.
>>
>> How can I find what program is trying to access the shadow.byname map? I
>> suspect (from the frequency) that dovecot may be the culprit
>>
>> The server does not have that map and on the client there is no mention of
>> shadow in the nsswitch.conf - all commented out.
>>
>> Any clues please?
>
> touch the file shadow.byname and use lsof + grep in a loop in a shell
> script?


Re: [SLUG] Post scanning inside NAT

2009-08-12 Thread Zhasper
Visiting http://62.67.50.112/ gives me a Rapidshare.com page.
Does your modem, or the machine in question, let you run tcpdump/ngrep/some
other packet inspection thingy to have a look in more detail inside the
packets?

Also, there's nothing in what you posted to suggest that the internal
machine was responding to the external machine - the port numbers suggest
that it was the internal machine that initiated the connection.

If you could catch the three-way handshake at the start of the connection
(syn/syn-ack/ack), we could tell for sure which was opening the connection.

On Wed, Aug 12, 2009 at 5:23 PM, Rick Welykochy r...@praxis.com.au wrote:

> Hi sluggers,
>
> I thought I understood the mechanics of NAT. My modem blocks all incoming
> requests to my 192.168.0.* internal network, save a few port forwards, i.e.
> about five ports are open.
>
> During an idle period today I noticed annoying but consistent
> traffic of about 100 bytes/sec. Why?
>
> tcpdump reveals that my local machine on 192.168.0.27 is responding to
> what seems to be a port scan from Germany (62.67.50.112) ...
>
> 17:20:28.677718 IP 192.168.0.27.52262 > 62.67.50.112.80: . ack 1 win 65535 <nop,nop,timestamp 1078011251 3938531074>
> 17:20:28.677842 IP 192.168.0.27.52262 > 62.67.50.112.80: P 1:607(606) ack 1 win 65535 <nop,nop,timestamp 1078011251 3938531074>
> 17:20:29.045173 IP 62.67.50.112.80 > 192.168.0.27.52262: . ack 607 win 55 <nop,nop,timestamp 3938531166 1078011251>
> 17:20:29.055137 IP 62.67.50.112.80 > 192.168.0.27.52262: P 1:306(305) ack 607 win 55 <nop,nop,timestamp 3938531167 1078011251>
>
> Their egress port is always 80 (suspicious in itself) and
> my ingress port is climbing through all numbers, serially.
>
> My possible misunderstanding of NAT is that my local machine
> on .27 should not even be seeing this traffic since it *should*
> be blocked at the modem/router.
>
> Is it me or is it the modem that is wrong?
>
> cheers
> rickw



-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
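
An added example, not part of the original posts: a small Python reader for old-style tcpdump text lines that applies the check described in the message above. A bare SYN names the initiator for certain; without it, the side with the higher port is only assumed to be the client. The function names and the capture lines with handshakes are constructed for illustration.

```python
import re
from collections import defaultdict

# Old-style tcpdump text output: "time IP src.port > dst.port: FLAGS rest"
LINE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+)(.*)$"
)

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, flags, rest = m.groups()
    return {"src": (src, int(sport)), "dst": (dst, int(dport)),
            "syn": "S" in flags, "ack": re.search(r"\back \d+", rest) is not None}

def find_initiators(lines):
    """Map each TCP flow to (initiator_ip, evidence).

    "syn": a SYN without ACK was captured, which settles it.
    "ports": only mid-stream packets seen; higher port assumed to be the client.
    """
    flows = {}
    for pkt in filter(None, map(parse, lines)):
        key = tuple(sorted([pkt["src"], pkt["dst"]]))
        if pkt["syn"] and not pkt["ack"]:
            flows[key] = (pkt["src"][0], "syn")
        elif key not in flows:
            client = max(pkt["src"], pkt["dst"], key=lambda ep: ep[1])
            flows[key] = (client[0], "ports")
    return flows

def outbound_fanout(lines):
    """Count distinct initiator-side ports per (initiator, remote endpoint).

    A climbing local port against one fixed remote port is what repeated
    outbound connections look like; an inbound scan has the roles reversed.
    """
    fanout = defaultdict(set)
    for (a, b), (initiator, _) in find_initiators(lines).items():
        local, remote = (a, b) if a[0] == initiator else (b, a)
        fanout[(initiator, remote)].add(local[1])
    return {k: len(v) for k, v in fanout.items()}

# Constructed capture using the thread's addresses: the first flow starts
# mid-stream (as in the post), the next two include the handshake.
SAMPLE = """\
17:20:28.677718 IP 192.168.0.27.52262 > 62.67.50.112.80: . ack 1 win 65535
17:20:29.045173 IP 62.67.50.112.80 > 192.168.0.27.52262: . ack 607 win 55
17:20:31.100000 IP 192.168.0.27.52263 > 62.67.50.112.80: S 100:100(0) win 65535
17:20:31.400000 IP 62.67.50.112.80 > 192.168.0.27.52263: S 900:900(0) ack 101 win 5840
17:20:31.400100 IP 192.168.0.27.52263 > 62.67.50.112.80: . ack 1 win 65535
17:20:33.100000 IP 192.168.0.27.52264 > 62.67.50.112.80: S 200:200(0) win 65535
""".splitlines()

if __name__ == "__main__":
    for flow, (ip, why) in sorted(find_initiators(SAMPLE).items()):
        print(flow, "initiated by", ip, "evidence:", why)
    print(outbound_fanout(SAMPLE))
```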


Re: [SLUG] NIS problem - non-existent map

2009-08-12 Thread Nigel Allen

Sonia Hamilton wrote:

> Nigel Allen wrote:
>
>> Hi
>>
>> Running Centos 4 with one machine as YP server (ypserv 2.8) and one
>> as a yp client.
>>
>> In the messages log of the server I constantly see messages like this:
>>
>> Aug 12 12:28:46 sydsrv12 ypserv[20413]: refused connect from 192.168.0.56:38230 to procedure ypproc_match (jgc,shadow.byname;-1)
>> Aug 12 12:29:14 sydsrv12 ypserv[20413]: refused connect from 192.168.0.56:38230 to procedure ypproc_match (jgc,shadow.byname;-1)
>> Aug 12 12:29:22 sydsrv12 ypserv[20413]: refused connect from 192.168.0.56:38230 to procedure ypproc_match (jgc,shadow.byname;-1)
>> Aug 12 12:30:13 sydsrv12 ypserv[20413]: refused connect from 192.168.0.56:38230 to procedure ypproc_match (jgc,shadow.byname;-1)
>>
>> sydsrv56 is the client btw.
>>
>> How can I find what program is trying to access the shadow.byname
>> map? I suspect (from the frequency) that dovecot may be the culprit
>>
>> The server does not have that map and on the client there is no
>> mention of shadow in the nsswitch.conf - all commented out.
>>
>> Any clues please?
>
> touch the file shadow.byname and use lsof + grep in a loop in a shell
> script?

I'm not sure that that would help. The client is asking for the map
from the server (despite not being told to). If I create the file on the
client I don't think that will make any difference.


Appreciate the suggestion though.

N/




Re: [SLUG] NIS problem - non-existent map

2009-08-12 Thread Nigel Allen

Rodolfo Martínez wrote:

> Hi Nigel,
>
> Add this line to the /etc/nsswitch.conf file in the client:
>
> shadow: files [NOTFOUND=return]
>
> The client will only look at the local shadow file; if the entry is
> not there, it will stop searching for it.



Tried this. Changed the file on the client, restarted the ypbind process 
on the client - even restarted ALL of the yp programs on the server. Did 
not make a single difference :(


Here is the nsswitch.conf:


[r...@sydsrv56 etc]# cat nsswitch.conf
passwd:     files nis
shadow:     files [NOTFOUND=return]
group:      files nis
hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files nis

publickey:  nisplus

automount:  files
aliases:    files


and here is an example of the error messages:

Aug 13 09:57:07 sydsrv12 ypserv[27083]: refused connect from 192.168.0.56:38711 to procedure ypproc_match (jgc,shadow.byname;-1)
Aug 13 09:59:09 sydsrv12 ypserv[27083]: refused connect from 192.168.0.56:38711 to procedure ypproc_match (jgc,shadow.byname;-1)
Aug 13 09:59:36 sydsrv12 ypserv[27083]: refused connect from 192.168.0.56:38711 to procedure ypproc_match (jgc,shadow.byname;-1)
Aug 13 10:00:01 sydsrv12 ypserv[27083]: refused connect from 192.168.0.56:38711 to procedure ypproc_match (jgc,shadow.byname;-1)
Aug 13 10:00:12 sydsrv12 ypserv[27083]: refused connect from 192.168.0.56:38712 to procedure ypproc_match (jgc,shadow.byname;-1)
Aug 13 10:01:24 sydsrv12 ypserv[27083]: refused connect from 192.168.0.56:38712 to procedure ypproc_match (jgc,shadow.byname;-1)
Aug 13 10:01:50 sydsrv12 ypserv[27083]: refused connect from 192.168.0.56:38712 to procedure ypproc_match (jgc,shadow.byname;-1)
Aug 13 10:02:00 sydsrv12 ypserv[27083]: refused connect from 192.168.0.56:38712 to procedure ypproc_match (jgc,shadow.byname;-1)
Aug 13 10:02:15 sydsrv12 ypserv[27083]: refused connect from 192.168.0.56:38712 to procedure ypproc_match (jgc,shadow.byname;-1)
Aug 13 10:02:32 sydsrv12 ypserv[27083]: refused connect from 192.168.0.56:38712 to procedure ypproc_match (jgc,shadow.byname;-1)
Aug 13 10:02:41 sydsrv12 ypserv[27083]: refused connect from 192.168.0.56:38712 to procedure ypproc_match (jgc,shadow.byname;-1)
Aug 13 10:03:46 sydsrv12 ypserv[27083]: refused connect from 192.168.0.56:38712 to procedure ypproc_match (jgc,shadow.byname;-1)
Aug 13 10:04:14 sydsrv12 ypserv[27083]: refused connect from 192.168.0.56:38712 to procedure ypproc_match (jgc,shadow.byname;-1)
Aug 13 10:04:43 sydsrv12 ypserv[27083]: refused connect from 192.168.0.56:38712 to procedure ypproc_match (jgc,shadow.byname;-1)


This is getting Curiouser and Curiouser.

Nigel.




> Rodolfo Martínez
>
> On Wed, Aug 12, 2009 at 2:22 AM, Sonia Hamilton so...@snowfrog.net wrote:
>> Nigel Allen wrote:
>>
>>> Hi
>>>
>>> Running Centos 4 with one machine as YP server (ypserv 2.8) and one as a
>>> yp client.
>>>
>>> In the messages log of the server I constantly see messages like this:
>>>
>>> Aug 12 12:28:46 sydsrv12 ypserv[20413]: refused connect from 192.168.0.56:38230 to procedure ypproc_match (jgc,shadow.byname;-1)
>>> Aug 12 12:29:14 sydsrv12 ypserv[20413]: refused connect from 192.168.0.56:38230 to procedure ypproc_match (jgc,shadow.byname;-1)
>>> Aug 12 12:29:22 sydsrv12 ypserv[20413]: refused connect from 192.168.0.56:38230 to procedure ypproc_match (jgc,shadow.byname;-1)
>>> Aug 12 12:30:13 sydsrv12 ypserv[20413]: refused connect from 192.168.0.56:38230 to procedure ypproc_match (jgc,shadow.byname;-1)
>>>
>>> sydsrv56 is the client btw.
>>>
>>> How can I find what program is trying to access the shadow.byname map? I
>>> suspect (from the frequency) that dovecot may be the culprit
>>>
>>> The server does not have that map and on the client there is no mention of
>>> shadow in the nsswitch.conf - all commented out.
>>>
>>> Any clues please?
>>
>> touch the file shadow.byname and use lsof + grep in a loop in a shell
>> script?

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
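
An added example, not part of the original posts: a Python summary of the ypserv refusals quoted in this thread, grouped by client source port. A source port that stays the same across many requests suggests one long-lived socket on the client, and the port number is what to look up there with lsof. The function names are illustrative, and reading the parenthesised fields as domain, map and status code is an assumption.

```python
import re

STAMP = re.compile(r"^\w{3}\s+\d+ [\d:]{8} ")
# Assumption: the parenthesised fields are NIS domain, map name, status code.
REFUSED = re.compile(
    r"^(?P<when>\w{3}\s+\d+ [\d:]{8}) (?P<server>\S+) ypserv\[(?P<pid>\d+)\]: "
    r"refused connect from (?P<ip>[\d.]+):(?P<port>\d+) to procedure (?P<proc>\w+) "
    r"\((?P<domain>[^,]*),(?P<map>[^;]*);(?P<status>-?\d+)\)"
)

def unwrap(text):
    """Re-join log records that a mail client folded onto two lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)          # a new record starts with a timestamp
        else:
            records[-1] += " " + line     # continuation of the previous record
    return records

def summarise(text):
    """Group refusals by (client ip, source port, map), in first-seen order."""
    groups = {}
    for rec in unwrap(text):
        m = REFUSED.match(rec)
        if not m:
            continue
        key = (m["ip"], int(m["port"]), m["map"])
        g = groups.setdefault(key, {"count": 0, "first": m["when"], "last": None})
        g["count"] += 1
        g["last"] = m["when"]
    return groups

def client_lookup_commands(groups):
    """One lsof invocation per distinct source port, to be run on the client."""
    ports = sorted({port for (_, port, _) in groups})
    return ["lsof -n -P -i :%d" % p for p in ports]

# Five of the records posted in the thread, folded the way the mail shows them.
SAMPLE = """
Aug 13 09:57:07 sydsrv12 ypserv[27083]: refused connect from
192.168.0.56:38711 to procedure ypproc_match (jgc,shadow.byname;-1)
Aug 13 09:59:09 sydsrv12 ypserv[27083]: refused connect from
192.168.0.56:38711 to procedure ypproc_match (jgc,shadow.byname;-1)
Aug 13 10:00:01 sydsrv12 ypserv[27083]: refused connect from
192.168.0.56:38711 to procedure ypproc_match (jgc,shadow.byname;-1)
Aug 13 10:00:12 sydsrv12 ypserv[27083]: refused connect from
192.168.0.56:38712 to procedure ypproc_match (jgc,shadow.byname;-1)
Aug 13 10:01:24 sydsrv12 ypserv[27083]: refused connect from
192.168.0.56:38712 to procedure ypproc_match (jgc,shadow.byname;-1)
"""

if __name__ == "__main__":
    for key, g in summarise(SAMPLE).items():
        print(key, g)
    print(client_lookup_commands(summarise(SAMPLE)))
```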


[SLUG] Sound system details

2009-08-12 Thread Adam Bogacki
Hi, I have just set up a lenny system on an old box and
am having trouble getting audio up.

It is a while since I have done this, but could someone
suggest how to find out details of the sound card?

Regards,

Adam Bogacki,
a...@paradise.net.nz



Re: [SLUG] Sound system details

2009-08-12 Thread Dean Hamstead

PCI or ISA?

lspci will list PCI devices and give you a starting point.

Dean

On 13/08/2009, at 10:29 AM, Adam Bogacki a...@paradise.net.nz wrote:

> Hi, I have just set up a lenny system on an old box and
> am having trouble getting audio up.
>
> It is a while since I have done this, but could someone
> suggest how to find out details of the sound card?
>
> Regards,
>
> Adam Bogacki,
> a...@paradise.net.nz



[SLUG] LinkedIn email ..

2009-08-12 Thread Adam Bogacki
Apologies. Following a message posted to my
rarely used LinkedIn account I inadvertently activated
a request sent to 78 email addresses stored on various servers
asking recipients to join my professional network .. among them SLUG.

Having researched functions of social networks, I freely acknowledge
the potential utility of sites such as LinkedIn, but
would point out that my social and professional networks
are not limited by any one technology.

Sorry to hog your bandwidth.

Adam Bogacki,
a...@paradise.net.nz



Re: [SLUG] Sound system details

2009-08-12 Thread Luke Yelavich
On Thu, Aug 13, 2009 at 10:29:29AM EST, Adam Bogacki wrote:
> Hi, I have just set up a lenny system on an old box and
> am having trouble getting audio up.
>
> It is a while since I have done this, but could someone
> suggest how to find out details of the sound card?

If you want all the information regarding sound on your system, I suggest 
downloading http://www.alsa-project.org/alsa-info.sh and running it. It will 
give you everything from the alsa version, to what cards are in your system, 
mixer levels, etc.

Hope this helps

Luke