martian source 255.255.255.255 from 10.64.39.106, on dev eth0


Post by baholeok » Sat, 11 Mar 2006 05:29:54



Hello all

So, as in the topic, in my /var/log/messages I have a lot of things like
this one
----------------------------------
  martian source 255.255.255.255 from 10.64.39.106, on dev eth0
----------------------------------

I'm using Mandrake 10, with 2 network cards: eth0 (provider) and eth1
(my local network). Eth0 is connected to my service provider, and I
have my own public IP.

I have read a lot of posts but none of them explain what the real
problem of this "martian source 255.255.255.255" is. From time to time
my eth0 goes down and I suspected that this information about martian
is a problem and I don't know how to stop it. On Mandrake I'm running my
proftpd dhcpd ssh and apache and vnc.

Any advice

 
 
 


Post by Eric Teube » Sat, 11 Mar 2006 05:46:31



> Hello all

> So, as in the topic, in my /var/log/messages I have a lot of things like
> this one
> ----------------------------------
>   martian source 255.255.255.255 from 10.64.39.106, on dev eth0
> ----------------------------------

> I'm using Mandrake 10, with 2 network cards: eth0 (provider) and eth1
> (my local network). Eth0 is connected to my service provider, and I
> have my own public IP.

> I have read a lot of posts but none of them explain what the real
> problem of this "martian source 255.255.255.255" is. From time to time
> my eth0 goes down and I suspected that this information about martian
> is a problem and I don't know how to stop it. On Mandrake I'm running my
> proftpd dhcpd ssh and apache and vnc.

martian sources are mostly fake ip addresses pretending an internal
source. However it should not be unrecognized.

Since 10.0.0.0 is a private network, make sure all traffic from this
network coming from outside is blocked by your firewall.

Afterwards, you can ignore these messages.

Eric

 
 
 


Post by Peter Lowri » Sat, 11 Mar 2006 19:47:23


> martian sources are mostly fake ip addresses pretending an internal
> source. However it should not be unrecognized.

What a load of drivel. Do this...

echo "0" >/proc/sys/net/ipv4/conf/DEV/log_martians

--
Regards,
Peter.
http://www.pelicom.net.nz

 
 
 


Post by Eric Teube » Sun, 12 Mar 2006 00:11:48



>> martian sources are mostly fake ip addresses pretending an internal
>> source. However it should not be unrecognized.

> What a load of drivel. Do this...

> echo "0" >/proc/sys/net/ipv4/conf/DEV/log_martians

This will just turn off the messages, but it will not solve the cause!

Eric

 
 
 


Post by Eric Teube » Sun, 12 Mar 2006 08:20:08



> What a load of drivel. Do this...

I hate replying to people who write bullshit and need more experience
but Peter you should put a rm /var/log/messages into your crontab!

Then you will be the most free and secure man in the world.

Eric

--
for mails replace NOSPAM.com by w e b . d e

 
 
 


Post by Eric Teube » Sun, 12 Mar 2006 08:59:11




>>> martian sources are mostly fake ip addresses pretending an internal
>>> source. However it should not be unrecognized.
>> What a load of drivel. Do this...

>> echo "0" >/proc/sys/net/ipv4/conf/DEV/log_martians

> This will just turn off the messages, but it will not solve the cause!

what do i say, Peter knows how to handle such things. Let's see what he
is suggesting besides suppressing log messages.

Eric

--
replace NOSPAM.com by w e b . d e

 
 
 


Post by baholeok » Sun, 12 Mar 2006 20:24:54


> Since 10.0.0.0 is a private network, make sure all traffic from this
> network coming from outside is blocked by your firewall.

In my network eth1 there is only 192.168.... and so on.
Between my provider and my server there is 10.0.0.... and my server
has a public IP (redirection is on the provider's server),
so how should I block it?

> Afterwards, you can ignore these messages.

I can in this situation?

What else can I give to you readers to see what the problem is? I'm not
so good in Linux, so except messages from /var/log, where can I check
why my interface goes down from time to time? And again, what about
martian, can I ignore it?

 
 
 


Post by Bit Twiste » Sun, 12 Mar 2006 22:52:42



> In my network eth1 there is only 192.168.... and so on.
> Between my provider and my server there is 10.0.0.... and my server
> has a public IP (redirection is on the provider's server),
> so how should I block it?

You can block using entries in /etc/shorewall/rules or in
/etc/shorewall/blacklist, and other places using files in
/etc/shorewall.

You can look at the shorewall documentation.

Click up a terminal
locate shorewall | grep /doc | grep index
and cut/paste something like
/usr/share/doc/shorewall-doc-2.4.1/index.html
into your browser.

>> Afterwards, you can ignore these messages.

> I can in this situation?

Yes.

> And again, what about martian, can I ignore it?

Yes, you can block shorewall messages by creating an entry in your
/etc/shorewall/blacklist.

you can use just ip address, port number, ranges......

I'll guess 10.64.39.106 is your provider's modem for your lan.
Try it, put
10.64.39.106
in /etc/shorewall/blacklist, and to load the blacklist, do a
shorewall refresh

Verify your network still works,
service network restart

 
 
 


Post by Eric Teube » Wed, 15 Mar 2006 07:18:01



>> Since 10.0.0.0 is a private network, make sure all traffic from this
>> network coming from outside is blocked by your firewall.

> In my network eth1 there is only 192.168.... and so on.
> Between my provider and my server there is 10.0.0.... and my server
> has a public IP (redirection is on the provider's server),
> so how should I block it?

eth1 is not of interest here.


>> Afterwards, you can ignore these messages.

> I can in this situation?

> What else can I give to you readers to see what the problem is? I'm not
> so good in Linux, so except messages from /var/log, where can I check
> why my interface goes down from time to time? And again, what about
> martian, can I ignore it?

It is quite complex to figure out where the fakes come from. So,
actually what you can do is block the 10.0.0.0 network on your eth0
device. As I said, afterwards you can ignore martians.

The matter of your interface going down, you need to explain a little
closer! When does it happen? It might be a problem with your router,
provider, your firewall box or whatever.

If you experience it again, provide as much information as you can, such
as last entries of /var/log/messages or the device logfile.

Eric

--
replace NOSPAM.com by w e b . d e

 
 
 


Post by Peter Lowri » Wed, 15 Mar 2006 22:24:37




>> What a load of drivel. Do this...

> I hate replying to people who write bullshit and need more experience
> but Peter you should put a rm /var/log/messages into your crontab!

Hate's a bit of a strong term isn't it?

> Then you will be the most free and secure man in the world.

> Eric

1st thing. You are not under attack. There's no need to DROP martian IP's
because you'll spend the rest of your life just blocking them...There's
nothing to block. Martians are simply DNS relics. As an example do a
tcpdump -i eth0 and have a look at all the "who has, tell..." strings with
IP numbers from here to kingdom-come.

As for your ideas relating to messages, I detect a hint of sarcasm.
Your /var/log dir is going to fill up over time with messages.etc.foo.gz
files as they rollover. It's the old gz files you'd crontab.

As to security. I think shorewall is a jerk-off and iptables is far better.
Before iptables was chains. Since 1992, when I started using linux, no-one
has hacked through ssh, I've had no viruses, trojans, rootkits but it
doesn't stop persistent hack attempts - especially from Korean
universities. I only block the worst of them...

-A INPUT -s 123.123.123.123/255.255.255.255 -j DROP

for example. Obviously for internet facing connections strong passwords are
a must.

Hope this helps.

--
Regards,
Peter.
http://www.pelicom.net.nz

 
 
 


Post by Eric Teube » Thu, 16 Mar 2006 04:05:00





>>> What a load of drivel. Do this...
>> I hate replying to people who write bullshit and need more experience
>> but Peter you should put a rm /var/log/messages into your crontab!

> Hate's a bit of a strong term isn't it?

>> Then you will be the most free and secure man in the world.

>> Eric

At first, sorry Peter for the rude reply.

> 1st thing. You are not under attack. There's no need to DROP martian IP's
> because you'll spend the rest of your life just blocking them...There's
> nothing to block. Martians are simply DNS relics. As an example do a
> tcpdump -i eth0 and have a look at all the "who has, tell..." strings with
> IP numbers from here to kingdom-come.

Yes, there is a lot "who has, tell..." stuff in the tcpdump output, but
what does it have to do with the martians? These are normal DNS packets.
Also, the "martian" packets and the related messages in the log are not
permanent or even frequent.

AFAIK martian sources are only logged, if there is a packet with an ip
belonging to private networks received at the external interface. So an
obvious step could be blocking private networks on the public interface.
Afterwards the log messages either could be ignored or turned off as
you suggested.

A while ago, i was facing this problem and the reason has been misrouted
packages by the provider. After letting them know, the problem was gone.
Also a spoofed packet could be the cause of a martian (if i am not
totally wrong).

> As to security. I think shorewall is a jerk-off and iptables is far better.
> Before iptables was chains. Since 1992, when I started using linux, no-one
> has hacked through ssh, I've had no viruses, trojans, rootkits but it
> doesn't stop persistent hack attempts - especially from Korean
> universities. I only block the worst of them...

> -A INPUT -s 123.123.123.123/255.255.255.255 -j DROP

I am also using iptables and have the same experiences as you.

Eric

--
replace NOSPAM.com by w e b . d e
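
[Added example, not written by any poster in this thread: a small Python script that tallies "martian source" kernel messages per interface and source address, so it is visible whether the log shows one upstream device or many different private sources, which is the distinction the posts above argue about. The sample lines, hostname and timestamps are constructed; only the message text of the first two lines comes from the thread.]

```python
import ipaddress
import re
from collections import Counter

# Kernel message format quoted in the thread: "martian source DST from SRC, on dev IF"
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr):
    """Label an IPv4 address by the range it falls in."""
    ip = ipaddress.ip_address(addr)      # raises ValueError on a bad address
    if str(ip) == "255.255.255.255":
        return "limited-broadcast"
    for net in RFC1918:
        if ip in net:
            return "rfc1918 " + str(net)
    return "other"


def summarize(lines):
    """Count martian events per (iface, src, src class, dst class)."""
    counts = Counter()
    for line in lines:
        m = MARTIAN_RE.search(line)
        if not m:
            continue
        try:
            key = (m["dev"], m["src"], classify(m["src"]), classify(m["dst"]))
        except ValueError:               # malformed address in the log line
            continue
        counts[key] += 1
    return counts


# Constructed sample: the message text of the first two lines is the one from
# the thread; hostname, timestamps and the other lines are made up.
SAMPLE = """\
Mar 10 05:20:01 gw kernel: martian source 255.255.255.255 from 10.64.39.106, on dev eth0
Mar 10 05:20:31 gw kernel: martian source 255.255.255.255 from 10.64.39.106, on dev eth0
Mar 10 05:21:07 gw kernel: martian source 203.0.113.5 from 192.168.1.77, on dev eth0
Mar 10 05:21:09 gw sshd[811]: Accepted publickey for admin from 198.51.100.7
""".splitlines()

if __name__ == "__main__":
    for (dev, src, s_cls, d_cls), n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  {dev}  {src} ({s_cls}) -> {d_cls}")
```

[To run it on a real log, pass the open file instead of SAMPLE, for example summarize(open("/var/log/messages")).]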

 
 
 


Post by Peter Lowri » Mon, 20 Mar 2006 21:10:08


Hey Eric

I just found another way to block those martians.

Have a look at /etc/sysctl.conf

You'll see the string involved, change it!

--
Regards,
Peter.
http://www.pelicom.net.nz

 
 
 


Post by Eric Teube » Wed, 22 Mar 2006 07:26:40



> Hey Eric

> I just found another way to block those martians.

> Have a look at /etc/sysctl.conf

> You'll see the string involved, change it!

Hi Peter,

Thanks for the hint, but i don't know what you are talking about.

The /etc/sysctl.conf does not contain anything regarding martians (i am
running SuSE 9.3).

What entry did you find?

Eric

--
replace NOSPAM.com by w e b . d e

 
 
 


Post by Fish Printer » Wed, 22 Mar 2006 16:19:43


Hi, I just want to link a machine running Linux Ubuntu on my network using a
4-port broadband router and also need to know how to create a dialup on
the Linux machine, please help

success



> > Hey Eric

> > I just found another way to block those martians.

> > Have a look at /etc/sysctl.conf

> > You'll see the string involved, change it!

> Hi Peter,

> Thanks for the hint, but i don't know what you are talking about.

> The /etc/sysctl.conf does not contain anything regarding martians (i am
> running SuSE 9.3).

> What entry did you find?

> Eric

> --
> replace NOSPAM.com by w e b . d e