Uncontrolled, spontaneous internet connections

Hi,

Running squeeze for two weeks (sid between September and January), and just now I couldn't log in on the console on tty1, which kept printing the following lines one after the other. I find them much earlier as well, for example:

Jan 9 13:12:08 michel dhclient: DHCPREQUEST on eth0 to 192.168.1.1 port 67
Jan 9 13:12:08 michel dhclient: send_packet: Operation not permitted
Jan 9 13:12:08 michel kernel: [103718.318124] DROPPED IN= OUT=eth0 SRC=192.168.1.2 DST=192.168.1.1 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308
Jan 9 13:12:24 michel dhclient: DHCPREQUEST on eth0 to 192.168.1.1 port 67

I went to look at the system logs, and syslog is full of these lines.
I know nothing about iptables; I have guarddog installed but haven't created any particular rules (apart from some protocols, I don't remember which). The message kept coming even after I had disabled iptables.

I searched without finding any really clear information. The message seems to correspond to a lease renewal request for my IP, but I don't see why it would be blocked.

I also have the following lines repeating, several times a minute.

The last one worries me in particular, because the IP address (src=213.186.33.16) changes regularly and points to different sites, from fnac to blank or protected sites. Does anyone have an idea?

Stef

Hi,
Post the output of:

The lines filling your tty don't stop you from typing at the console (though it's not convenient...)
It's information being redirected (to the ttys rather than to a log file)

Hi,

Here is the output of iptables -L:

[code]Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- 192.168.1.2 192.168.1.255
logaborted tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp flags:RST/RST
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
nicfilt all -- anywhere anywhere
srcfilt all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
srcfilt all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
s1 all -- anywhere anywhere

Chain f0to1 (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:www state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:http-alt state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:8008 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:8000 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:8888 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:pop2 state NEW
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ntp state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:nntp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:printer state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:pop3s state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:8880 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:6969 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:imap2 state NEW
ACCEPT udp -- anywhere anywhere udp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:6881:6889 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:whois state NEW
ACCEPT udp -- anywhere anywhere udp dpt:43
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:hkp state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ssmtp state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:8118 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ftp state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:888 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:https state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:imaps state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:pop3 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:smtp state NEW
ACCEPT udp -- anywhere anywhere udp spts:1024:65535 dpt:time
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:time state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:6881:6889 state NEW
ACCEPT udp -- anywhere anywhere udp dpts:6970:7170
logdrop all -- anywhere anywhere

Chain f1to0 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpts:6881:6889 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:www state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:http-alt state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8008 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8000 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8888 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:pop2 state NEW
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:ntp state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:nntp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:printer state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:pop3s state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8880 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:6969 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:imap2 state NEW
ACCEPT udp -- anywhere anywhere udp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:mysql state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpts:6881:6889 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:whois state NEW
ACCEPT udp -- anywhere anywhere udp dpt:43
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:hkp state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:auth state NEW
ACCEPT udp -- anywhere anywhere udp dpt:113
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:ssmtp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:rtsp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:7070 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8118 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:ftp state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:888 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:https state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:imaps state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:pop3 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:smtp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp spts:1024:5999 dpt:time
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:time state NEW
logdrop all -- anywhere anywhere

Chain logaborted (1 references)
target prot opt source destination
logaborted2 all -- anywhere anywhere limit: avg 1/sec burst 10
LOG all -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '

Chain logaborted2 (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `ABORTED '
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain logdrop (4 references)
target prot opt source destination
logdrop2 all -- anywhere anywhere limit: avg 1/sec burst 10
LOG all -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
DROP all -- anywhere anywhere

Chain logdrop2 (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `DROPPED '
DROP all -- anywhere anywhere

Chain logreject (0 references)
target prot opt source destination
logreject2 all -- anywhere anywhere limit: avg 1/sec burst 10
LOG all -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP all -- anywhere anywhere

Chain logreject2 (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `REJECTED '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP all -- anywhere anywhere

Chain nicfilt (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
logdrop all -- anywhere anywhere

Chain s0 (1 references)
target prot opt source destination
f0to1 all -- anywhere 192.168.1.2
f0to1 all -- anywhere 192.168.1.255
f0to1 all -- anywhere localhost
logdrop all -- anywhere anywhere

Chain s1 (1 references)
target prot opt source destination
f1to0 all -- anywhere anywhere

Chain srcfilt (2 references)
target prot opt source destination
s0 all -- anywhere anywhere[/code]

I also went to look at my router's configuration. I had opened a port (51413 as a "virtual server" to 192.168.1.2) to be able to use Transmission (the eMule of Linux [edit: I've just had a coffee, no comment...]). I don't know why I did something that stupid, since I had never needed to do it before... Anyway, I removed it last night and rebooted everything. I no longer get the "DHCP request" messages, but there are still connections to IPs in syslog... At boot, two lines at the end (which I think had been appearing for some time already), but which were polluting tty1 yesterday:

[ 22.540355] eth0: no IPv6 routers present
[ 23.468397] DROPPED IN= OUT=eth0 SRC=192.168.1.2 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF OPT (94040000) PROTO=2
[ 23.609482] DROPPED IN= OUT=eth0 SRC=192.168.1.2 DST=224.0.0.251 LEN=257 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=237


Stef
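Reading the rule dump above together with the log lines: OUTPUT has policy DROP, and apart from the first unqualified ACCEPT (the interface column is hidden without -v; in a guarddog ruleset that is the loopback rule) and the RELATED,ESTABLISHED rule, new outbound traffic is only accepted by what s1 -> f1to0 lists. f1to0 has no entry for UDP 68 -> 67 (DHCP), IP protocol 2 (IGMP) or UDP 5353 (mDNS), so those three locally generated packets fall through to logdrop, which is where the DROPPED ... OUT=eth0 lines come from. A packet dropped in OUTPUT is reported back to the sending program as EPERM, which is the "send_packet: Operation not permitted" dhclient prints right after its DHCPREQUEST. The ABORTED lines come from the logaborted chain in INPUT, which logs (and then accepts) inbound TCP segments with the RST flag on established connections. The Python below is an added example, not part of this thread or of guarddog: it parses netfilter LOG lines of this shape and tags each one, run over constructed sample input (the three DROPPED lines posted above plus an invented ABORTED line using the documentation address 203.0.113.10).

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample input, modelled on the lines quoted in the thread. The first three
# are the DROPPED lines posted above; the fourth is an invented ABORTED line (documentation
# address 203.0.113.10) in the shape guarddog's logaborted chain produces for an inbound RST.
SAMPLE_LOG = """\
Jan 9 13:12:08 michel kernel: [103718.318124] DROPPED IN= OUT=eth0 SRC=192.168.1.2 DST=192.168.1.1 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308
[   23.468397] DROPPED IN= OUT=eth0 SRC=192.168.1.2 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF OPT (94040000) PROTO=2
[   23.609482] DROPPED IN= OUT=eth0 SRC=192.168.1.2 DST=224.0.0.251 LEN=257 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=237
Jan 9 13:20:01 michel kernel: [104191.512345] ABORTED IN=eth0 OUT= SRC=203.0.113.10 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=80 DPT=43512 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

# Log prefixes used by guarddog's logdrop2/logaborted2/logreject2 and the LIMITED fallbacks.
PREFIX_RE = re.compile(r"\b(DROPPED|ABORTED|REJECTED|LIMITED)\b")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

DESCRIPTIONS = {
    "dhcp-client": "local dhclient renewing its lease (blocked by OUTPUT policy DROP here)",
    "igmp": "IGMP membership report to a multicast group, TTL 1, never leaves the LAN",
    "mdns": "multicast DNS announcement (avahi and friends), never leaves the LAN",
    "tcp-rst": "remote end tore down an established connection with RST",
    "other": "not matched by the rules in this example",
}


def parse_log_line(line):
    """Turn one netfilter LOG line into a dict of its KEY=VALUE fields.

    Returns None for lines that carry none of the prefixes above (e.g. the
    dhclient messages). Empty values (IN= on locally generated packets) are
    kept as "" so the direction can be read off IN/OUT.
    """
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rest = line[m.end():]
    rec = {"prefix": m.group(1)}
    for key, value in FIELD_RE.findall(rest):
        rec.setdefault(key, value)  # LEN appears twice (IP total, then UDP); keep the IP one
    rec["flags"] = {w for w in re.findall(r"\b[A-Z]+\b", rest) if w in TCP_FLAGS}
    rec["direction"] = "outbound" if rec.get("OUT") else "inbound"
    return rec


def classify(rec):
    """Map a parsed record to a short tag saying what kind of traffic it was."""
    proto, dst = rec.get("PROTO"), rec.get("DST", "0.0.0.0")
    spt, dpt = rec.get("SPT"), rec.get("DPT")
    multicast = ip_address(dst).is_multicast
    if proto == "UDP" and spt == "68" and dpt == "67":
        return "dhcp-client"
    if proto == "2" and multicast:
        return "igmp"
    if proto == "UDP" and dpt == "5353" and dst == "224.0.0.251":
        return "mdns"
    if proto == "TCP" and "RST" in rec["flags"] and rec["direction"] == "inbound":
        return "tcp-rst"
    return "other"


def summarize(log_text):
    """Count (prefix, tag) pairs over a whole log extract."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is not None:
            counts[(rec["prefix"], classify(rec))] += 1
    return counts


if __name__ == "__main__":
    for (prefix, tag), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {prefix:<8} {tag:<12} {DESCRIPTIONS[tag]}")
```

Feed it `grep -E 'DROPPED|ABORTED' /var/log/syslog` instead of SAMPLE_LOG to get the same breakdown for a real box; anything landing in "other" is what deserves a closer look, the four tagged kinds are housekeeping traffic the firewall is logging, not connections something on the machine opened on its own.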

Re,

I'll skip the details; Yahoo turned out more useful than Google for the search. It's a matter of iptables logging levels.

The "aborted" messages correspond to websites disconnecting by sending a certain packet (RST), which is also sent by people attempting port scans.

More info here:
simonzone.com/software/guard … ngtab.html

iptables, at least with guarddog, dumps its messages into syslog. To avoid them, you have to uncheck "log aborted connections" in guarddog. That was what worried me most.

The dhcprequest messages disappeared when I removed the virtual server in my router, it seems. The dropped messages can be made to disappear by editing /etc/sysctl.conf, one line of which concerns syslog logging, and in particular messages showing up automatically on the console:

# Uncomment the following to stop low-level messages on console
kernel.printk = 4 4 1 7

See here:
sortie-d-erreur-sur-la-console-root-etc-sysctl-conf-t19041.html

I can't quite get the setting right: the messages no longer show up on the console by themselves, but they still appear in dmesg. But that's not really a problem.

Stef
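The behaviour in the last post is exactly what kernel.printk does: the first of its four numbers is console_loglevel, and the kernel prints a message on the console only when the message's priority number is strictly lower than it. guarddog's LOG rules use "LOG level warning", which is priority 4, so with the Debian-suggested "4 4 1 7" they stay off the console (4 is not below 4) while errors at priority 3 still get through; the default "7 4 1 7" lets everything up to info through, which is why the lines were landing on tty1. console_loglevel has no effect on the kernel ring buffer or on what klogd/rsyslog read from it, so the same lines keep appearing in dmesg and syslog; silencing them there means removing the LOG rules (in guarddog, the logging options) rather than tuning printk. The Python below is an added example, not from the thread or from Debian, that encodes this rule so the setting can be checked before it is written to /etc/sysctl.conf.

```python
# Syslog priority numbers, shared by iptables' LOG --log-level and kernel.printk.
SYSLOG_LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                 "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Meaning of the four fields of kernel.printk, in order.
PRINTK_FIELDS = ("console_loglevel", "default_message_loglevel",
                 "minimum_console_loglevel", "default_console_loglevel")


def parse_printk(value):
    """Parse the four numbers of kernel.printk (e.g. "4 4 1 7") into a dict."""
    fields = value.split()
    if len(fields) != 4:
        raise ValueError(f"kernel.printk needs four fields, got {value!r}")
    return dict(zip(PRINTK_FIELDS, map(int, fields)))


def level_number(level):
    """Accept either a syslog level name ("warning") or its number (4)."""
    return SYSLOG_LEVELS[level] if isinstance(level, str) else int(level)


def reaches_console(printk_value, level):
    """True if a kernel message of this priority is printed on the console.

    The kernel prints a message when its priority number is strictly below
    console_loglevel, so with "4 4 1 7" a 'warning' (4) stays off the console
    while an 'err' (3) still appears.
    """
    return level_number(level) < parse_printk(printk_value)["console_loglevel"]


def quiet_console_setting(printk_value, level):
    """Return a kernel.printk string that keeps messages of `level` and anything
    less urgent off the console, leaving the other three fields untouched."""
    cfg = parse_printk(printk_value)
    cfg["console_loglevel"] = level_number(level)
    return " ".join(str(cfg[name]) for name in PRINTK_FIELDS)


def sysctl_line(printk_value):
    """The line to put in /etc/sysctl.conf (apply with `sysctl -p`)."""
    return f"kernel.printk = {parse_printk(printk_value) and printk_value}"


if __name__ == "__main__":
    # Default kernel value on the one hand, the firewall's LOG level on the other.
    current = "7 4 1 7"
    print("warning reaches console with", current, "->", reaches_console(current, "warning"))
    quiet = quiet_console_setting(current, "warning")
    print("suggested:", sysctl_line(quiet))
    print("warning reaches console with", quiet, "->", reaches_console(quiet, "warning"))
    print("err reaches console with", quiet, "->", reaches_console(quiet, "err"))
```

On a live system, `cat /proc/sys/kernel/printk` gives the current value to pass as `printk_value`, and `dmesg -n 4` changes only the first field at run time without touching sysctl.conf.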