Interesting thought.

The firewall rules are the same for this server as all the other servers
and none of the other servers are showing this anomaly in their logs.

I went ahead and deleted the rule, then recreated it, then tested again.
Same results.

The day that I started getting these weird entries was the first day that
server was logged into from offsite and right after installing some yum
updates.  I looked through the Logwatch emails and these yum updates
correspond to that same day.  Any chance one of these could change the way
that this information is being logged?  I can tail /var/log/secure and
watch it log the wrong IP address when I log in from home.

Packages Updated:
    nss-3.15.3-7.el5_10.i386
    httpd-manual-2.2.3-87.el5_10.x86_64
    1:mod_ssl-2.2.3-87.el5_10.x86_64
    nspr-4.10.6-1.el5_10.i386
    nss-tools-3.15.3-7.el5_10.x86_64
    firefox-24.7.0-1.el5_10.i386
    nss-3.15.3-7.el5_10.x86_64
    httpd-2.2.3-87.el5_10.x86_64
    firefox-24.7.0-1.el5_10.x86_64
    nspr-4.10.6-1.el5_10.x86_64

On Thu, Aug 7, 2014 at 10:42 AM, Tilghman Lesher <[email protected]> wrote:

> On Wed, Aug 6, 2014 at 3:20 PM, Chris McQuistion <[email protected]> wrote:
> > This is a weird problem.
> >
> > I get the daily logwatch emails from our various servers and one of the
> > things that I eyeball on a regular basis is the "Users logging in through
> > sshd".  I like to make sure that I don't see any logins from IP addresses
> > that I don't recognize (as well as failed login attempts.)
> >
> > We changed our firewall about a week and a half ago, over to Untangle.
> > This has had no negative effect on any of the usual behavior except for
> > one of our servers, a database server running RHEL 5.X (64 bit, fully up
> > to date.)
> >
> > On this one system, I'm now seeing the following line in its daily
> > Logwatch email:
> >
> > 192.168.1.254 (firewall.watkins.edu): 2 times
> >
> > That IP address is the firewall, itself.  The firewall is NOT actually
> > logging into this server.  My Linux box at home is logging in via SSH,
> > every day, to run backups.  In the past, and with every other server that
> > I remotely back up via SSH, every day, the Logwatch email reflects the IP
> > address of my cable modem at home.
> >
> > In this one case, this server shows 192.168.1.254 (the firewall) as the
> > source IP address instead of the "real" source IP address.
> >
> > Port forwarding to this server is set up exactly the same way as all the
> > other servers.  The backup program I'm running at home (dirvish) connects
> > to this server, just like the other servers.
> >
> > The only variable that has changed is the firewall and possibly some
> > recently-run yum updates.  The only unique thing about this server is
> > that it is our only RHEL 5 server.  We also have a RHEL 6 server and
> > several CentOS 5/6 servers.
> >
> > Any ideas?
>
> I suspect a difference in how your firewall is set up to forward those
> packets.  I'd look at the underlying iptables commands, not the
> frontend information.  It sounds like the firewall is rewriting the
> source address on those packets.
>
> --
> Tilghman
>
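An added example, not code from anyone in this thread: a small shell script that summarises accepted sshd logins per source address from /var/log/secure-style lines (the same data behind Logwatch's "Users logging in through sshd" section) and flags any recorded as coming from the firewall's own inside address, which on this server would mean the forwarded connection is being source-NATed and the real client IP never reaches the log. The log lines are constructed samples; 192.168.1.254 is the firewall address given in the thread, everything else is made up.

```shell
#!/bin/bash
# Added example, not code from anyone in the thread.
# Summarise accepted sshd logins per source IP from /var/log/secure-style lines
# and flag any whose recorded source is the firewall's own inside address.
# 192.168.1.254 is the firewall address named in the thread; the log lines are
# constructed samples (hostname, users and other IPs are made up).
FIREWALL_IP="192.168.1.254"

SAMPLE_LOG='Aug  7 02:00:01 db1 sshd[4121]: Accepted publickey for backup from 192.168.1.254 port 51522 ssh2
Aug  7 02:00:03 db1 sshd[4130]: Accepted publickey for backup from 192.168.1.254 port 51540 ssh2
Aug  7 09:15:44 db1 sshd[5012]: Accepted password for cmcq from 10.20.30.40 port 60211 ssh2
Aug  7 09:16:10 db1 sshd[5020]: Failed password for root from 203.0.113.9 port 4455 ssh2'

# login_counts LOGTEXT: print "IP count" for each source IP with at least one
# accepted login (failed attempts are ignored), sorted by IP.
login_counts() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print ip, n[ip] }' | sort
}

# firewall_login_count LOGTEXT FIREWALL_IP: number of accepted logins recorded
# as coming from the firewall itself (0 when there are none).
firewall_login_count() {
    login_counts "$1" | awk -v fw="$2" 'BEGIN { c = 0 } $1 == fw { c = $2 } END { print c }'
}

# report LOGTEXT FIREWALL_IP: print a Logwatch-style summary and warn when the
# firewall shows up as a login source. Returns 1 in that case so the check can
# be run from cron or a monitoring job.
report() {
    login_counts "$1" | while read -r ip count; do
        printf '%s: %s times\n' "$ip" "$count"
    done
    c=$(firewall_login_count "$1" "$2")
    if [ "$c" -gt 0 ]; then
        echo "WARNING: $c login(s) recorded from firewall $2; the forwarded" \
             "connections are probably being source-NATed and the real client" \
             "IP is not reaching the log" >&2
        return 1
    fi
    return 0
}

report "$SAMPLE_LOG" "$FIREWALL_IP" || :
```

On a real server, feed it the contents of /var/log/secure instead of SAMPLE_LOG and set FIREWALL_IP to the firewall's inside address; once the firewall stops rewriting the source, the warning disappears and the real client addresses reappear in the summary.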
