[BUGS] Strange NIC behavior

jonathan michaels jlm at caamora.com.au
Mon Jan 14 11:53:54 EST 2008


On Mon, Jan 14, 2008 at 04:00:27AM +1100, Jerahmy Pocott wrote:
> Hmm,
> 
> I've noticed in my security logs recently a message saying that fxp0  
> link state changed to down/up a number of times.. At first I didn't  
> think much of it but it has continued to happen.. There are also a  
> massive amount of ntpd messages in /var/log/messages..
> 
> Here is a snippet:
> 
> Jan 13 11:15:59 beastie ntpd[540]: kernel time sync enabled 6001
> Jan 13 11:33:03 beastie ntpd[540]: kernel time sync enabled 2001
> Jan 13 12:58:29 beastie ntpd[540]: kernel time sync enabled 6001
> Jan 13 13:15:33 beastie ntpd[540]: kernel time sync enabled 2001
> Jan 13 14:44:41 beastie kernel: fxp0: link state changed to DOWN
> Jan 13 14:44:43 beastie kernel: fxp0: link state changed to UP
> Jan 13 14:48:11 beastie kernel: fxp0: link state changed to DOWN
> Jan 13 14:48:12 beastie kernel: fxp0: link state changed to UP
> Jan 13 14:58:00 beastie ntpd[540]: kernel time sync enabled 6001
> Jan 13 15:15:05 beastie ntpd[540]: kernel time sync enabled 2001
> Jan 13 17:31:42 beastie ntpd[540]: kernel time sync enabled 6001
> Jan 13 17:48:47 beastie ntpd[540]: kernel time sync enabled 2001
> 
> I'm not sure why the time sync keeps changing between 6001 and 2001?  

it happens to you too, wonder how many others are having this
issue as well,

on this host, it is a proliant 1850 that will not boot v6.2
(any v6 freebsd) and is currently running freebsd ..

FreeBSD 5.4-RELEASE #0: Sun May 8 10:21:06 UTC 2005

with this ethernet card tl0: <Compaq Netelligent 10/100 Proliant>,
i have a few others with fxp0 nics and i don't recall seeing
the up/down cycling, if it's important i can pull a fxp0 and put
into a working machine, but from the below i do not think that
your two behaviours are intimately linked ???

Nov 27 07:19:43 caamora sshd[70648]: fatal: Timeout before authentication for 202.188.101.103
Nov 27 10:32:21 caamora sudo:      jlm : TTY=ttyp4 ; PWD=/home/jlm ; USER=root ; COMMAND=/usr/sbin/ntpd -c /etc/ntp.conf
Nov 27 10:32:21 caamora ntpd[71046]: ntpd 4.2.0-a Sun May  8 06:01:21 UTC 2005 (1)
Nov 27 10:44:04 caamora ntpd[71046]: time reset +184.407138 s
Nov 27 10:44:04 caamora ntpd[71046]: kernel time sync disabled 2041
Nov 27 11:02:12 caamora ntpd[71046]: kernel time sync enabled 2001
Nov 27 16:18:19 caamora ntpd[71046]: kernel time sync enabled 6001
Nov 27 16:24:12 caamora ntpd[71046]: kernel time sync enabled 2001

before this i have no mention of this behaviour going back a
year, two, possibly, not sure.

> It is happening constantly.. But there are also a number of these  
> cases, always in pairs like you can see here where the link state  
> changes to down, then to up, then to down, then back up again ALWAYS  
> spaced 4 minutes apart from each other with the link coming back up  
> within 1-2 seconds. This seems to be happening every 2-6 hours!

maybe you have two different issues ?? 
 
> Since it's always 4 minutes between the two up/down cycles this has to  
> be some sort of programmed behavior..

that sounds sane to me
 
> I've also been experiencing a very large volume of brute force attacks  
> on this machine's sshd, seeming to be coming from Taiwan.. Could this  
> be related somehow? Perhaps it's some sort of attack?

i'm getting some sshd assaults, possibly being throttled with
the new (for me) pf firewall .. i got a basic firewall config
from a friend but i need to become familiar and rebuild it a
bit tighter .. well that's the plan.

i've just done a quick poll on all the machines and most of
them are doing the 2001/6001 business, except the old reliable
p5 running v2.2.5-release.

regards

jonathan

-- 
================================================================
powered by ..
QNX, OS9 and freeBSD  --  http://caamora com au/operating system
==== === appropriate solution in an inappropriate world === ====
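
An added example, not part of the original message or the FreeBSD project's code: one way to measure the link flaps discussed above from /var/log/messages instead of eyeballing them, and to count sshd log lines near each flap. The function names, the assumed year 2008, the 120-second window and the sshd sample line (documentation address 192.0.2.10) are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Link-state lines are quoted from the message above; the sshd line is constructed.
SAMPLE = """\
Jan 13 14:44:41 beastie kernel: fxp0: link state changed to DOWN
Jan 13 14:44:43 beastie kernel: fxp0: link state changed to UP
Jan 13 14:46:02 beastie sshd[911]: Failed password for root from 192.0.2.10 port 4022 ssh2
Jan 13 14:48:11 beastie kernel: fxp0: link state changed to DOWN
Jan 13 14:48:12 beastie kernel: fxp0: link state changed to UP
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")
LINK = re.compile(r"^(\w+): link state changed to (UP|DOWN)$")

def parse(text, year=2008):
    """Yield (timestamp, program, message); syslog omits the year, so it is assumed."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(3), m.group(4)

def flaps(events):
    """Pair each DOWN with the next UP on the same interface: (iface, down, up)."""
    pending, out = {}, []
    for ts, prog, msg in events:
        m = LINK.match(msg) if prog == "kernel" else None
        if not m:
            continue
        iface, state = m.groups()
        if state == "DOWN":
            pending.setdefault(iface, ts)   # keep the first DOWN if repeated
        elif iface in pending:
            out.append((iface, pending.pop(iface), ts))
    return out

def report(text, window=timedelta(seconds=120)):
    """Per flap: outage length, gap since the previous DOWN, sshd lines within window."""
    events, rows, last_down = list(parse(text)), [], {}
    for iface, down, up in flaps(events):
        gap = (down - last_down[iface]).total_seconds() if iface in last_down else None
        near = sum(1 for ts, prog, _ in events if prog == "sshd" and abs(ts - down) <= window)
        rows.append({"iface": iface, "outage_s": (up - down).total_seconds(),
                     "gap_s": gap, "sshd_near": near})
        last_down[iface] = down
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```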

