Re: weirdness in my security report

From: Bruce A. Mah (bmah@FreeBSD.ORG)
Date: 07/18/02


To: "Craig Miller" <craig@millerfam.net>
From: "Bruce A. Mah" <bmah@FreeBSD.ORG>
Date: Thu, 18 Jul 2002 11:05:06 -0700


If memory serves me right, "Craig Miller" wrote:

> Anyone have any ideas as to what might be causing the following to appear in my security report?
>
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> > Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> > Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
>
> I thought those :-delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my FreeBSD box. I have not checked the MAC addresses of the other network cards on my network.

It means that the MAC layer address associated with the IP address
12.236.220.1 changed. You don't get these messages for *your*
interfaces; you get them for other interfaces on networks directly
connected to your (in this case, dc0) interface.

If you and I have machines with interfaces on the same network, and I
power mine down, replace the network interface, and reboot, you'd get
this notification about my machine. You could also see this if someone
was successful at hijacking my IP address. There are many other
explanations, some benign and some not. See arp(4) for more details.

> Also, where does the "server /kernel" name come from? "kernel" is not the name I gave my kernel, so I am suspicious.

/kernel is the pathname to your kernel (which is not the same as the
kernel configuration name).

Bruce.

PS. Please don't post multipart text and HTML emails to the lists.
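The distinction Bruce draws above (one permanent move, as with a replaced NIC, versus an address bouncing between two MACs, as when two hosts both answer ARP for the same IP) can be checked mechanically against /var/log/messages. The script below is an added example written for this page, not code from the thread or from FreeBSD; it parses the timestamped arp(4) "moved" lines in the format shown in Craig's report, counts how often an IP reverts to a MAC it recently left, and compares the MACs seen against a trusted list you have verified out of band. The sample log embeds the two timestamped lines from the report; the third 12.236.220.1 line, the 12.236.220.7 host, its MACs and the sshd line are constructed for illustration, and the 60-second flap window and the "trusted MAC" for the gateway are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the arp(4) "moved" message as syslog writes it to /var/log/messages,
# i.e. with the "Mon DD HH:MM:SS host program:" prefix seen in the report above.
# Lines without that prefix (the bare "arp: ..." copies in the report) carry no
# time, so they are deliberately not matched.
ARP_MOVED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ "
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from "
    r"(?P<old>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) to "
    r"(?P<new>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<ifn>\S+)$"
)


def parse_line(line):
    """Return a dict for one 'arp: ... moved' line, or None for anything else."""
    m = ARP_MOVED.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # syslog omits the year; strptime fills in 1900, which is fine for
    # computing deltas within one report.
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def analyze(lines, window_seconds=60):
    """Group 'moved' events per IP and count flaps: an IP returning to a MAC
    it left less than window_seconds earlier (window is an assumed value).
    A single change that never reverts is what a replaced NIC looks like;
    repeated reversions mean two hosts are answering ARP for the same address."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    report = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        flaps = 0
        for i, ev in enumerate(events):
            for prev in events[:i]:
                if (prev["old"] == ev["new"]
                        and (ev["ts"] - prev["ts"]).total_seconds() <= window_seconds):
                    flaps += 1
                    break
        macs = sorted({e["old"] for e in events} | {e["new"] for e in events})
        report[ip] = {
            "interface": events[0]["ifn"],
            "changes": len(events),
            "macs": macs,
            "flaps": flaps,
            "verdict": ("flapping: two hosts claim this IP (duplicate address or ARP hijack)"
                        if flaps else "single move: NIC replaced or host rebuilt"),
        }
    return report


def unexpected_macs(report, known_good):
    """Compare the MACs seen for each IP in known_good against the set you have
    verified out of band (the gateway's real MAC from your ISP, or `arp -a` on
    a host you trust). Returns ip -> MACs seen that are not on the trusted list."""
    out = {}
    for ip, trusted in known_good.items():
        if ip in report:
            bad = [m for m in report[ip]["macs"] if m not in trusted]
            if bad:
                out[ip] = bad
    return out


# Constructed sample: the first two lines are the timestamped entries from the
# report above; the rest are made up for illustration (the third line, the
# 12.236.220.7 host, its MACs and the sshd line are hypothetical).
SAMPLE_LOG = """\
Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
Jul 17 05:48:10 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
Jul 17 09:12:03 server /kernel: arp: 12.236.220.7 moved from 00:50:04:aa:bb:cc to 00:50:04:aa:bb:dd on dc0
Jul 17 09:12:04 server sshd[1234]: Accepted publickey for craig from 12.236.220.7 port 51022
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for ip, r in result.items():
        print(f"{ip} on {r['interface']}: {r['changes']} change(s), "
              f"{r['flaps']} flap(s) -> {r['verdict']}")
    # Assumed trusted list: the MAC you believe the .1 gateway should have.
    print("unexpected:", unexpected_macs(result, {"12.236.220.1": {"00:b0:64:b7:6f:54"}}))
```

Run it against the real /var/log/messages with `analyze(open("/var/log/messages").readlines())`. A flapping verdict on the gateway address (.1 here) is worth a call to whoever runs that router: if the second MAC is not theirs, something on the segment is answering ARP for the gateway and can see traffic that should leave the network.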
