i'm using 2.1-BETA0 (i386) [built on Fri Jul 13 19:59:57 EDT 2012], and see some unexpected behavior in the system and gateway logs. they are generally in chronological order, but not quite, and there is what seems like an odd jump prior to recent entries. for example, in the system log, there are what seem to be out-of-order entries between july 23 and 24:

Jul 23 20:39:44 gw1 sshd[32939]: Failed password for root from 37.123.96.242 port 58139 ssh2
Jul 24 00:58:39 ap2 ap3 ntp: Clock synchronized to network time server ntp.example.net (adjusted -0 seconds)
Jul 23 21:04:11 gw1 dhclient: RENEW
Jul 23 21:04:11 gw1 dhclient: Creating resolv.conf
Jul 24 01:04:45 ap2 ap3 dot11: Rotated CCMP group key.
Jul 23 21:34:11 gw1 dhclient: RENEW
Jul 23 21:34:11 gw1 dhclient: Creating resolv.conf
Jul 24 02:00:46 ap2 ap3 ntp: Clock synchronized to network time server ntp.example.net (adjusted -0 seconds)
Jul 23 22:04:11 gw1 dhclient: RENEW
Jul 23 22:04:11 gw1 dhclient: Creating resolv.conf
Jul 24 02:04:45 ap2 ap3 dot11: Rotated CCMP group key.
Jul 23 22:33:36 gw1 sshd[6531]: Did not receive identification string from 61.29.147.194
Jul 23 22:34:11 gw1 dhclient: RENEW
Jul 23 22:34:11 gw1 dhclient: Creating resolv.conf
Jul 23 22:35:49 gw1 sshd[37834]: Failed password for root from 61.29.147.194 port 60620 ssh2
Jul 23 22:35:51 gw1 sshd[38208]: Failed password for root from 61.29.147.194 port 28804 ssh2
Jul 23 22:35:53 gw1 sshd[38410]: Failed password for root from 61.29.147.194 port 51919 ssh2
Jul 23 22:35:55 gw1 sshd[38970]: Failed password for root from 61.29.147.194 port 61876 ssh2
Jul 23 22:35:57 gw1 sshd[39280]: Failed password for root from 61.29.147.194 port 39842 ssh2
Jul 23 22:35:58 gw1 sshd[39787]: Failed password for root from 61.29.147.194 port 22725 ssh2
Jul 23 22:36:00 gw1 sshd[40074]: Failed password for root from 61.29.147.194 port 61256 ssh2
Jul 23 22:36:02 gw1 sshd[40336]: Failed password for root from 61.29.147.194 port 5201 ssh2
Jul 23 22:36:04 gw1 sshd[40589]: Failed password for root from 61.29.147.194 port 33821 ssh2
Jul 23 22:36:06 gw1 sshd[40944]: Failed password for root from 61.29.147.194 port 52537 ssh2
Jul 23 22:36:08 gw1 sshd[41425]: Failed password for root from 61.29.147.194 port 52729 ssh2
Jul 23 22:36:10 gw1 sshd[54097]: Failed password for root from 61.29.147.194 port 54599 ssh2
Jul 23 22:36:12 gw1 sshd[54565]: Failed password for root from 61.29.147.194 port 59313 ssh2
Jul 23 22:36:14 gw1 sshd[54904]: Failed password for root from 61.29.147.194 port 3380 ssh2
Jul 23 22:36:16 gw1 sshd[55413]: Failed password for root from 61.29.147.194 port 36063 ssh2
Jul 23 22:36:16 gw1 sshlockout[14378]: Locking out 61.29.147.194 after 15 invalid attempts
Jul 23 23:04:11 gw1 dhclient: RENEW
Jul 23 23:04:11 gw1 dhclient: Creating resolv.conf
Jul 24 03:04:45 ap2 ap3 dot11: Rotated CCMP group key.
Jul 24 03:06:10 ap2 ap3 ntp: Clock synchronized to network time server ntp.example.net (adjusted -0 seconds)
Jul 23 23:34:11 gw1 dhclient: RENEW
Jul 23 23:34:11 gw1 dhclient: Creating resolv.conf
Jul 23 23:47:48 gw1 sshd[1670]: Failed password for root from 123.30.140.22 port 58986 ssh2
Jul 23 23:47:50 gw1 sshd[2048]: Failed password for root from 123.30.140.22 port 59745 ssh2
Jul 23 23:47:52 gw1 sshd[2396]: Failed password for root from 123.30.140.22 port 60283 ssh2
Jul 23 23:47:54 gw1 sshd[2702]: Failed password for root from 123.30.140.22 port 60979 ssh2
Jul 23 23:47:56 gw1 sshd[2929]: Failed password for root from 123.30.140.22 port 33302 ssh2
Jul 23 23:47:59 gw1 sshd[3329]: Failed password for root from 123.30.140.22 port 33962 ssh2
Jul 23 23:48:01 gw1 sshd[3475]: Failed password for root from 123.30.140.22 port 34545 ssh2
Jul 23 23:48:03 gw1 sshd[3623]: Failed password for root from 123.30.140.22 port 51781 ssh2
Jul 23 23:48:05 gw1 sshd[3926]: Failed password for root from 123.30.140.22 port 52567 ssh2
Jul 23 23:48:07 gw1 sshd[4610]: Failed password for root from 123.30.140.22 port 53028 ssh2
Jul 23 23:48:10 gw1 sshd[5022]: Failed password for root from 123.30.140.22 port 53791 ssh2
Jul 23 23:48:12 gw1 sshd[5295]: Failed password for root from 123.30.140.22 port 54429 ssh2
Jul 23 23:48:14 gw1 sshd[5412]: Invalid user oracle from 123.30.140.22
Jul 23 23:48:14 gw1 sshd[5412]: Failed password for invalid user oracle from 123.30.140.22 port 54980 ssh2
Jul 23 23:48:16 gw1 sshd[5524]: Invalid user test from 123.30.140.22
Jul 23 23:48:16 gw1 sshlockout[14378]: Locking out 123.30.140.22 after 15 invalid attempts
Jul 23 23:48:16 gw1 sshd[5524]: Failed password for invalid user test from 123.30.140.22 port 55636 ssh2
Jul 23 23:48:16 gw1 sshlockout[14378]: Locking out 123.30.140.22 after 15 invalid attempts
Jul 24 00:04:11 gw1 dhclient: RENEW
Jul 24 00:04:11 gw1 dhclient: Creating resolv.conf
Jul 24 04:04:45 ap2 ap3 dot11: Rotated CCMP group key.

there is also what seems like missing log data prior to jul 23 - but the log entries with the dec 31 dates are actually more recent, so i think they may just be mis-labelled/dated [i know this because the ip address present in the log entries is from my current isp, whom i have only been with for a few months.]. please note that i've substituted my public address/gateway with rfc 3330 test-net address space:

Dec 31 19:01:04 gw1 kernel: coretemp0: <CPU On-Die Thermal Sensors> on cpu0
Dec 31 19:01:04 gw1 kernel: pflog0: promiscuous mode enabled
Dec 31 19:01:04 gw1 php: : rc.newwanip: Informational is starting msk0.
Dec 31 19:01:04 gw1 php: : rc.newwanip: on (IP address: 192.0.2.100) (interface: wan) (real interface: msk0).
Dec 31 19:01:04 gw1 check_reload_status: Linkup starting ue0
Dec 31 19:01:04 gw1 kernel: ue0: link state changed to UP
Dec 31 19:01:04 gw1 php: : ROUTING: setting default route to 192.0.2.1
Jul 23 19:30:11 ap2 ap3 ntp: Clock synchronized to network time server ntp.example.net (adjusted -0 seconds)
Dec 31 19:01:05 gw1 check_reload_status: Reloading filter
Dec 31 19:01:07 gw1 php: : ROUTING: setting default route to 192.0.2.1
Dec 31 19:01:08 gw1 check_reload_status: Updating all dyndns
Jul 23 15:34:18 gw1 check_reload_status: Restarting ipsec tunnels
Jul 23 15:34:20 gw1 php: : Creating rrd update script
Jul 23 15:34:21 gw1 php: : Restarting/Starting all packages.
Jul 23 15:34:28 gw1 check_reload_status: Reloading filter
Jul 23 15:34:36 gw1 login: login on ttyv0 as admin
Jul 23 15:34:36 gw1 login: ROOT LOGIN (admin) ON ttyv0
Jul 23 15:34:36 gw1 login: ROOT LOGIN (admin) ON ttyv0
Jul 23 15:34:36 gw1 sshlockout[14378]: sshlockout/webConfigurator v3.0 starting up
Jul 23 15:35:18 gw1 sshd[17539]: Accepted keyboard-interactive/pam for admin from 192.168.1.123 port 56180 ssh2
Jul 23 16:04:09 gw1 dhclient: EXPIRE
Jul 23 16:04:09 gw1 dhclient: Deleting old routes
Jul 23 16:04:09 gw1 dhclient: PREINIT
Jul 23 16:04:09 gw1 dhclient: ARPSEND

i see the above behaviors both in the web interface and when using the clog command from a shell. is any of this expected behavior? if not, what can i do to collect more clues about why it is happening?

thanks
-ben

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
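The post above asks how to gather more clues about the ordering. One way to separate the three effects visible in it (lines from two hosts interleaved with a constant clock offset, a host's own timestamps stepping backwards, and a block of dates far from the rest) is to parse the syslog lines and check each property explicitly. The script below is an added example, not part of the original post or of pfSense; it takes the plain text that clog or the web interface produces and uses only the standard library. It assumes the year (2012, since the BSD syslog header has none), assumes file order approximates arrival order at the collector, and runs on a constructed sample modelled on the post's format with documentation-range addresses. A practical check it supports: "Dec 31 19:01" in a UTC-5 zone lies about a minute after the Unix epoch, which is what a host stamps on lines written before its clock is set during boot, so date outliers are worth comparing with the boot sequence.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log, modelled on the format of the post's entries (two
# hosts, gw1 and ap2, interleaved; addresses from documentation ranges).
SAMPLE_LOG = """\
Jul 23 20:39:44 gw1 sshd[32939]: Failed password for root from 203.0.113.9 port 58139 ssh2
Jul 24 00:58:39 ap2 ntp: Clock synchronized to network time server ntp.example.net
Jul 23 21:04:11 gw1 dhclient: RENEW
Jul 23 21:04:11 gw1 dhclient: Creating resolv.conf
Jul 24 01:04:45 ap2 dot11: Rotated CCMP group key.
Jul 23 21:34:11 gw1 dhclient: RENEW
Dec 31 19:01:04 gw1 kernel: pflog0: promiscuous mode enabled
Dec 31 19:01:04 gw1 php: : ROUTING: setting default route to 192.0.2.1
Jul 23 19:30:11 ap2 ntp: Clock synchronized to network time server ntp.example.net
Jul 23 15:34:18 gw1 check_reload_status: Restarting ipsec tunnels
Jul 23 15:34:36 gw1 login: login on ttyv0 as admin
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Classic BSD syslog header: "Mon DD HH:MM:SS host message" (no year, no zone).
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<msg>.*)$")


def parse_line(line, year=2012):
    """Parse one syslog line into a dict; the year is an assumption, the format omits it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    hh, mm, ss = (int(x) for x in m["time"].split(":"))
    return {"ts": datetime(year, MONTHS[m["mon"]], int(m["day"]), hh, mm, ss),
            "host": m["host"], "msg": m["msg"], "raw": line}


def find_regressions(entries):
    """Pairs (previous, current) where one host's own timestamp goes backwards.
    Interleaving between hosts is ignored: each host is compared only with itself,
    so a hit means that host's clock moved or the log file was rewritten."""
    last, hits = {}, []
    for e in entries:
        prev = last.get(e["host"])
        if prev is not None and e["ts"] < prev["ts"]:
            hits.append((prev, e))
        last[e["host"]] = e
    return hits


def find_outliers(entries, max_days=30):
    """Entries dated more than max_days from the file's median timestamp.
    With no year in the header, a date this far off usually means the host wrote
    the line before its clock was set (for example early in boot)."""
    ordered = sorted(e["ts"] for e in entries)
    median = ordered[len(ordered) // 2]
    return [e for e in entries if abs(e["ts"] - median) > timedelta(days=max_days)]


def estimate_offset(entries, host_a, host_b):
    """Median seconds by which host_b's clock leads host_a's, taken over adjacent
    lines from the two hosts; file order stands in for arrival order at the collector."""
    diffs = []
    for prev, cur in zip(entries, entries[1:]):
        if {prev["host"], cur["host"]} == {host_a, host_b}:
            a, b = (prev, cur) if prev["host"] == host_a else (cur, prev)
            diffs.append((b["ts"] - a["ts"]).total_seconds())
    if not diffs:
        return None
    diffs.sort()
    return diffs[len(diffs) // 2]


ENTRIES = [e for e in map(parse_line, SAMPLE_LOG.splitlines()) if e]

if __name__ == "__main__":
    for prev, cur in find_regressions(ENTRIES):
        print(f"{cur['host']}: went back from {prev['ts']} to {cur['ts']}")
    for e in find_outliers(ENTRIES):
        print(f"date outlier: {e['raw']}")
    off = estimate_offset(ENTRIES, "gw1", "ap2")
    print(f"ap2 clock leads gw1 by about {off / 3600:.1f} h")
```

On the sample this reports one regression per host, flags the two Dec 31 lines as outliers, and estimates that ap2's clock runs roughly four hours ahead of gw1's, the same gap the post's ntp and dhclient lines show. A per-host regression with no matching clock step on that host would point at the log file itself rather than at time synchronisation.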
