I have these messages that are driving me mad. They really litter my /var/log/warn.
Jan 24 10:55:35 linux-w779 kernel: 7162.780285] IPv4: martian source 192.168.1.7 from 173.194.70.106, on dev eth0
Jan 24 10:55:35 linux-w779 kernel: 7162.780293] ll header: 00000000: 5c ff 35 06 cd 99 c8 d7 19 89 00 05 08 00 \.5...........
Jan 24 10:55:35 linux-w779 kernel: 7162.780304] IPv4: martian source 192.168.1.7 from 173.194.70.106, on dev eth0
Jan 24 10:55:35 linux-w779 kernel: 7162.780308] ll header: 00000000: 5c ff 35 06 cd 99 c8 d7 19 89 00 05 08 00 \.5...........
Jan 24 10:55:35 linux-w779 kernel: 7162.780317] IPv4: martian source 192.168.1.7 from 173.194.70.106, on dev eth0
Jan 24 10:55:35 linux-w779 kernel: 7162.780321] ll header: 00000000: 5c ff 35 06 cd 99 c8 d7 19 89 00 05 08 00 \.5...........
Jan 24 10:55:35 linux-w779 kernel: 7163.017901] IPv4: martian source 192.168.1.7 from 173.194.70.106, on dev eth0
Jan 24 10:55:35 linux-w779 kernel: 7163.017910] ll header: 00000000: 5c ff 35 06 cd 99 c8 d7 19 89 00 05 08 00 \.5...........
Jan 24 10:55:36 linux-w779 kernel: 7163.495184] IPv4: martian source 192.168.1.7 from 173.194.70.106, on dev eth0
Jan 24 10:55:36 linux-w779 kernel: 7163.495192] ll header: 00000000: 5c ff 35 06 cd 99 c8 d7 19 89 00 05 08 00 \.5...........
Jan 24 10:55:37 linux-w779 kernel: 7164.449613] IPv4: martian source 192.168.1.7 from 173.194.70.106, on dev eth0
Jan 24 10:55:37 linux-w779 kernel: 7164.449622] ll header: 00000000: 5c ff 35 06 cd 99 c8 d7 19 89 00 05 08 00 \.5...........
Jan 24 10:55:39 linux-w779 kernel: 7166.358308] IPv4: martian source 192.168.1.7 from 173.194.70.106, on dev eth0
Jan 24 10:55:39 linux-w779 kernel: 7166.358316] ll header: 00000000: 5c ff 35 06 cd 99 c8 d7 19 89 00 05 08 00 \.5...........
Jan 24 10:55:43 linux-w779 kernel: 7170.175756] IPv4: martian source 192.168.1.7 from 173.194.70.106, on dev eth0
Jan 24 10:55:43 linux-w779 kernel: 7170.175764] ll header: 00000000: 5c ff 35 06 cd 99 c8 d7 19 89 00 05 08 00 \.5...........
Jan 24 10:55:50 linux-w779 kernel: 7177.810563] IPv4: martian source 192.168.1.7 from 173.194.70.106, on dev eth0
Jan 24 10:55:50 linux-w779 kernel: 7177.810570] ll header: 00000000: 5c ff 35 06 cd 99 c8 d7 19 89 00 05 08 00 \.5...........
Jan 24 10:55:58 linux-w779 pidof[27006]: can't read from 26977/stat
Jan 24 10:56:00 linux-w779 kernel: 7187.793962] IPv4: martian source 192.168.1.7 from 173.194.70.106, on dev eth0
Jan 24 10:56:00 linux-w779 kernel: 7187.793971] ll header: 00000000: 5c ff 35 06 cd 99 c8 d7 19 89 00 05 08 00 \.5...........
Jan 24 10:56:02 linux-w779 pidof[27053]: can't read from 27044/stat
Jan 24 10:56:10 linux-w779 kernel: 7197.776844] IPv4: martian source 192.168.1.7 from 173.194.70.106, on dev eth0
Jan 24 10:56:10 linux-w779 kernel: 7197.776852] ll header: 00000000: 5c ff 35 06 cd 99 c8 d7 19 89 00 05 08 00 \.5...........
Jan 24 10:56:14 linux-w779 pidof[27189]: can't read from 27166/stat
Jan 24 10:57:30 linux-w779 pidof[28083]: can't read from 28059/stat
Jan 24 10:58:06 linux-w779 pidof[28532]: can't read from 28496/stat
Jan 24 10:58:42 linux-w779 pidof[28958]: can't read from 28955/stat
Jan 24 10:59:02 linux-w779 pidof[29180]: can't read from 29191/stat
Jan 24 10:59:26 linux-w779 pidof[29477]: can't read from 29481/stat
Jan 24 10:59:42 linux-w779 pidof[29669]: can't read from 29672/stat
Jan 24 10:59:42 linux-w779 pidof[29678]: can't read from 29669/stat
Jan 24 11:01:02 linux-w779 pidof[30649]: can't read from 30638/stat
Jan 24 11:01:06 linux-w779 pidof[30717]: can't read from 30698/stat
Jan 24 11:01:10 linux-w779 pidof[30756]: can't read from 30725/stat
Jan 24 11:01:14 linux-w779 pidof[30804]: can't read from 30813/stat
Jan 24 11:01:18 linux-w779 pidof[30846]: can't read from 30822/stat
Jan 24 11:01:42 linux-w779 pidof[31130]: can't read from 31126/stat
Jan 24 11:02:18 linux-w779 pidof[31565]: can't read from 31522/stat
Jan 24 11:02:18 linux-w779 pidof[31559]: can't read from 31530/stat
Jan 24 11:03:22 linux-w779 pidof[32310]: can't read from 32293/stat
Jan 24 11:03:42 linux-w779 pidof[32532]: can't read from 32527/stat
Jan 24 11:05:06 linux-w779 pidof[1152]: can't read from 1098/stat
Jan 24 11:05:58 linux-w779 pidof[1873]: can't read from 1821/stat
Jan 24 11:08:30 linux-w779 pidof[3872]: can't read from 3836/stat
Jan 24 11:10:34 linux-w779 pidof[5373]: can't read from 5392/stat
Jan 24 11:11:14 linux-w779 pidof[5857]: can't read from 5821/stat
Jan 24 11:11:26 linux-w779 pidof[6000]: can't read from 5974/stat
Jan 24 11:11:50 linux-w779 pidof[6278]: can't read from 6269/stat
Jan 24 11:12:18 linux-w779 pidof[6601]: can't read from 6594/stat
Jan 24 11:12:50 linux-w779 pidof[7000]: can't read from 6973/stat
Jan 24 11:12:54 linux-w779 pidof[7026]: can't read from 7007/stat
Jan 24 11:13:26 linux-w779 pidof[7426]: can't read from 7434/stat
Jan 24 11:14:10 linux-w779 pidof[7952]: can't read from 7925/stat
Jan 24 11:15:14 linux-w779 pidof[8738]: can't read from 8719/stat
Jan 24 11:15:30 linux-w779 pidof[8933]: can't read from 8889/stat
Jan 24 11:15:42 linux-w779 pidof[9091]: can't read from 9058/stat
Jan 24 11:17:18 linux-w779 pidof[10223]: can't read from 10210/stat
Jan 24 11:18:50 linux-w779 pidof[11302]: can't read from 11303/stat
Jan 24 11:19:38 linux-w779 pidof[11879]: can't read from 11883/stat
Jan 24 11:19:42 linux-w779 pidof[11908]: can't read from 11902/stat
Jan 24 11:19:50 linux-w779 pidof[12018]: can't read from 12012/stat
Jan 24 11:19:54 linux-w779 pidof[12067]: can't read from 12057/stat
Jan 24 11:20:14 linux-w779 pidof[12296]: can't read from 12294/stat
Jan 24 11:20:34 linux-w779 pidof[12544]: can't read from 12542/stat
Jan 24 11:21:22 linux-w779 pidof[13089]: can't read from 13070/stat
Jan 24 11:21:22 linux-w779 pidof[13110]: can't read from 13092/stat
Jan 24 11:21:34 linux-w779 pidof[13245]: can't read from 13218/stat
Jan 24 11:22:02 linux-w779 pidof[13566]: can't read from 13555/stat
Jan 24 11:22:10 linux-w779 pidof[13667]: can't read from 13656/stat
Jan 24 11:22:54 linux-w779 pidof[14187]: can't read from 14164/stat
Jan 24 11:23:58 linux-w779 pidof[14946]: can't read from 14938/stat
Jan 24 11:24:14 linux-w779 pidof[15134]: can't read from 15137/stat
Jan 24 11:24:26 linux-w779 pidof[15280]: can't read from 15278/stat
Jan 24 11:24:54 linux-w779 pidof[15605]: can't read from 15590/stat
Jan 24 11:25:02 linux-w779 pidof[15711]: can't read from 15680/stat
Jan 24 11:25:42 linux-w779 pidof[16173]: can't read from 16164/stat
Jan 24 11:25:50 linux-w779 pidof[16281]: can't read from 16262/stat
Jan 24 11:26:14 linux-w779 pidof[16555]: can't read from 16551/stat
Jan 24 11:26:50 linux-w779 pidof[16966]: can't read from 16953/stat
Jan 24 11:27:14 linux-w779 pidof[17267]: can't read from 17232/stat
Jan 24 11:27:38 linux-w779 pidof[17542]: can't read from 17548/stat
Jan 24 11:27:58 linux-w779 pidof[17780]: can't read from 17775/stat
So what are all these: can’t read from. I do not understand where the issue comes from. Tried to google but nothing.
Second thing:
Martian sources are usually a problem with configuration. But it does not seem I have a config problem. I have a “dumb” modem bridged with a router set up with NAT.
So, this router does not have any server activated and even the WLAN part is off. Or are these attempts to get into my system using internal IP addresses? And a router, if set up correctly, should not forward these packages, right? So something is wrong here.
a) what are these cannot read from messages? How can I find out.
b) what configuration could be wrong to get martian sources?
c) if these martians are effectively coming from outside, would it be possible to blacklist these IP addresses automatically after, let us say, 5 attempts? How would I do this?
As this concerns maybe network, maybe not, I post it here. Just to see if I manage to get an answer already on the “cannot read” part that is littering in an unbelievable way my log.
Hello arvidjaar.
Thank you for the reply. A race condition is AFAIR a security risk, right? Should I file a bug report? How can I find out which processes encounter this problem and why? I admit I do not have any knowledge about the problematic of race conditions and about how to find the reason/origin. Can I protocol somehow which process was involved instead of having only process numbers recorded?
Thank you.
Martian sources: these are of external IPs (quite some of them) but I have no clue how they can come through the original router software (running a NAT). Will try to solve this after understanding the first problem. One step at a time.
Not necessarily. I do not see any security risk here.
How can I find out which processes encounter this problem and why?
Well, it is pidof, as is clearly written in the message. Now if you ask which process calls pidof - you can replace it with a script that outputs the process list at this time and calls the real pidof.
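One way to build the wrapper suggested above, as an added example that is not part of the original reply: it logs the chain of calling processes and then runs the real pidof. The location of the real binary, the log path and the function names are assumptions.

```shell
#!/bin/sh
# Added example: logging wrapper for pidof (not the poster's script).
# Assumed setup: the real pidof sits in a separate directory under the same
# basename, because pidof can be a symlink to a multi-call binary (killall5
# in sysvinit) that checks the name it was invoked under. Paths are hypothetical.
REAL_PIDOF=${REAL_PIDOF:-/usr/local/libexec/pidof-real/pidof}
TRACE_LOG=${TRACE_LOG:-/var/log/pidof-callers.log}

# Describe one process from /proc. A process can exit between being named
# and being read (the race pidof itself reports), so that case is handled.
describe_pid() {
    p=$1
    if ! st=$(cat "/proc/$p/stat" 2>/dev/null); then
        echo "pid=$p (already exited)"
        return 0
    fi
    # comm (field 2) may contain spaces; cut after its closing parenthesis,
    # leaving "state ppid ...".
    rest=${st##*') '}
    parent=$(printf '%s\n' "$rest" | cut -d' ' -f2)
    cmd=$(tr '\000' ' ' 2>/dev/null < "/proc/$p/cmdline") || cmd=
    echo "pid=$p ppid=$parent cmd=${cmd:-[no cmdline]}"
}

# Print up to five ancestors, starting at the given PID.
trace_callers() {
    cur=$1; depth=0
    while [ "$cur" -gt 0 ] 2>/dev/null && [ "$depth" -lt 5 ]; do
        line=$(describe_pid "$cur")
        echo "  $line"
        case $line in
            *ppid=*) cur=${line#*ppid=}; cur=${cur%% *} ;;
            *) break ;;
        esac
        depth=$((depth + 1))
    done
}

main() {
    {
        echo "$(date '+%Y-%m-%d %H:%M:%S') pidof $* called by:"
        trace_callers "$PPID"
    } 2>/dev/null >> "$TRACE_LOG" || true
    exec "$REAL_PIDOF" "$@"
}

# Act as the wrapper only when invoked under the name "pidof".
case ${0##*/} in pidof) main "$@" ;; esac
```

Matching the timestamps in the trace log against the "can't read from" lines in /var/log/warn shows which caller was running pidof at that moment.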
I’m not convinced that this is a race condition. Perhaps it is, but there is too little evidence provided.
Several years ago, there was one system at work that I was required to connect to via a VPN. And the VPN forced all connections to my work network to go via the VPN.
I might make an ssh connection to one work computer. Then I opened the VPN to go to the other. If I tried using the ssh connection while the VPN was up, then packets to the ssh destination would go through the VPN, so they would bypass my home router. The result was that they were seen on the destination with a source IP of 192.168.*, instead of my public IP address.
There are lots of things that can lead to Martian source messages.
It is. pidof works by listing the current /proc content and reading attributes for each process. Of course, in the meantime a process can vanish. It is inherently racy.
This substantially describes what is running on my machine.
Provided that SSH should be deactivated (by my settings) on the machine, and root login ssh is not possible either. SSHd is off. No other connection should take place but with kde the postfix servers for pop start right away when you log in. I have a VPN to connect to my provider. All traffic should be routed through this. No other connection should try to connect to nothing if not through the VPN. If misconfigured that could give such a result. So, what apart from ssh could be the cause? Would the netstat command help with this?
If the answer to this is yes then probably this thread should be shifted to network.
When I run
netstat -l
This gives me about 5 ports listening but an incredibly long list of udp stuff. But not a single one of these udp ones bears listen.
Which of these could be the origin of the problem (thankful for every idea). I think you got it absolutely right with the situation you describe. If I well understand only the ones listening are the ones that can give this kind of problem you describe. Right?
I see privoxy (that I run with tor as daemon - but that should not listen to outside addresses). Cups but the firewallports are closed and no network-printer attached (IPP).
Besides I do not understand why there is *.ipp.
smtp is logical because of kmail. 192.168.100.1 “should” be kvm that did constitute two bridges. I am incredibly bad in networking and in my understanding of networking. So if you see a disaster here to be fixed at once please tell me.
Maybe I find out about the little green men at least.
If you can find the port numbers (maybe check the firewall logs), you might be able to use “lsof” to identify the process involved.
Are those IP addresses 192.168.1.7 and 173.194.70.106 yours? If not, I would not worry about it. These could be due to another system with a VPN. In a VPN environment, expect some martian source messages.
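To see which addresses and which local device are involved, the log lines themselves can be decoded; this is an added example, not part of the original post. The kernel prints the packet's destination after "martian source" and its source after "from", and the ll header is the Ethernet header (destination MAC, source MAC, EtherType), so the source MAC names the device on the local segment that delivered the packet. The function names, the minimum-count argument and the sample lines (modelled on the log at the top of the thread) are constructed.

```shell
#!/bin/sh
# Added example: summarise "martian source" reports from a kernel log.
# Usage: martian_summary MIN_COUNT [logfile...]   (reads stdin if no file)

martian_summary() {
    min=$1; shift
    awk -v min="$min" '
    /martian source/ {
        # Kernel format: martian source <destination> from <source>, on dev <if>
        for (i = 1; i < NF; i++) {
            if ($i == "source") dst = $(i + 1)
            if ($i == "from")   { src = $(i + 1); sub(/,$/, "", src) }
            if ($i == "dev")    dev = $(i + 1)
        }
        pending = 1; next
    }
    /ll header:/ && pending {
        # 14 bytes of Ethernet header follow the "00000000:" offset field:
        # 6 destination MAC, 6 source MAC, 2 EtherType.
        for (i = 1; i <= NF; i++) if ($i == "00000000:") break
        dmac = $(i + 1); smac = $(i + 7)
        for (j = 2; j <= 6; j++) { dmac = dmac ":" $(i + j); smac = smac ":" $(i + 6 + j) }
        key = dev " " src " -> " dst " via " smac " (to " dmac ", ethertype " $(i + 13) $(i + 14) ")"
        count[key]++; pending = 0
    }
    END { for (k in count) if (count[k] >= min) print count[k], k }
    ' "$@" | sort -rn
}

# Constructed sample: three reports in the format of the log above, plus one
# constructed broadcast frame from the same source MAC.
sample_log() {
    cat <<'EOF'
Jan 24 10:55:35 host kernel: [ 7162.780285] IPv4: martian source 192.168.1.7 from 173.194.70.106, on dev eth0
Jan 24 10:55:35 host kernel: [ 7162.780293] ll header: 00000000: 5c ff 35 06 cd 99 c8 d7 19 89 00 05 08 00
Jan 24 10:55:36 host kernel: [ 7163.495184] IPv4: martian source 192.168.1.7 from 173.194.70.106, on dev eth0
Jan 24 10:55:36 host kernel: [ 7163.495192] ll header: 00000000: 5c ff 35 06 cd 99 c8 d7 19 89 00 05 08 00
Jan 24 10:55:37 host kernel: [ 7164.449613] IPv4: martian source 192.168.1.7 from 173.194.70.106, on dev eth0
Jan 24 10:55:37 host kernel: [ 7164.449622] ll header: 00000000: 5c ff 35 06 cd 99 c8 d7 19 89 00 05 08 00
Jan 24 10:55:40 host kernel: [ 7167.000001] IPv4: martian source 192.168.1.255 from 192.168.1.1, on dev eth0
Jan 24 10:55:40 host kernel: [ 7167.000009] ll header: 00000000: ff ff ff ff ff ff c8 d7 19 89 00 05 08 00
EOF
}

sample_log | martian_summary 1
```

Run against the real file as `martian_summary 5 /var/log/warn` to list only flows reported at least five times; a source MAC that is the same on every line is the one neighbour (typically the router) handing these packets to the interface.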
Now I reinstalled completely the system. I deactivated udev in the router I have.
I do not have any printer attached or installed and I do not have the samba server running.
And I get this today again and since nearly nothing is on this machine maybe this time I am getting it why with your help.
So I get a martian source with the configuration address of my router. Followed by it, I find in /var/log/warn:
kernel: 445.347001] ll header: 00000000: ff ff ff ff ff ff c8 d7 19 89 00 05 08 00 ..............
Jan 29 13:01:08 linux if-up.d/21-dhcpcd-hook-samba: No dhcpcd info nor dhclient leases file found for eth0.
Jan 29 14:00:24 linux udev-configure-printer: Failed to get parent
Jan 29 14:00:25 linux udev-configure-printer: Failed to get parent
So, cupsd is not started (I controlled I have no printer installed, not even a printer-driver database built). I had samba installed but not started. As I will not use it, I uninstalled it now right away. But apparently I have a router config problem? In the router udev is deactivated.
So what means:
if-up.d/21-dhcpcd-hook-samba??
Is this a cron job trying to find printer with udev?
How can I switch it off terminally?
And why does this happen after a martian source on a fresh installed system. Here to be clear nothing is running. Kmail is off and not configured. Nothing is used, all virgin.
How to find the “mysterious” problem of the martian sources?
As this is annoying, every help will be appreciated. There is obviously a configuration problem with dhcp. And this time it is without VPN. So no VPN environment running. The router has the dhcp server active. It is behind a modem in bridged mode with the dhcp server deactivated (and handles everything). I am behind a NAT and all services from outside are blocked. So it must be the router having a config problem…?
I am not configuring anything on this machine. Why is the script running then (samba was set to off, cupsd to off, as I do not have any printer locally or in the network attached to the machine)? It is really getting ugly once the system will get fully installed. So better get rid of it immediately. ifconfig gave also “intrastar” and “bootpc”. You know what these programs/udp ports are good for by any chance?
This script should normally run exactly once after boot when the interface is brought up. It can hardly litter anything. From a cursory look, the message appears when NetworkManager is used and the interface is set to a static address. It is entirely cosmetic. If my assumption is correct, you may open a bug report if you wish.