Linux - martian source in /var/log/messages


Solution 1

If a host on a network cannot obtain a network address via DHCP, an address from 169.254.1.0 to 169.254.254.255 may be assigned pseudorandomly. So it's an interface without connection to the internet. That is what ARIN is telling you. If someone tries to send something to this address, it is called a martian packet.

What is plugged into usb0?

Solution 2

You don't tell us what the IP address of usb0 is, but I guess it's not in the link-local subnet, so packets arriving at usb0 from link local will be 'martian'. This is a widely quoted explanation:

These are packets that Linux does not expect from the direction they came from (i.e. packets from internal hosts coming in on the external interface). The cause is probably a misconfigured machine on your LAN. You can turn off logging those packets via /proc/sys/net/ipv4/conf/interface/log_martians which is documented in /usr/src/linux/Documentation/proc.txt

Solution 3

Wikipedia: http://en.wikipedia.org/wiki/APIPA

You can turn off martian logging if you want:

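# A redirect to a brace expansion is an "ambiguous redirect" in bash, so write both files with tee
echo 0 | tee /proc/sys/net/ipv4/conf/{all,default}/log_martians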

Solution 4

It's not advised to stop logging martians. However, if you need to stop it, amend the kernel parameters as follows.

Edit the sysctl file and change 1 to 0, making sure to replace "ens192 and ens224" with your interface names. This will stop logging martians.

# vi /etc/sysctl.d/99-sysctl.conf

Change as shown below.

net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.ens192.log_martians = 0
net.ipv4.conf.ens224.log_martians = 0

Apply it by running

# sysctl -p /etc/sysctl.d/99-sysctl.conf

Hope this helps someone.

Solution 5

I really would not turn off logging the martians: they are typically logged on production machines, and this is to protect against an aggression.

One hit every few seconds is probably a misconfigured machine, but on the day your server is attacked, you would have valuable info in the logs.

Best bet is to keep logging and look for a misconfigured machine, if it is not too many machines to look at; it is likely to be a machine nearby.
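To look for the misconfigured machine from the logs themselves, the sketch below pairs each "martian source" line with the "ll header" line that follows it and counts reports per sender MAC address. It is an added example, not part of the original answers; the function names are hypothetical, and the space-separated hex-dump layout it also accepts for newer kernels is an assumption.

```python
import re
from collections import Counter

MARTIAN = re.compile(r"martian source (?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)")
# Old kernels print colon-separated bytes; the "00000000: ff ff ..." hex-dump form is assumed.
LL_HEADER = re.compile(r"ll header:\s*(?:[0-9a-f]{8}:\s*)?(?P<hex>[0-9a-f]{2}(?:[: ][0-9a-f]{2})+)", re.I)
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x8100: "802.1Q VLAN"}

def parse_ll_header(hexdump):
    """Return (dst_mac, src_mac, ethertype) from a 14-byte Ethernet header dump."""
    octets = re.findall(r"[0-9a-f]{2}", hexdump.lower())
    if len(octets) < 14:
        return None  # truncated or non-Ethernet link layer
    ethertype = int(octets[12] + octets[13], 16)
    return (":".join(octets[:6]), ":".join(octets[6:12]),
            ETHERTYPES.get(ethertype, f"0x{ethertype:04x}"))

def martian_senders(lines):
    """Count reports per (dev, src_ip, dst_ip, src_mac, ethertype)."""
    counts, pending = Counter(), None
    for line in lines:
        martian, header = MARTIAN.search(line), LL_HEADER.search(line)
        if martian:
            if pending:  # previous report had no ll header line
                counts[pending + (None, None)] += 1
            # The kernel prints the destination address first, then the source.
            pending = (martian["dev"], martian["src"], martian["dst"])
        elif header and pending:
            parsed = parse_ll_header(header["hex"])
            counts[pending + (parsed[1:] if parsed else (None, None))] += 1
            pending = None
    if pending:
        counts[pending + (None, None)] += 1
    return counts

# The two log lines from the question on this page, plus a constructed repeat
# of the same report five seconds later.
SAMPLE = """\
Mar  8 23:17:25 saas1 kernel: martian source 169.254.1.1 from 169.254.95.118, on dev usb0
Mar  8 23:17:25 saas1 kernel: ll header: ff:ff:ff:ff:ff:ff:00:21:5e:de:1b:be:08:06
Mar  8 23:17:30 saas1 kernel: martian source 169.254.1.1 from 169.254.95.118, on dev usb0
Mar  8 23:17:30 saas1 kernel: ll header: ff:ff:ff:ff:ff:ff:00:21:5e:de:1b:be:08:06
""".splitlines()

if __name__ == "__main__":
    for (dev, src, dst, mac, etype), n in martian_senders(SAMPLE).most_common():
        print(f"{n:4d}  dev={dev} src={src} dst={dst} src_mac={mac} ethertype={etype}")
```

For the lines in the question, the header decodes to a broadcast ARP frame (ethertype 08:06) sent from MAC 00:21:5e:de:1b:be, which is the address to search for in switch tables or DHCP leases.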

Author by

edumike

Updated on September 17, 2022

Comments

  • edumike
    edumike almost 2 years

    I keep getting these messages in /var/log/messages :

    Mar  8 23:17:25 saas1 kernel: martian source 169.254.1.1 from 169.254.95.118, on dev usb0
    Mar  8 23:17:25 saas1 kernel: ll header: ff:ff:ff:ff:ff:ff:00:21:5e:de:1b:be:08:06
    

    Over and over every 5 seconds there's another report exactly the same way.

    I did a whois on 169.254.95.118 and get a strange message back also:

    http://whois.arin.net/rest/nets;q=169.254.95.118?showDetails=true&showARIN=false

    This is the "link local" block. It was set
    aside for this special use in the Standards 
    Track document, RFC 3927 and was further
    documented in the Best Current Practice
    RFC 5735, which can be found at:
    http://www.rfc-editor.org/rfc/rfc3927.txt
    http://www.rfc-editor.org/rfc/rfc5735.txt
    It is allocated for communication between hosts 
    on a single link. Hosts obtain these addresses 
    by auto-configuration, such as when a DHCP 
    server cannot be found.
    A router MUST NOT forward a packet with an IPv4 
    Link-Local source or destination address, 
    irrespective of the router's default route configuration 
    or routes obtained from dynamic routing protocols. 
    A router which receives a packet with an IPv4 
    Link-Local source or destination address MUST NOT 
    forward the packet. This prevents forwarding of 
    packets back onto the network segment from which 
    they originated, or to any other segment.
    
    • poige
      poige over 5 years
      voted to close as it's unclear what you're asking. Also site has lots of Q&A about "martians"
  • edumike
    edumike over 13 years
    So there's nothing else going wrong here? I'd rather I didn't get them at all to be honest, though I don't know what's causing them.
  • edumike
    edumike over 13 years
    I don't know what's plugged into USB0, it's on an offsite server. I might have to ask them what's going on with it. This was put together before I started working in my job but the guys there don't think that they were using a USB ethernet port. I might get one of the offsite guys to tell me what's physically plugged in. I can't figure it out with dmesg/lspci/lshw
  • user9517
    user9517 over 13 years
    @edumike: There is likely something misconfigured on your network as it is sending packets to your machine when it shouldn't. You can try and track that machine down and fix its configuration or you can just turn off logging as per pepoluan's answer.
  • Brian Minton
    Brian Minton over 7 years
    This did not work for me.
  • pepoluan
    pepoluan over 7 years
    @BrianMinton This only disables the kernel's logging. If your iptables rules have explicit Martian logging, then you need to remove those, too.
  • Brian Minton
    Brian Minton almost 7 years
    No, I don't have any iptables rules at all.