Linux - martian source in /var/log/messages
Solution 1
If a host on a network cannot obtain a network address via DHCP, an address from 169.254.1.0 to 169.254.254.255 may be assigned pseudorandomly. So it's an interface without connection to the internet. That is what ARIN is telling you. If someone tries to send something to this address, it is called a martian packet.
What is plugged into usb0?
Solution 2
You don't tell us what the IP address of usb0 is, but I guess it's not in the link-local subnet, so packets arriving at usb0 from link local will be 'martian'. This is a widely quoted explanation:
These are packets that Linux does not expect from the direction they came from (i.e. packets from internal hosts coming in on the external interface). The cause is probably a misconfigured machine on your LAN. You can turn off logging those packets via /proc/sys/net/ipv4/conf/interface/log_martians which is documented in /usr/src/linux/Documentation/proc.txt
Solution 3
Wikipedia: http://en.wikipedia.org/wiki/APIPA
You can turn off martian logging if you want:
echo 0 | tee /proc/sys/net/ipv4/conf/{all,default}/log_martians
Solution 4
It's not advised to stop logging martians. However, if you need to stop it, amend the kernel parameters as follows.
Edit the sysctl configuration, change 1 to 0, and make sure to replace "ens192" and "ens224" with your interface names. This will stop logging martians.
# vi /etc/sysctl.d/99-sysctl.conf
Change as shown below.
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.ens192.log_martians = 0
net.ipv4.conf.ens224.log_martians = 0
Apply it by running
# sysctl -p /etc/sysctl.d/99-sysctl.conf
Hope this helps someone.
Solution 5
I really would not turn off logging the martians: they are typically logged on production machines, and this is to protect against aggression.
One hit every few seconds is probably a misconfigured machine, but on the day your server is attacked, you would have valuable info in the logs.
Best bet is to keep logging and look for a misconfigured machine, if there are not too many machines to look at; it is likely to be a nearby machine.
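To help with the search for the misconfigured machine suggested in Solution 5, the following added example (not code from any of the answers) parses martian log lines and decodes the Ethernet header that the kernel logs with them. It assumes the colon-separated `ll header` format quoted in the question; the function names and the sample lines beyond the quoted pair are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first pair follows the format quoted in the question,
# the repeat and the last line are invented for illustration.
SAMPLE_LOG = """\
Mar  8 23:17:25 saas1 kernel: martian source 169.254.1.1 from 169.254.95.118, on dev usb0
Mar  8 23:17:25 saas1 kernel: ll header: ff:ff:ff:ff:ff:ff:00:21:5e:de:1b:be:08:06
Mar  8 23:17:30 saas1 kernel: martian source 169.254.1.1 from 169.254.95.118, on dev usb0
Mar  8 23:17:30 saas1 kernel: ll header: ff:ff:ff:ff:ff:ff:00:21:5e:de:1b:be:08:06
Mar  8 23:18:02 saas1 kernel: martian source 10.0.0.5 from 127.0.0.1, on dev eth0
"""

# The kernel prints the destination first and the sender after "from".
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>\d+(?:\.\d+){3}) from (?P<src>\d+(?:\.\d+){3}), on dev (?P<dev>\S+)")
# 14-byte Ethernet header: destination MAC (6), source MAC (6), EtherType (2).
LL_RE = re.compile(r"ll header: (?P<hdr>[0-9a-f]{2}(?::[0-9a-f]{2}){13})\b", re.I)
ETHERTYPES = {"0800": "IPv4", "0806": "ARP"}

def parse_martians(text):
    """Return one dict per martian event, with the following ll header decoded if present."""
    events, pending = [], None
    for line in text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            pending = dict(m.groupdict(), src_mac=None, dst_mac=None, ethertype=None)
            events.append(pending)
            continue
        h = LL_RE.search(line)
        if h and pending is not None:
            b = h.group("hdr").lower().split(":")
            pending["dst_mac"] = ":".join(b[0:6])
            pending["src_mac"] = ":".join(b[6:12])
            et = "".join(b[12:14])
            pending["ethertype"] = ETHERTYPES.get(et, "0x" + et)
            pending = None
    return events

def summarize(events):
    """Count events per (interface, source IP, source MAC, EtherType)."""
    return Counter((e["dev"], e["src"], e["src_mac"], e["ethertype"]) for e in events)

if __name__ == "__main__":
    for (dev, src, mac, etype), n in summarize(parse_martians(SAMPLE_LOG)).most_common():
        print(f"{n:4d}  dev={dev} src={src} src_mac={mac} ethertype={etype}")
```

The source MAC is the value to look up in switch or ARP tables when tracking down the sender, and an ARP EtherType with a broadcast destination points to a host probing on the local segment rather than routed traffic.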
Comments
-
edumike almost 2 years
I keep getting these messages in /var/log/messages :
Mar 8 23:17:25 saas1 kernel: martian source 169.254.1.1 from 169.254.95.118, on dev usb0
Mar 8 23:17:25 saas1 kernel: ll header: ff:ff:ff:ff:ff:ff:00:21:5e:de:1b:be:08:06
Over and over every 5 seconds there's another report exactly the same way.
I did a whois on 169.254.95.118 and get a strange message back also:
http://whois.arin.net/rest/nets;q=169.254.95.118?showDetails=true&showARIN=false
This is the "link local" block. It was set aside for this special use in the Standards Track document, RFC 3927 and was further documented in the Best Current Practice RFC 5735, which can be found at: http://www.rfc-editor.org/rfc/rfc3927.txt http://www.rfc-editor.org/rfc/rfc5735.txt It is allocated for communication between hosts on a single link. Hosts obtain these addresses by auto-configuration, such as when a DHCP server cannot be found. A router MUST NOT forward a packet with an IPv4 Link-Local source or destination address, irrespective of the router's default route configuration or routes obtained from dynamic routing protocols. A router which receives a packet with an IPv4 Link-Local source or destination address MUST NOT forward the packet. This prevents forwarding of packets back onto the network segment from which they originated, or to any other segment.
-
poige over 5 years
voted to close as it's unclear what you're asking. Also, the site has lots of Q&A about "martians".
-
edumike over 13 years
So there's nothing else going wrong here? I'd rather I didn't get them at all, to be honest, though I don't know what's causing them.
-
edumike over 13 years
I don't know what's plugged into USB0, it's on an offsite server. I might have to ask them what's going on with it. This was put together before I started working in my job but the guys there don't think that they were using a USB ethernet port. I might get one of the offsite guys to tell me what's physically plugged in. I can't figure it out with dmesg/lspci/lshw
-
user9517 over 13 years
@edumike: There is likely something misconfigured on your network as it is sending packets to your machine when it shouldn't. You can try and track that machine down and fix its configuration or you can just turn off logging as per pepoluan's answer.
-
Brian Minton over 7 years
This did not work for me.
-
pepoluan over 7 years
@BrianMinton this only disables the kernel's logging. If your iptables rules have explicit Martian logging, then you need to remove those, too.
-
Brian Minton almost 7 years
No, I don't have any iptables rules at all.