Linux – Why promiscuous mode gets set automatically — and should I be worried

linux networking

Our general webhosting server (LAMP with Parallels Plesk) started to turn PROMISCUOUS mode ON on eth0 "by itself".

I noticed the change in configuration on 2013-11-08 when rkhunter warned us of "Possible promiscuous interfaces", which hadn't happened before. After a bit of googling I didn't find any real use case for promiscuous mode on our server, so I disabled it using # ifconfig eth0 -promisc, only to find out a day later that the flag had been re-set.

Here's what the kernel logs say:

Nov  8 14:51:31 hallinta kernel: [3301285.098047] klogd1 uses obsolete (PF_INET,SOCK_PACKET)
Nov  8 14:51:31 hallinta kernel: [3301285.099528] device eth0 entered promiscuous mode
Nov 11 08:34:18 hallinta kernel: [3537242.374911] device eth0 left promiscuous mode
Nov 12 07:46:30 hallinta kernel: [3620559.485388] device eth0 entered promiscuous mode
Nov 13 08:47:36 hallinta kernel: [3710393.877512] device eth0 left promiscuous mode
Nov 14 07:53:49 hallinta kernel: [3793353.202243] device eth0 entered promiscuous mode
Nov 14 09:16:03 hallinta kernel: [3798274.154435] device eth0 left promiscuous mode

I included the klogd1 message because of its immediate timestamp. From auth logs I didn't see any suspicious activity around the first "entered promiscuous mode" message.

As the timestamps of the two "entered" messages are roughly similar, I checked if I had any cronjobs running around that time. Most of the daily jobs (I searched with this tool) are run at 06:25 at the latest and the next job is run at 08:00. None of those 06:25 jobs contained the words ifconfig or promisc.

What could set promiscuous mode ON on eth0 interfaces and should I be worried? (I am, but should I be?) Is there any legit reason promiscuous mode should be set on?

Best Answer

If vnstat is the process putting the interface in promiscuous mode, check its logfiles and see if this is logged (depends on logging verbosity of course). If there is no reason to monitor traffic, just disable it and see how it goes.

I suspect that promiscuous mode must be on while rkhunter is running, in order for rkhunter to detect it.

What is very very weird, is this:

Nov  8 14:51:31 hallinta kernel: [3301285.098047] klogd1 uses obsolete (PF_INET,SOCK_PACKET)
Nov  8 14:51:31 hallinta kernel: [3301285.099528] device eth0 entered promiscuous mode

AFAIK there is no such thing as klogd1 (there is a klogd of course), and there shouldn't be one. Take the time to check if there is a binary under that name and if there is a klogd1 process (if yes, find what it is doing). If vnstat is not doing that, then there is a high chance that your machine might have been compromised.
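As an added example (not part of the question or the answer above), a small Python audit that follows the answer's checks: it pairs the "entered"/"left" kernel messages into intervals that can be lined up against cron times, and on a live Linux host it maps the AF_PACKET sockets listed in /proc/net/packet back to the processes holding them, which is where vnstat, tcpdump or whatever "klogd1" turns out to be would appear. The sample log lines are the ones quoted in the question; the year 2013 and the function names are assumptions.

```python
import os
import re
from datetime import datetime

# Matches the kernel lines quoted in the question (syslog timestamps omit the year).
LOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: \[\s*[\d.]+\] "
                    r"device (\S+) (entered|left) promiscuous mode$")

# Sample input: the kernel log lines from the question, used when run stand-alone.
SAMPLE_LOG = [
    "Nov  8 14:51:31 hallinta kernel: [3301285.098047] klogd1 uses obsolete (PF_INET,SOCK_PACKET)",
    "Nov  8 14:51:31 hallinta kernel: [3301285.099528] device eth0 entered promiscuous mode",
    "Nov 11 08:34:18 hallinta kernel: [3537242.374911] device eth0 left promiscuous mode",
    "Nov 12 07:46:30 hallinta kernel: [3620559.485388] device eth0 entered promiscuous mode",
    "Nov 13 08:47:36 hallinta kernel: [3710393.877512] device eth0 left promiscuous mode",
    "Nov 14 07:53:49 hallinta kernel: [3793353.202243] device eth0 entered promiscuous mode",
    "Nov 14 09:16:03 hallinta kernel: [3798274.154435] device eth0 left promiscuous mode",
]

def promisc_intervals(lines, year=2013):
    """Pair each 'entered' with the next 'left' per device -> (device, start, end);
    an 'entered' with no later 'left' gets end=None (interface still promiscuous)."""
    open_since, intervals = {}, []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated kernel message, e.g. the klogd1 line
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        dev, event = m.group(2), m.group(3)
        if event == "entered":
            open_since[dev] = ts
        elif dev in open_since:
            intervals.append((dev, open_since.pop(dev), ts))
    intervals.extend((dev, ts, None) for dev, ts in open_since.items())
    return intervals

def packet_socket_owners():
    """Live check (Linux, run as root): map AF_PACKET sockets in /proc/net/packet to their owning processes."""
    with open("/proc/net/packet") as f:
        inodes = {line.split()[-1] for line in f.readlines()[1:]}  # last column: Inode
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            links = [os.readlink(f"/proc/{pid}/fd/{fd}") for fd in os.listdir(f"/proc/{pid}/fd")]
        except OSError:
            continue  # process exited, or not ours to inspect
        if any(l.startswith("socket:[") and l[8:-1] in inodes for l in links):
            with open(f"/proc/{pid}/comm") as f:
                owners[int(pid)] = f.read().strip()  # pid -> process name
    return owners
```

Run packet_socket_owners() as root while the interface is reported promiscuous; a known tool such as vnstat explains the flag, while an unexpected name (or a "klogd1" binary) is what to investigate further, alongside the interval list from the kernel log.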