Gentoo Forums
gentoo system crash
Gentoo Forums Forum Index Networking & Security
squirrelsoup
Tux's lil' helper
Joined: 29 Dec 2016
Posts: 98
PostPosted: Thu Jan 26, 2017 11:41 am    Post subject: gentoo system crash

Today, while I was playing an online game, my Gentoo box crashed hard and I had to hard reset it; the keyboard and mouse did not respond.
I have been customizing the genkernel slightly, however I am not sure if my Gentoo box got hacked.
I have little knowledge about Linux; can someone look into my log files to see what caused the system crash?

Xorg.0.log - https://paste.pound-python.org/show/J116odahtRl6rAogke8Q/
messages - https://paste.pound-python.org/show/MVILFdVzy2MJYZpUF4nJ/
dmesg - https://paste.pound-python.org/show/wOILcrL5TisvmTlVSzBD/
genkernel.log - https://paste.pound-python.org/show/qnQjAvu0kEcExvvXbskr/

I also noticed this in my AIDE check:
Code:
Directory: /lib64/rc/console
 Mtime    : 2017-01-26 05:36:55              , 2017-01-26 12:19:52
 Ctime    : 2017-01-26 05:36:55              , 2017-01-26 12:19:52

File: /lib64/rc/console/keymap
 Mtime    : 2017-01-26 05:36:55              , 2017-01-26 12:19:52
 Ctime    : 2017-01-26 05:36:55              , 2017-01-26 12:19:52

File: /lib64/rc/console/unicode
 Mtime    : 2017-01-26 05:36:55              , 2017-01-26 12:19:52
 Ctime    : 2017-01-26 05:36:55              , 2017-01-26 12:19:52

Did my box get pwned, or did something else cause the system crash?


Last edited by squirrelsoup on Thu Jan 26, 2017 12:48 pm; edited 1 time in total
lexflex
Guru
Joined: 05 Mar 2006
Posts: 343
Location: the Netherlands
PostPosted: Thu Jan 26, 2017 11:54 am    Post subject:

Hi,

Isn't it more likely the system overheated during gaming?
Btw, if you say 'online game', do you mean an 'in browser' game?
Maybe start monitoring your temperature and see if the system stays cool enough when playing...


Alex.
squirrelsoup
Tux's lil' helper
Joined: 29 Dec 2016
Posts: 98
PostPosted: Thu Jan 26, 2017 12:15 pm    Post subject:

It's not a browser game, it's a client that runs on OpenGL. I regularly check lm_sensors for temperature, but at the moment the crash happened I did not check; still, I doubt it is anything temperature related.
I was, however, vacuum cleaning my desk near my computer at the time of the crash.
Also, recently I noticed that the game client (RuneScape) in crowded in-game places hogs up to 5GB RAM out of the 8GB RAM installed; usually what happens is that it kills the game client, however now I had an entire system crash.
Because of my paranoia I instantly think about a remotely cracked computer.
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 42560
Location: 56N 3W
PostPosted: Thu Jan 26, 2017 12:23 pm    Post subject:

squirrelsoup,

We have had this discussion before. You should reread your previous thread.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
squirrelsoup
Tux's lil' helper
Joined: 29 Dec 2016
Posts: 98
PostPosted: Thu Jan 26, 2017 12:48 pm    Post subject:

Yes Neddy, I have read the previous thread very closely, and for me it boils down to: you never know if you got hacked.

In this particular case, I wonder what caused the system crash, because that does not seem healthy for the system.
I will change the topic title now.
Roman_Gruber
Advocate
Joined: 03 Oct 2006
Posts: 3806
Location: Austro Bavaria
PostPosted: Thu Jan 26, 2017 12:55 pm    Post subject:

Quote:
Jan 25 22:07:02 gewooneenkoeienprodbox kernel:
Jan 25 22:07:34 gewooneenkoeienprodbox gpasswd[20830]: user wtfuberkoeindebox added by root to group video
Jan 25 21:08:36 gewooneenkoeienprodbox shutdown[20844]: shutting down for system reboot
Jan 25 21:08:36 gewooneenkoeienprodbox init[1]: Switching to runlevel: 6
Jan 25 21:08:37 gewooneenkoeienprodbox openrc[20856]: Clock skew detected with `/etc/init.d'
Jan 25 21:08:37 gewooneenkoeienprodbox openrc[20856]: WARNING: clock skew detected!


What's up with your hardware / software clock?

Is this a broken installation, a not well maintained one?

Quote:
Jan 25 21:10:50 gewooneenkoeienprodbox pulseaudio[3921]: [pulseaudio] authkey.c: Failed to open cookie file '/home/wtfuberkoeindebox/.config/pulse/cookie': No such file or directory


Quote:
Jan 25 22:02:52 gewooneenkoeienprodbox dhcpcd[3749]: enp2s0: failed to renew DHCP, rebinding


Also, what's up with those cron jobs regularly spamming the log?

I never saw such a mess in a log.

Why do you block ICMP packets?

Quote:
Jan 25 21:40:22 gewooneenkoeienprodbox dhcpcd[3749]: enp2s0: dhcp_sendpacket: Operation not permitted


Why do you need to sniff your own network?

Quote:
Jan 25 22:37:01 gewooneenkoeienprodbox kernel: device enp2s0 left promiscuous mode


How come your software randomly crashes? Hardware broken? Bad compiler flags?

--

You should not mess around with your installation; use sane flags and properly maintained hardware.

When you want security, keep software to a bare minimum. More packages = more issues = more things to fix = more hidden security flaws...

Check your DHCP or set fixed values when you cannot allow those ICMP packets.

And use proper network names, not these new unreadable network names, where no one really knows what is what.

When you don't need it, don't install it or set flags for it.

I hardly know anyone who really needs IPv6.

Quote:
Jan 26 02:05:59 gewooneenkoeienprodbox dhcpcd[3571]: enp2s0: no IPv6 Routers available
squirrelsoup
Tux's lil' helper
Joined: 29 Dec 2016
Posts: 98
PostPosted: Thu Jan 26, 2017 4:47 pm    Post subject:

Hello Roman_Gruber, thank you for looking at my logs.

# What's up with your hardware / software clock?
The hardware/BIOS clock is always 1 hour behind the system clock, so if I set the right time in the BIOS, it automatically goes back 1 hour in time after booting.

# Is this a broken installation, a not well maintained one?
I think, because of my lack of knowledge about Gentoo, a not well maintained one.

# Also, what's up with those cron jobs regularly spamming the log?
I think that is because I installed cronie and added it to the default runlevel, but have never set it up.
For now I removed cronie; do I really need it anyway?

# Why do you block ICMP packets?
On my ufw firewall I block all in and out packets except: 443 udp/tcp - 53 udp/tcp - 80 tcp - 8080 tcp. So do I need to open up any other ports?

# Why do you need to sniff your own network?
I have no idea about this one.

# How come your software randomly crashes? Hardware broken? Bad compiler flags?
Yesterday I deselected a lot of modules in the genkernel to make it lighter; could that be the reason for the crash?
For now I will use a default genkernel setup, and I will not touch it until I learn more about Gentoo.

# Check your DHCP or set fixed values when you cannot allow those ICMP packets.
I have no idea how to do this.

# And use proper network names, not these new unreadable network names, where no one really knows what is what.
It is readable in Dutch :)

# I hardly know anyone who really needs IPv6.
I have no idea how to turn off IPv6.
ct85711
Veteran
Joined: 27 Sep 2005
Posts: 1691
PostPosted: Thu Jan 26, 2017 7:13 pm    Post subject:

Quote:
on my ufw firewall i block all in and out packets except: 443 udp/tcp - 53 udp/tcp - 80 tcp - 8080 tcp, so i need to open up any other ports?


On your firewall, are you actually hosting a website on your system? This is different from wanting to browse the web: when you browse/surf the web your system uses a random port for the source socket, which is addressed to the web server's port 80/443/etc. as the destination address.

Note: a socket is your IP address and port number.

As far as blocking ICMP goes, not all ICMP packets are a threat; some of them you need to make sure only originate from inside your network.

Quote:
# Whats up with your hardware / software clock?
the hardware/bios clock is always 1 hour behind on the system clock, so if i set the right time in bios, it automatically goes back 1 hour back in time after booting.

This sounds like an issue of one clock being set to run on local time and the other running on UTC time.

https://wiki.gentoo.org/wiki/System_time
lexflex
Guru
Joined: 05 Mar 2006
Posts: 343
Location: the Netherlands
PostPosted: Thu Jan 26, 2017 7:44 pm    Post subject:

squirrelsoup wrote:

# why do you need to sniff your own network?
i have no idea about this one.

You are using Wireshark:
Code:
Jan 25 20:45:55 gewooneenkoeienprodbox gpasswd[872]: user wtfuberkoeindebox added by root to group wireshark
Jan 25 20:46:01 gewooneenkoeienprodbox newgrp[882]: user 'root' (login 'wtfuberkoeindebox' on pts/0) switched to group 'wireshark'

So you must be contemplating looking into some network traffic.



PS: what is up with the cows?
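The log lines Roman_Gruber and lexflex picked out above (a user added to the video and wireshark groups, an interface leaving promiscuous mode, OpenRC's clock skew warning, the reboot) are exactly the kind of events worth pulling out of /var/log/messages before deciding whether a crash looks like an intrusion. The script below is an added example and not something posted in this thread: it does that triage with awk over the syslog layout ("Mon DD HH:MM:SS host program[pid]: text"), and the sample input it writes is copied from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): triage pass over /var/log/messages lines.
# Assumes the classic syslog line layout "Mon DD HH:MM:SS host program[pid]: text".

# Print one "TAG | original line" per event of interest in the file given as $1.
triage_messages() {
    awk '
        # A user added to a group by root (video, wireshark, ...): worth a second look.
        /gpasswd\[[0-9]+\]: user .* added by .* to group/ { print "GROUP-CHANGE | " $0; next }
        # An interactive group switch (here: into the wireshark group).
        /newgrp\[[0-9]+\]:.*switched to group/ { print "GROUP-SWITCH | " $0; next }
        # An interface entering or leaving promiscuous mode: a sniffer started or stopped.
        /kernel: device .* (entered|left) promiscuous mode/ { print "PROMISC | " $0; next }
        # OpenRC complaining that file timestamps lie in the future (hwclock vs. UTC mismatch).
        tolower($0) ~ /clock skew detected/ { print "CLOCK-SKEW | " $0; next }
        # Clean reboots, to tell them apart from hard resets, which leave no such line.
        /shutdown\[[0-9]+\]: shutting down for system reboot/ { print "REBOOT | " $0; next }
    ' "$1"
}

# Number of events carrying tag $1 in the file given as $2.
triage_count() {
    triage_messages "$2" | grep -c "^$1 |"
}

# Sample input: the lines quoted in this thread, written to a scratch file.
SAMPLE="${TMPDIR:-/tmp}/messages.sample.$$"
cat > "$SAMPLE" <<'EOF'
Jan 25 20:45:55 gewooneenkoeienprodbox gpasswd[872]: user wtfuberkoeindebox added by root to group wireshark
Jan 25 20:46:01 gewooneenkoeienprodbox newgrp[882]: user 'root' (login 'wtfuberkoeindebox' on pts/0) switched to group 'wireshark'
Jan 25 21:08:36 gewooneenkoeienprodbox shutdown[20844]: shutting down for system reboot
Jan 25 21:08:37 gewooneenkoeienprodbox openrc[20856]: Clock skew detected with `/etc/init.d'
Jan 25 21:08:37 gewooneenkoeienprodbox openrc[20856]: WARNING: clock skew detected!
Jan 25 21:10:50 gewooneenkoeienprodbox pulseaudio[3921]: [pulseaudio] authkey.c: Failed to open cookie file '/home/wtfuberkoeindebox/.config/pulse/cookie': No such file or directory
Jan 25 22:07:34 gewooneenkoeienprodbox gpasswd[20830]: user wtfuberkoeindebox added by root to group video
Jan 25 22:37:01 gewooneenkoeienprodbox kernel: device enp2s0 left promiscuous mode
EOF

# Run it on the sample; on a real box use: triage_messages /var/log/messages
triage_messages "$SAMPLE"
```

On the sample this prints seven tagged lines and skips the pulseaudio noise. Every tag here has an innocent explanation in the thread itself (the owner added himself to the wireshark group and ran Wireshark), which is the point: a group change or a promiscuous interface is only a finding when nobody on the box can account for it.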
squirrelsoup
Tux's lil' helper
Joined: 29 Dec 2016
Posts: 98
PostPosted: Thu Jan 26, 2017 8:35 pm    Post subject:

I have a stable network, so I do not wish to allow ICMP through the firewall; I will just ignore the error output in the log.

Yes, I used Wireshark, so that explains it.
As far as the topic of this thread goes, I suspect the system crash happened because I was building a custom-fit kernel. I cannot find the system crash in the log, so I am not 100% sure.
ct85711
Veteran
Joined: 27 Sep 2005
Posts: 1691
PostPosted: Thu Jan 26, 2017 9:11 pm    Post subject:

Quote:
I have a stable network, so I do not wish to allow ICMP through the firewall; I will just ignore the error output in the log.


Having a stable network and saying you don't need to look at the notification messages is the same as saying you have a working car and don't need to check the oil or add fuel to it. ICMP has several types, and some of them are generally a good thing to have on, while others are safe to ignore. When you look at IPv6, it uses ICMP quite heavily for a good portion of its functionality (IPv6 is enabled by default on Windows machines). I can see if you want to block ICMP Echo Request (pings coming in; Echo Reply is the answer to a ping) so that nobody can ping your machine, but you can still ping from the machine. Whereas ICMP Time Exceeded or Destination Unreachable is generally something you should allow, as it tells you that you were unable to get to the destination... Then you have ICMP Redirect, which is something you should not accept from outside your network (or at all), as it tells your system to redirect your traffic somewhere else (an easy man-in-the-middle attack)...
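ct85711's per-type advice above can be written down as an explicit inbound policy rather than the all-or-nothing "block ICMP" that squirrelsoup's ufw setup amounts to. The script below is an added example, not a configuration posted in this thread: it encodes that policy in a lookup function and prints (does not apply) the matching iptables rules. It assumes a stock iptables with the icmp and conntrack match modules and the INPUT chain; the type names are the symbolic names iptables accepts for --icmp-type.

```shell
#!/bin/sh
# Added example (not from the thread): inbound ICMP policy and the iptables
# rules that implement it. Assumes stock iptables (icmp + conntrack matches).

# Verdict (ACCEPT or DROP) for an inbound ICMP type that is NOT part of a flow
# we started; replies to our own pings are covered by the conntrack rule below.
icmp_inbound_policy() {
    case "$1" in
        destination-unreachable|time-exceeded|parameter-problem)
            echo ACCEPT ;;   # error reports: needed for path MTU discovery, traceroute, sane timeouts
        echo-request)
            echo DROP ;;     # outsiders need not ping this box; pinging out still works via conntrack
        redirect)
            echo DROP ;;     # rewrites the routing table: man-in-the-middle, never from outside
        *)
            echo DROP ;;     # default deny for everything else (timestamp, address mask, ...)
    esac
}

# Print the rule list without applying it; review it, then run it as root.
emit_icmp_rules() {
    # Anything belonging to a flow this host started (echo replies to its own
    # pings, errors about its own connections) is accepted first.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for t in destination-unreachable time-exceeded parameter-problem echo-request redirect; do
        echo "iptables -A INPUT -p icmp --icmp-type $t -j $(icmp_inbound_policy "$t")"
    done
    # Catch-all for ICMP types not listed above.
    echo "iptables -A INPUT -p icmp -j DROP"
}

emit_icmp_rules
```

With ufw the equivalent lines live in /etc/ufw/before.rules, which uses the same iptables syntax in the ufw-before-input chain. IPv6 needs its own ip6tables policy rather than a copy of this one: neighbour discovery and router advertisements run over ICMPv6, so dropping ICMPv6 wholesale breaks IPv6 entirely, which is what ct85711's remark about IPv6 using ICMP heavily comes down to.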
squirrelsoup
Tux's lil' helper
Joined: 29 Dec 2016
Posts: 98
PostPosted: Thu Jan 26, 2017 11:08 pm    Post subject:

About Wireshark being in promiscuous mode or something: does that mean I am more vulnerable?

With ufw you can block ICMP in and out, also for v6, which I think stands for IPv6.
squirrelsoup
Tux's lil' helper
Joined: 29 Dec 2016
Posts: 98
PostPosted: Mon Jan 30, 2017 1:16 pm    Post subject:

Question: does Wireshark in promiscuous mode make the system more vulnerable?
Roman_Gruber
Advocate
Joined: 03 Oct 2006
Posts: 3806
Location: Austro Bavaria
PostPosted: Mon Jan 30, 2017 11:09 pm    Post subject:

Fewer ebuilds installed, less software running is always the better choice.

Wireshark is a very intrusive tool.

I kicked iproute2 and anything Ruby related from my box recently, because it's lint in my point of view.

I do not use software which I do not understand => systemd => KDE is also very buggy => GNOME is very buggy.
I recommend that you avoid those big packages, where you can see on the ebuilds that they are too lazy to set ebuild dependencies, or which just pull in a big rat tail of packages. => k3b is the best example over many years.

--

When I really need a piece of software I will install and build it; my Ivy Bridge i7 notebook CPU is powerful enough. I'm not fond of having software which is hardly in use.

I encountered less fuss from portage recently because I have fewer of those fuss makers installed.

I am also not fond of IPv6. Do not use it when you do not need it, for example. I still have IPv4 from my ISP, and therefore why should I compile and bother with IPv6 then? I learnt about IPv4 years ago, I coded with / for IPv4. IPv6 just makes things too complicated.