# gentoo system crash

## squirrelsoup

today while i was playing an online game my gentoo box crashed hard. i had to hard reset it; the keyboard and mouse did not respond.

i have been customizing the genkernel slightly however i am not sure if my gentoo box got hacked.

i have little knowledge about Linux, can someone look into my log files to see what caused the system crash?

Xorg.0.log - https://paste.pound-python.org/show/J116odahtRl6rAogke8Q/

messages - https://paste.pound-python.org/show/MVILFdVzy2MJYZpUF4nJ/

dmesg - https://paste.pound-python.org/show/wOILcrL5TisvmTlVSzBD/

genkernel.log - https://paste.pound-python.org/show/qnQjAvu0kEcExvvXbskr/

i also noticed this in my aide check:

```
Directory: /lib64/rc/console
 Mtime    : 2017-01-26 05:36:55              , 2017-01-26 12:19:52
 Ctime    : 2017-01-26 05:36:55              , 2017-01-26 12:19:52
File: /lib64/rc/console/keymap
 Mtime    : 2017-01-26 05:36:55              , 2017-01-26 12:19:52
 Ctime    : 2017-01-26 05:36:55              , 2017-01-26 12:19:52
File: /lib64/rc/console/unicode
 Mtime    : 2017-01-26 05:36:55              , 2017-01-26 12:19:52
 Ctime    : 2017-01-26 05:36:55              , 2017-01-26 12:19:52
```

did my box get pwned or did something else cause the system crash?
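The AIDE snippet above lists, for each changed path, the attribute name followed by the old and new value. An added example (not from this thread and not part of AIDE) showing how a reviewer can turn such a report into records and apply the one check that matters most for an integrity review: mtime can be set freely from user space, ctime cannot, so an entry whose ctime moved while its mtime did not is worth explaining, while a group of paths whose mtime and ctime all moved together to the same second points at one event (a boot script or package install) rather than individual edits. The report text below is constructed: the three console entries mirror the poster's snippet, and `/usr/bin/example-tool` is a made-up ctime-only entry added to show the other pattern.

```python
"""Parse an AIDE change report and flag timestamp patterns.

Added example, not code from the forum thread or from AIDE itself.
Only attribute lines of the form " Name : old , new" are parsed; AIDE
prints hashes (SHA256 etc.) across two lines in a different layout,
which this example ignores.
"""
import re
from collections import defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"
HEADER_RE = re.compile(r"^(Directory|File|Link): (\S+)\s*$")
ATTR_RE = re.compile(r"^\s+(\w+)\s*:\s*(.+?)\s*,\s*(.+?)\s*$")

# Constructed sample modelled on the thread's snippet; the last entry is
# made up to show a ctime-only change (mtime absent because it did not move).
SAMPLE_REPORT = """\
Directory: /lib64/rc/console
 Mtime    : 2017-01-26 05:36:55              , 2017-01-26 12:19:52
 Ctime    : 2017-01-26 05:36:55              , 2017-01-26 12:19:52
File: /lib64/rc/console/keymap
 Mtime    : 2017-01-26 05:36:55              , 2017-01-26 12:19:52
 Ctime    : 2017-01-26 05:36:55              , 2017-01-26 12:19:52
File: /lib64/rc/console/unicode
 Mtime    : 2017-01-26 05:36:55              , 2017-01-26 12:19:52
 Ctime    : 2017-01-26 05:36:55              , 2017-01-26 12:19:52
File: /usr/bin/example-tool
 Ctime    : 2016-11-02 09:00:00              , 2017-01-26 12:20:10
"""


def parse_aide_report(text):
    """Return a list of {'kind', 'path', 'changes'} records.

    'changes' maps attribute name -> (old value, new value) as strings."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"kind": m.group(1), "path": m.group(2), "changes": {}}
            entries.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current["changes"][m.group(1)] = (m.group(2), m.group(3))
    return entries


def _ts(value):
    return datetime.strptime(value, TS_FMT)


def classify(entry):
    """Label one entry by how its mtime and ctime moved."""
    ch = entry["changes"]
    has_m, has_c = "Mtime" in ch, "Ctime" in ch
    if has_c and not has_m:
        # inode metadata changed (chmod, chown, or a rewrite whose mtime
        # was reset afterwards); ctime cannot be faked from user space
        return "ctime-only"
    if has_m and has_c:
        m_old, m_new = map(_ts, ch["Mtime"])
        c_old, c_new = map(_ts, ch["Ctime"])
        if m_new < c_new:
            return "mtime-behind-ctime"   # mtime set back after the change
        if m_old == c_old and m_new == c_new:
            return "rewritten"            # plain write, nothing hidden
    return "other"


def group_by_shift(entries):
    """Group paths by their (old mtime, new mtime) pair.

    Many paths sharing one pair were touched by a single event."""
    groups = defaultdict(list)
    for e in entries:
        if "Mtime" in e["changes"]:
            groups[e["changes"]["Mtime"]].append(e["path"])
    return dict(groups)


def review(text):
    """Map each changed path in an AIDE report to its classification."""
    return {e["path"]: classify(e) for e in parse_aide_report(text)}


if __name__ == "__main__":
    for path, verdict in review(SAMPLE_REPORT).items():
        print(f"{verdict:18} {path}")
    for shift, paths in group_by_shift(parse_aide_report(SAMPLE_REPORT)).items():
        print(f"{len(paths)} paths moved {shift[0]} -> {shift[1]}")
```

The verdicts are a starting point for questions, not answers: a ctime-only entry may be a harmless permission change, and `rewritten` only says the timestamps are self-consistent. Comparing the same report against the package manager's own file list (on Gentoo, `qcheck` from portage-utils) is the next step for any entry that is not explained by a known install or boot-time regeneration.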

----------

## lexflex

Hi,

Isn't it more likely the system overheated during gaming ?

Btw, if you say 'online game'  , do you mean an ' in browser' game ? 

Maybe start monitoring your temperature and see if the systems stays cool enough when playing...

Alex.

----------

## squirrelsoup

it's not a browser game, it's a client that runs on OpenGL. i regularly check lm_sensors for temperature, but at the moment the crash happened i did not check. i doubt it is anything temperature related.

i was however vacuum cleaning my desk near my computer at the time of the crash.

also recently i noticed that the game client (runescape) at crowded in-game places hogs up to 5GB ram out of 8GB ram installed. usually what happens is that it kills the game client, however now i had an entire system crash.

because of my paranoia i instantly think about a remotely cracked computer.

----------

## NeddySeagoon

squirrelsoup,

We have had this discussion before.  You should reread your previous thread.

----------

## squirrelsoup

yes Neddy, i have read the previous thread very closely, and for me it boils down to: you never know if you got hacked.

in this particular case, i wonder what has caused the system crash, because that does not seem healthy for the system.

i will change the topic title now.

----------

## Roman_Gruber

 *Quote:*   

> Jan 25 22:07:02 gewooneenkoeienprodbox kernel: 
> 
> Jan 25 22:07:34 gewooneenkoeienprodbox gpasswd[20830]: user wtfuberkoeindebox added by root to group video
> 
> Jan 25 21:08:36 gewooneenkoeienprodbox shutdown[20844]: shutting down for system reboot
> ...

 

What's up with your hardware / software clock?

Is this a broken installation, not well maintained one?

 *Quote:*   

> Jan 25 21:10:50 gewooneenkoeienprodbox pulseaudio[3921]: [pulseaudio] authkey.c: Failed to open cookie file '/home/wtfuberkoeindebox/.config/pulse/cookie': No such file or directory

 

 *Quote:*   

> Jan 25 22:02:52 gewooneenkoeienprodbox dhcpcd[3749]: enp2s0: failed to renew DHCP, rebinding

 

Also what's up with those cron jobs regularly spamming in the log?

I never saw such a mess in a log

why do you block icmp packets?

 *Quote:*   

> Jan 25 21:40:22 gewooneenkoeienprodbox dhcpcd[3749]: enp2s0: dhcp_sendpacket: Operation not permitted

 

why do you need to sniff your own network?

 *Quote:*   

> Jan 25 22:37:01 gewooneenkoeienprodbox kernel: device enp2s0 left promiscuous mode

 

how come your software randomly crashes? Hardware broken? bad compiler flags?

--

you should not mess around with your installation, use sane flags, and proper maintained hardware.

when you want security, keep software to a bare minimum. more packages = more issues = more things to fix = more hidden security flaws...

check your dhcp or set fixed values when you can not allow those icmp packets.

and use proper network names, not these new unreadable network names, which no one really knows what is what

when you don't need it, don't install it or set flags for it

i hardly know anyone who really needs ipv6

 *Quote:*   

> Jan 26 02:05:59 gewooneenkoeienprodbox dhcpcd[3571]: enp2s0: no IPv6 Routers available

 

----------

## squirrelsoup

Hello Roman_Gruber, thank you for looking at my logs,

> What's up with your hardware / software clock?

the hardware/bios clock is always 1 hour behind on the system clock, so if i set the right time in bios, it automatically goes back 1 hour in time after booting. 

> Is this a broken installation, not well maintained one? 

i think because of my lack of knowledge about gentoo, a not well maintained one.

> Also what's up with those cron jobs regularly spamming in the log?

i think that is because i installed cronie and added it to the default runlevel, but have never set it up.

for now i removed cronie, do i really need it anyway?

> why do you block icmp packets?

on my ufw firewall i block all in and out packets except: 443 udp/tcp - 53 udp/tcp - 80 tcp - 8080 tcp, so do i need to open up any other ports?

> why do you need to sniff your own network?

i have no idea about this one.

> how come your software randomly crashes? Hardware broken? bad compiler flags? 

yesterday i deselected a lot of modules in the genkernel to make it lighter, could that be the reason for the crash?

for now i will use a default genkernel setup, and i will not touch it until i learn more about gentoo.

> check your dhcp or set fixed values when you can not allow those icmp packets.

i have no idea how to do this.

> and use proper network names, not these new unreadable network names, which no one really knows what is what

it is readable in Dutch :)

> i hardly know anyone who really needs ipv6 

i have no idea how to turn off ipv6

----------

## ct85711

 *Quote:*   

> on my ufw firewall i block all in and out packets except: 443 udp/tcp - 53 udp/tcp - 80 tcp - 8080 tcp, so do i need to open up any other ports? 

 

On your firewall, are you actually hosting a website on your system?  This is different from wanting to browse the web, in that when you browse/surf the web your system uses a random port for the source socket, which is addressed to the web server's port 80/443/etc. for the destination address.

Note:  socket is your IP address and port number.

As far as blocking ICMP, not all ICMP packets are a threat; some of them you need to make sure only originate from inside your network.

 *Quote:*   

> What's up with your hardware / software clock?
> 
> the hardware/bios clock is always 1 hour behind on the system clock, so if i set the right time in bios, it automatically goes back 1 hour in time after booting. 

 

This is sounding like an issue of one clock being set to run on local time and the other running on UTC time.

https://wiki.gentoo.org/wiki/System_time

----------

## lexflex

 *squirrelsoup wrote:*   

> why do you need to sniff your own network?
> 
> i have no idea about this one.
> ...

 

You are using Wireshark:

```
Jan 25 20:45:55 gewooneenkoeienprodbox gpasswd[872]: user wtfuberkoeindebox added by root to group wireshark
Jan 25 20:46:01 gewooneenkoeienprodbox newgrp[882]: user 'root' (login 'wtfuberkoeindebox' on pts/0) switched to group 'wireshark'
```

So you must be contemplating looking into some network traffic.

PS: what is up with the cows ?
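The two log lines quoted in this post, together with the "left promiscuous mode" kernel line quoted earlier in the thread, are exactly the trail a defender looks for when a capture tool appears on a box: a group-membership change that grants capture rights, followed by an interface entering promiscuous mode. An added example (not code from this thread) that parses syslog-style lines for those two event types and reports each promiscuous-mode entry as explained, when a capture-group membership change preceded it within a window, or unexplained. The sample lines are constructed: the gpasswd, newgrp and "left promiscuous mode" lines copy the ones quoted in the thread, the two "entered promiscuous mode" lines are made up, the year (absent from syslog stamps) is assumed to be 2017, and the 24-hour window and the set of capture groups are assumptions.

```python
"""Correlate group-membership changes with promiscuous-mode events.

Added example, not code from the forum thread.  Syslog lines carry no
year, so YEAR is assumed; WINDOW and CAPTURE_GROUPS are assumptions too.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
GROUP_ADD_RE = re.compile(r"user (\S+) added by (\S+) to group (\S+)")
PROMISC_RE = re.compile(r"device (\S+) (entered|left) promiscuous mode")

CAPTURE_GROUPS = {"wireshark", "pcap"}   # groups that grant capture rights
WINDOW = timedelta(hours=24)             # how far back to look for a cause
YEAR = 2017                              # syslog stamps omit the year

# Constructed sample: lines 1, 2 and 4 copy the thread's quoted entries,
# lines 3 and 5 are made up to show an explained and an unexplained case.
SAMPLE_LOG = [
    "Jan 25 20:45:55 gewooneenkoeienprodbox gpasswd[872]: user wtfuberkoeindebox added by root to group wireshark",
    "Jan 25 20:46:01 gewooneenkoeienprodbox newgrp[882]: user 'root' (login 'wtfuberkoeindebox' on pts/0) switched to group 'wireshark'",
    "Jan 25 20:47:10 gewooneenkoeienprodbox kernel: device enp2s0 entered promiscuous mode",
    "Jan 25 22:37:01 gewooneenkoeienprodbox kernel: device enp2s0 left promiscuous mode",
    "Jan 27 03:12:44 gewooneenkoeienprodbox kernel: device enp2s0 entered promiscuous mode",
]


def parse_stamp(stamp):
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def parse_events(lines):
    """Extract group_add and promisc events; everything else is ignored."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        when, prog, msg = parse_stamp(m["stamp"]), m["prog"], m["msg"]
        if prog == "gpasswd":
            g = GROUP_ADD_RE.search(msg)
            if g:
                events.append({"when": when, "kind": "group_add",
                               "user": g.group(1), "by": g.group(2),
                               "group": g.group(3)})
        elif prog == "kernel":
            p = PROMISC_RE.search(msg)
            if p:
                events.append({"when": when, "kind": "promisc",
                               "iface": p.group(1), "state": p.group(2)})
    return events


def correlate(events):
    """For each interface entering promiscuous mode, look back WINDOW for a
    membership change into a capture group that would account for it."""
    findings = []
    for ev in events:
        if ev["kind"] != "promisc" or ev["state"] != "entered":
            continue
        prior = [
            g for g in events
            if g["kind"] == "group_add" and g["group"] in CAPTURE_GROUPS
            and timedelta(0) <= ev["when"] - g["when"] <= WINDOW
        ]
        findings.append({
            "when": ev["when"],
            "iface": ev["iface"],
            "status": "explained" if prior else "unexplained",
            "context": [f"{g['user']} added to {g['group']} by {g['by']} "
                        f"at {g['when']:%b %d %H:%M:%S}" for g in prior],
        })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE_LOG)):
        print(f"{f['when']:%b %d %H:%M:%S} {f['iface']} promiscuous: {f['status']}")
        for line in f["context"]:
            print("    " + line)
```

An "unexplained" result does not by itself mean compromise: a capture started by a user who was already in the group, or by root directly, leaves no gpasswd line. It does mean the event needs a matching shell history, cron or service start to account for it, which is the same standard the poster was asking about for the crash.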

----------

## squirrelsoup

i have a stable network so i do not wish to allow ICMP through the firewall, i will just ignore the error output in the log

yes i used wireshark so that explains

as far as the topic of this thread, i suspect the system crash happened because i was building a custom fit kernel. i can not find the system crash in the log, so i am not 100% sure

----------

## ct85711

 *Quote:*   

> i have a stable network so i do not wish to allow ICMP through the firewall, i will just ignore the error output in the log 

 

Having a stable network and saying you don't need to look at the notification messages is the same as saying you have a working car and don't need to check the oil or add fuel to it.  ICMP has several types, and some of them are generally a good thing to have on, while others are safe to ignore.  When you look at IPv6, it uses ICMP quite heavily for a good portion of the functionality (IPv6 is enabled by default for Windows machines).  I can see if you want to block ICMP Echo Request (pings coming in; Echo Reply is answering the ping) so others can't ping your machine, but you can still ping from the machine.  Whereas ICMP Time Exceeded or Destination Unreachable is generally something you should allow, as it says that you were unable to get to the destination...  Then you have ICMP Redirect, which is something you should not accept from outside your network (or at all), as that tells your system to redirect your traffic to somewhere else (easy Man in the Middle attack)...
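The type-by-type advice in this post (drop inbound echo requests if you like, keep accepting Destination Unreachable and Time Exceeded, never accept Redirects, and remember that IPv6 depends on ICMPv6) can be applied mechanically to the lines a ufw or netfilter `LOG` rule writes. An added example, not code from this thread or from ufw, that parses such lines and labels each dropped ICMP message as an acceptable drop, a drop that loses a useful error signal, or a drop that is required. The log lines are constructed in the `IN=... PROTO=ICMP TYPE=... CODE=...` layout that netfilter's LOG target produces, with documentation addresses; the verdict tables follow the post for ICMPv4 and extend it to the corresponding ICMPv6 types (error messages 1 to 4, echo 128/129, neighbour discovery 133 to 137), which is an extension beyond the post.

```python
"""Assess dropped ICMP messages in ufw/netfilter LOG lines.

Added example, not code from the forum thread or from ufw.  Verdicts:
  ok-to-drop    blocking is a legitimate choice (being unpingable)
  should-allow  dropping this loses error signalling the stack needs
  must-drop     accepting this would let a third party steer your traffic
  review        type not covered by the policy table
"""
import re
from collections import Counter

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# ICMPv4 types, mapped per the post above
ICMP4_POLICY = {
    0: "should-allow",   # Echo Reply: answers to pings we sent
    3: "should-allow",   # Destination Unreachable
    11: "should-allow",  # Time Exceeded
    8: "ok-to-drop",     # Echo Request: refusing inbound pings is a choice
    5: "must-drop",      # Redirect: lets a sender rewrite our routing
}
# ICMPv6 types (assumed extension of the same reasoning; RFC 4890 style)
ICMP6_POLICY = {
    1: "should-allow", 2: "should-allow",     # Dest Unreachable, Packet Too Big
    3: "should-allow", 4: "should-allow",     # Time Exceeded, Parameter Problem
    128: "ok-to-drop", 129: "should-allow",   # Echo Request / Echo Reply
    133: "should-allow", 135: "should-allow", # Router/Neighbour Solicitation
    136: "should-allow",                      # Neighbour Advertisement
    134: "review",                            # Router Advertisement: trust of the link
    137: "must-drop",                         # Redirect
}

# Constructed sample lines in netfilter LOG layout (documentation addresses)
SAMPLE_FW_LOG = [
    "kernel: [UFW BLOCK] IN=enp2s0 OUT= SRC=192.0.2.10 DST=192.0.2.20 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1",
    "kernel: [UFW BLOCK] IN=enp2s0 OUT= SRC=198.51.100.1 DST=192.0.2.20 PROTO=ICMP TYPE=3 CODE=3",
    "kernel: [UFW BLOCK] IN=enp2s0 OUT= SRC=198.51.100.1 DST=192.0.2.20 PROTO=ICMP TYPE=11 CODE=0",
    "kernel: [UFW BLOCK] IN=enp2s0 OUT= SRC=192.0.2.1 DST=192.0.2.20 PROTO=ICMP TYPE=5 CODE=1",
    "kernel: [UFW BLOCK] IN= OUT=enp2s0 SRC=192.0.2.20 DST=198.51.100.9 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1",
    "kernel: [UFW BLOCK] IN=enp2s0 OUT= SRC=2001:db8::1 DST=2001:db8::20 PROTO=ICMPv6 TYPE=135 CODE=0",
]


def parse_fw_log(line):
    """Return {'proto','type','code','direction','src','dst'} or None."""
    fields = dict(FIELD_RE.findall(line))
    if not fields.get("PROTO", "").startswith("ICMP") or "TYPE" not in fields:
        return None
    return {
        "proto": fields["PROTO"],
        "type": int(fields["TYPE"]),
        "code": int(fields.get("CODE", "0")),
        "direction": "in" if fields.get("IN") else "out",
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
    }


def assess_drop(rec):
    """Say whether dropping this message was fine, harmful, or required."""
    if rec is None:
        return "review"
    v6 = rec["proto"] == "ICMPv6"
    policy = ICMP6_POLICY if v6 else ICMP4_POLICY
    echo_request = 128 if v6 else 8
    if rec["direction"] == "out" and rec["type"] == echo_request:
        return "should-allow"   # the post: you still want to ping *from* the box
    return policy.get(rec["type"], "review")


def summarize(lines):
    """Count verdicts over all ICMP lines in a log excerpt."""
    counts = Counter(assess_drop(r) for r in map(parse_fw_log, lines) if r)
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_FW_LOG:
        rec = parse_fw_log(line)
        print(f"{assess_drop(rec):13} {rec['proto']} type {rec['type']} "
              f"{rec['direction']} {rec['src']} -> {rec['dst']}")
    print(summarize(SAMPLE_FW_LOG))
```

Two notes on using the verdicts: a firewall with a `RELATED,ESTABLISHED` accept rule already admits the error messages that belong to the host's own connections, so "should-allow" drops mostly show up when that rule is missing or ordered after the drop; and Redirects are best refused at the kernel as well, with `net.ipv4.conf.all.accept_redirects = 0` and the `net.ipv6` equivalent, so that a firewall mistake cannot reopen them.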

----------

## squirrelsoup

about wireshark being in promiscuous mode or something, does that mean i am more vulnerable?

with ufw you can block icmp in and out also for v6 which i think stands for ipv6

----------

## squirrelsoup

Question: does wireshark in promiscuous mode make the system more vulnerable?

----------

## Roman_Gruber

Less ebuilds installed, less software running is always the better choice.

wireshark is a very intrusive tool. 

kicked iproute2, anything ruby related, recently from my box because its lint in my point of view.

I do not use software which i do not understand => systemd => kde is also very buggy => gnome is very buggy

I recommend that you avoid those big packages, where you can see on the ebuilds they are too lazy to set ebuild dependencies, or which just pull in a big rat tail of packages. => k3b is the best example over many years. 

--

When I really need a software I will install and build it, my ivybridge i7 notebook cpu is powerful enough. I'm not fond of having software which is hardly in use.

I encountered recently less fuss from portage because I have less of those fuss makers installed.

I am also not fond of ipv6. do not use it when you do not need it, for example. i still have ipv4 from my isp, and therefore why should i compile, bother with ipv6 then? i learnt about ipv4 years ago, i coded with / for ipv4. ipv6 just makes things too complicated.

----------

