mandi is flooding my journal

Post by jaywalker » Mar 5th, '16, 18:22

I would love to have some help to do two things; stop mandi from writing "skipping known address: xxx.xxx.xxx.xxx" into the journal every second and understand why it is happening in the first place.

My best guess at stopping it is to disable mandi. If I knew why it is happening I may be able to do something about that instead. Generally speaking I would prefer to have an interactive firewall as the pop-up notifications are often useful, so disabling mandi is not my first choice.

On the other hand, this behaviour is very ... anti-social. The messages appear benign, but still they are being written with crazed persistence which is suggestive of a real problem. It is hard enough to keep the size of the journal under control without a manic process scribbling inanities into it - 3600 times per hour!

Any help gratefully received...

Richard

Re: mandi is flooding my journal

Post by doktor5000 » Mar 6th, '16, 00:28

Could you show one such message completely and also mention what IP address that is, if it's a local one from your LAN or a remote one?
Please also show the output as root of
Code:
journalctl -ab| grep -iE "mandi|ifw"


FWIW, another Mageia user seems to have the same messages: https://forum.owncloud.org/viewtopic.php?t=31757
He's also registered here so you could ask him directly: memberlist.php?mode=viewprofile&u=1038
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts

Re: mandi is flooding my journal

Post by jaywalker » Mar 6th, '16, 17:50

First things first. The address is a local one. It is one of two Mageia 5 desktops at this location which are both running x2go sessions for me. I am using these sessions from a third room in the house. Both "remote" sessions have sound enabled. As I still (+2 years and counting) have not mastered the documented method of tunnelling x2go session sound over ssh I have configured my local firewall to accept 4713/tcp connections and I get acceptable performance from both of the "remote" desktops on my LAN.

The full text of the error message written by mandi - specifically in
static void process_attack(plugin_t *, DBusConnection *, int, msg_usr_t *)
- is as quoted, where the xxx address is, in my case, 192.168.1.80.

The extra stuff is just the usual added in the journal; date/time, host name and process name/id. The process is, of course, mandi.

The strange thing is that right at this moment I have unattended sessions (x2go) running on both of the other Mageia 5 desktops but only one of them is spamming my journal. I begin to suspect some difference in the way the x2go connections for the remote servers have been configured, but there is nothing obvious.

The conditions under which mandi will fire off this message, which despite its casual appearance appears to be intended as an attack warning, are difficult to determine without a closer analysis of the workings of mandi, but on the face of it it seems to be any address which has already appeared in things called the black list, the white list and the report list - that looks quite comprehensive. The question now seems to be why does one remote x2go session produce the response from mandi whilst the other one does not?

For completeness I ran your suggested command
Code:
journalctl -ab| grep -iE "mandi|ifw"
but there is little point in reporting the result here as at this moment it results only in 2311 lines of the type already described covering the time from 15:05:13 to 15:43:44. The first two lines are:
Code:
Mar 06 15:05:12 attica.local kernel: IFWLOG: register target
Mar 06 15:05:13 attica.local mandi[2232]: skipping known address: 192.168.1.80


Would you agree that one of these two x2go sessions is producing connection attempts to my local pulse audio which look to mandi like attacks?

Richard

PS. I saw that Owncloud stuff yesterday but found it hard to understand as I have no knowledge of Owncloud or its use in a LAN.
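Added example, not part of any post in this thread: a shell function that condenses the journal output discussed above into one line per address (total messages, first and last timestamp, peak messages in a single minute), which shows at a glance which host is triggering mandi. The sample lines are constructed from the two quoted above; the address 192.168.1.81 and the extra timestamps are made up for illustration.

```shell
#!/bin/sh
# Summarise mandi "skipping known address" lines read from stdin.
# One output line per address, in order of first appearance.
mandi_flood_summary() {
    awk '
    /mandi\[[0-9]+\]: skipping known address: / {
        addr   = $NF                              # address is the last field
        stamp  = $1 " " $2 " " $3                 # e.g. "Mar 06 15:05:13"
        minute = $1 " " $2 " " substr($3, 1, 5)   # e.g. "Mar 06 15:05"
        if (!(addr in total)) { first[addr] = stamp; order[++n] = addr }
        total[addr]++
        last[addr] = stamp
        c = ++permin[addr SUBSEP minute]
        if (c > peak[addr]) peak[addr] = c
    }
    END {
        for (i = 1; i <= n; i++) {
            a = order[i]
            printf "%s total=%d first=\"%s\" last=\"%s\" peak_per_min=%d\n",
                   a, total[a], first[a], last[a], peak[a]
        }
    }'
}

# Constructed sample input in the format of the journal lines quoted above.
sample_journal() {
    cat <<'EOF'
Mar 06 15:05:12 attica.local kernel: IFWLOG: register target
Mar 06 15:05:13 attica.local mandi[2232]: skipping known address: 192.168.1.80
Mar 06 15:05:14 attica.local mandi[2232]: skipping known address: 192.168.1.80
Mar 06 15:05:15 attica.local mandi[2232]: skipping known address: 192.168.1.80
Mar 06 15:06:02 attica.local mandi[2232]: skipping known address: 192.168.1.81
Mar 06 15:06:03 attica.local mandi[2232]: skipping known address: 192.168.1.80
EOF
}

sample_journal | mandi_flood_summary
```

On a live system the same function can be fed from the journal as root with `journalctl -ab | mandi_flood_summary`.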

Re: mandi is flooding my journal

Post by doktor5000 » Mar 6th, '16, 20:15

Well, I don't use mandi myself and I don't know what the devices on your network are doing, so cannot help you with that.
You could try to add those two hosts to /etc/ifw/whitelist or via the GUI.

I've asked one of the developers that worked on mandi previously to take a look at this, if you're lucky he might drop by.

