Confused about outgoing packets being dropped by APF

Discussion in 'General Discussion' started by damainman, Jan 22, 2005.

  1. damainman

    Over the past few days I've noticed a steadily increasing spike of dropped outbound packets in APF, originating from my server.

    Today in my logwatch email it states the following:

    "Dropped 594 packets on interface eth0 From xxx.xxx.x.x - 593 packets"

    The normal amount of dropped packets has always been around 20 packets or so, which has been the case for over 8 months, but I've been noticing an increase in outbound packets being dropped.

    Looking at logwatch, I can see that the outgoing packets that are being dropped are being sent to multiple IPs and multiple ports. It ranges from 1 to 30 packets to each IP, with each packet being sent to a different port.

    This worried me, as to me it looked as if my server was possibly trying to do port scans, or may have some type of worm or trojan running. I've been trying for days to find the source of this issue. So I ran chkrootkit and rkhunter, as well as clamav scans.

    I've asked both my DC and my server management company if they can help me solve this problem and maybe investigate it further.

    My DC said that I shouldn't be worried because that is a small amount of packets being dropped, and it's most likely due to the increasing amount of traffic coming from my server. To investigate the issue further, I would be charged. So I asked if they can at least give me an idea or something on what might be the cause. Here is what they said "

    Now this was confusing me because both my DC and my management company were saying this is normal, and not to worry about it. To me it doesn't look like normal behavior for the server to just be sending out packets to random IPs and ports (that are closed by the firewall).

    Well, I had the server management company look into it further, but as I said, they said it was normal too. However, they made some adjustments to APF to see if it would solve the issue, but the problem didn't go away.

    Then they tried what my DC said above, and replied back to me with this:
    I'm running a RHE/Cpanel/Fantastico server.

    My questions are basically:

    1. Is this abnormal behavior for a webserver, or am I just being paranoid?
    2. Is there any way to find out what's causing the packets to be sent out, and track the origin?
    3. What would you do in this situation?

    Thank you in advance for all replies.
     
    #1 damainman, Jan 22, 2005
    Last edited: Jan 22, 2005
  2. chirpy

    1. Probably normal
    2. Yes
    3. I'd do 2 ;)

    OK, rather than go to the lengths that your DC is suggesting, you really need to just check the logs in /var/log/messages with something like:

    grep OUT_ messages

    If you have iptables logging enabled, this will probably produce a nice stream of the actual log messages that logwatch abbreviates. The pertinent information in each line is:

    SRC= should be an IP address on your server
    DST= the IP where the failed connection was going to
    PROTO= UDP or TCP protocol
    SPT= this is the source port on your server and the most important
    DPT= port on the DST it was trying to connect to

    From the DPT you should be able to establish where the connection originates from (e.g. 80 for apache, 53 for bind, etc). If you could paste a sample in here, it would be easier to pass judgement.
     
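    The field-by-field reading chirpy describes can be automated. The following is an added example, not code from the thread or from APF: it parses constructed OUT_ drop lines in the shape iptables writes to /var/log/messages (the "** OUT_TCP DROP **" prefix wording is assumed), groups them by the local service port, and separates late replies from a listening service from fresh outbound connection attempts made from ephemeral ports, which is the pattern worth a closer look.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread); the log prefix is assumed to be
# what APF's DROP_LOG/EXLOG produce, the IP addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 22 10:15:01 web kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=80 DPT=40123 ACK
Jan 22 10:15:02 web kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP SPT=80 DPT=51877 ACK
Jan 22 10:15:03 web kernel: ** OUT_UDP DROP ** IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 PROTO=UDP SPT=53 DPT=3201
Jan 22 10:15:04 web kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.20 PROTO=TCP SPT=41000 DPT=6667 SYN
Jan 22 10:15:05 web kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.21 PROTO=TCP SPT=41001 DPT=6667 SYN
Jan 22 10:15:06 web kernel: ** IN_TCP DROP ** IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=5555 DPT=22 SYN
"""

# Well-known local service ports; a packet leaving from one of these is the
# server answering a client (e.g. 80 for apache, 53 for bind), not a new connection.
KNOWN_SERVICES = {80: "apache", 443: "apache/ssl", 53: "bind", 25: "exim",
                  110: "pop3", 143: "imap", 21: "ftp"}

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

def parse_out_drops(text):
    """Return one dict per dropped outbound line (the OUT_ lines chirpy greps for)."""
    rows = []
    for line in text.splitlines():
        if "OUT_" not in line or " DROP " not in line:
            continue
        f = dict(FIELD_RE.findall(line))
        f["SPT"], f["DPT"] = int(f["SPT"]), int(f["DPT"])
        # SYN without ACK is a brand-new connection attempt rather than a late reply.
        f["SYN"] = " SYN" in line and " ACK" not in line
        rows.append(f)
    return rows

def summarize(rows):
    """Group drops by originating local service (known SPT) or, for ephemeral
    source ports, by the remote port being targeted, counting hosts and new SYNs."""
    groups = defaultdict(lambda: {"packets": 0, "hosts": set(), "new_connections": 0})
    for r in rows:
        if r["SPT"] in KNOWN_SERVICES:
            key = f"local {KNOWN_SERVICES[r['SPT']]} (spt {r['SPT']})"
        else:
            key = f"ephemeral source -> remote port {r['DPT']}"
        g = groups[key]
        g["packets"] += 1
        g["hosts"].add(r["DST"])
        g["new_connections"] += int(r["SYN"])
    return {k: {"packets": g["packets"], "remote_hosts": len(g["hosts"]),
                "new_connections": g["new_connections"],
                "verdict": "service reply, likely benign" if k.startswith("local")
                           else "outbound connect from ephemeral port, investigate"}
            for k, g in groups.items()}
```

    Run it over real lines with `summarize(parse_out_drops(open("/var/log/messages").read()))`; groups flagged "investigate" point at a local process making new outbound connections, which `netstat -p` or `lsof -i` run as root will map to a PID.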
  3. damainman

    Thanks for responding chirpy :)

    Offtopic:

    While running top I saw the following processes running as root:

    mdadm --monitor --scan -f
    mdmpd
    mdmpd
    mdrecoveryd


    I looked up the processes on Google, and from what I gather it's used for RAID devices/software. However, I'm not using RAID on my server. Is that normal?
     
    #3 damainman, Jan 22, 2005
    Last edited: Jan 22, 2005
  4. chirpy

    It is normal for those processes to be running; however, if you're not using RAID you can safely stop and disable them:

    /etc/init.d/mdmpd stop
    /etc/init.d/mdmonitor stop
    chkconfig mdmpd off
    chkconfig mdmonitor off


    WRT the firewall, do you use APF? If so, do you have the following set in /etc/apf/conf.apf:

    DROP_LOG="1"
    EXLOG="1"
     
  5. damainman

    Yes, those are in my apf config, with the same settings as you have, and uncommented.
     
  6. damainman

    Okay, today I received the logwatch report for yesterday and the dropped outgoing packets jumped to: 2801 :confused:
     
  7. JP-HOST

    try grep OUT_ /var/log/messages :cool:
     