The Community Forums


CSF: TCP_OUT Blocked

Discussion in 'Security' started by GoWilkes, Oct 11, 2013.

  1. GoWilkes

    GoWilkes Well-Known Member

    Joined:
    Sep 26, 2006
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I've been having a problem for a few days with sites on my server having intermittent lag time. After a lot of digging, I've isolated the problem down to CSF v. 6.36 (I disabled it entirely, and no more lag time).

    From 10/1/13 until now, only 3 IPs from the United States have been blocked, and they were obviously hack attempts, so I don't think that's the issue. The most suspicious thing is a ton of these in /var/log/messages:

    Code:
    Oct 10 21:07:06 server01 kernel: Firewall: *TCP_OUT Blocked* IN= OUT=bond0 SRC=x.x.x.2 DST=x.x.x.223 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31611 DF PROTO=TCP SPT=50653 DPT=48002 WINDOW=5840 RES=0x00 SYN URGP=0 UID=0
    
    Code:
    Oct 11 00:41:12 server01 kernel: Firewall: *UDP_OUT Blocked* IN= OUT=bond0 SRC=x.x.x.2 DST=255.255.255.255 LEN=220 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=52315 DPT=48002 LEN=200 UID=0 
    
    I'm seeing 100 lines in 13 minutes at almost 1am, and almost all of them are like these.

    There's nothing suspicious in /tmp/, and a Quick Security Scan, ClamAV, and scan with rkhunter found no problems.

    What do I do here? Is this an issue of a port being closed that should be open, or a port being open that should be closed? Or should one of those two IPs be denied? Or something else?
     
    #1 GoWilkes, Oct 11, 2013
    Last edited: Oct 11, 2013
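A small triage helper for the kernel log lines quoted above, added here as an example (not code from this thread or from CSF): it parses the key=value fields CSF's iptables LOG rules write to /var/log/messages, keeps only the outbound (*_OUT) blocks, and groups them by destination, port and socket owner UID, so the process behind the traffic can be identified (e.g. with `lsof -i` on that UID) before any port is added to TCP_OUT/UDP_OUT. The sample lines are constructed with documentation addresses.

```python
import re
from collections import Counter

# Constructed sample in the format CSF writes to /var/log/messages (addresses are RFC 5737 examples).
SAMPLE_LOG = """\
Oct 10 21:07:06 server01 kernel: Firewall: *TCP_OUT Blocked* IN= OUT=bond0 SRC=192.0.2.2 DST=192.0.2.223 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31611 DF PROTO=TCP SPT=50653 DPT=48002 WINDOW=5840 RES=0x00 SYN URGP=0 UID=0
Oct 10 21:07:09 server01 kernel: Firewall: *TCP_OUT Blocked* IN= OUT=bond0 SRC=192.0.2.2 DST=192.0.2.223 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31612 DF PROTO=TCP SPT=50654 DPT=48002 WINDOW=5840 RES=0x00 SYN URGP=0 UID=0
Oct 11 00:41:12 server01 kernel: Firewall: *UDP_OUT Blocked* IN= OUT=bond0 SRC=192.0.2.2 DST=255.255.255.255 LEN=220 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=52315 DPT=48002 LEN=200 UID=0
Oct 11 00:41:20 server01 kernel: Firewall: *TCP_IN Blocked* IN=bond0 OUT= SRC=198.51.100.7 DST=192.0.2.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 11 00:41:25 server01 kernel: Firewall: *TCP_OUT Blocked* IN= OUT=bond0 SRC=192.0.2.2 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=777 DF PROTO=TCP SPT=40001 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0 UID=48
"""

LINE_RE = re.compile(r"Firewall: \*(?P<chain>\w+) Blocked\* (?P<fields>.*)$")

def parse_line(line):
    """Return the chain name plus the key=value fields of one CSF log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec.setdefault(k, v)   # first LEN= is the IP length; the UDP payload LEN= is ignored
        else:
            rec["flags"].append(tok)  # bare tokens such as DF, SYN, ACK
    return rec

def summarize_outbound(log_text):
    """Count blocked outbound flows by (proto, dst, dport, uid); inbound blocks are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["chain"].endswith("_OUT"):
            counts[(rec["PROTO"], rec["DST"], int(rec["DPT"]), rec.get("UID"))] += 1
    return counts

def triage(counts):
    """One line per flow, most frequent first: the CSF list the port would go in, the owning
    UID to look up with lsof/ss, and whether the target is a broadcast address."""
    rows = []
    for (proto, dst, dport, uid), n in counts.most_common():
        kind = "broadcast" if dst == "255.255.255.255" else "unicast"
        rows.append(f"{n:4d}x {proto}_OUT dst={dst} dport={dport} uid={uid} ({kind})")
    return rows

if __name__ == "__main__":
    print("\n".join(triage(summarize_outbound(SAMPLE_LOG))))
```

Run it against `grep 'Firewall:' /var/log/messages` output; a steady stream to one provider-owned address on one port from a single UID points to one daemon, whereas many UIDs or many destinations deserve a closer look before whitelisting.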
  2. GoWilkes

    GoWilkes Well-Known Member

    Joined:
    Sep 26, 2006
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Quick update, the two IPs do belong to my server provider, so I definitely shouldn't block them. But in that case, I'm clueless on what to do.

    Should I simply add port 48002 to the TCP_OUT list?
     
    #2 GoWilkes, Oct 11, 2013
    Last edited: Oct 11, 2013
  3. simonas

    simonas Well-Known Member

    Joined:
    Apr 21, 2013
    Messages:
    141
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lithuania
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you check CSF's config and look for USE_CONNTRACK?
    It should be 0.

    If you have set it to 1, it may cause problems.
    Due to a buggy version, it will make outgoing calls using random ports, not via the protocol that's being used. (For example, an outgoing PHP call would not be on port 80, but something like 5046464.)

    Let me know if that was the cause.
     
  4. GoWilkes

    GoWilkes Well-Known Member

    Joined:
    Sep 26, 2006
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    No, I have USE_CONNTRACK at 0.

    I added the range of ports 48000:48020 to both TCP_OUT and UDP_OUT, which seems to have solved the problem. This seems like a bad solution, though, and doesn't explain why the problem started with no apparent reason, but for now it has resolved the lag time.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    669
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator