GoWilkes (Well-Known Member, Sep 26, 2006, cPanel Access Level: Root Administrator):
I've been having a problem for a few days with sites on my server having intermittent lag time. After a lot of digging, I've isolated the problem down to CSF v. 6.36 (I disabled it entirely, and no more lag time).

From 10/1/13 until now, only 3 IPs from the United States have been blocked, and they were obviously hack attempts, so I don't think that's the issue. The most suspicious thing is a ton of these in /var/log/messages:

Code:
Oct 10 21:07:06 server01 kernel: Firewall: *TCP_OUT Blocked* IN= OUT=bond0 SRC=x.x.x.2 DST=x.x.x.223 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31611 DF PROTO=TCP SPT=50653 DPT=48002 WINDOW=5840 RES=0x00 SYN URGP=0 UID=0
Oct 11 00:41:12 server01 kernel: Firewall: *UDP_OUT Blocked* IN= OUT=bond0 SRC=x.x.x.2 DST=255.255.255.255 LEN=220 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=52315 DPT=48002 LEN=200 UID=0
I'm seeing 100 lines in 13 minutes at almost 1am, and almost all of them are like these.

There's nothing suspicious in /tmp/, and a Quick Security Scan, ClamAV, and scan with rkhunter found no problems.

What do I do here? Is this an issue of a port being closed that should be open, or a port being open that should be closed? Or should one of those two IPs be denied? Or something else?

GoWilkes:
Quick update, the two IPs do belong to my server provider, so I definitely shouldn't block them. But in that case, I'm clueless on what to do.

Should I simply add port 48002 to the TCP_OUT list?

simonas (Well-Known Member, Apr 21, 2013, Lithuania, cPanel Access Level: Root Administrator):
Hello,

Could you check CSF's config and look for USE_CONNTRACK? It should be 0.

If you have set it to 1, it may cause problems.
Due to a buggy version, it will make outgoing calls using random ports, not via the protocol that's being used (for example, an outgoing PHP call would not be on port 80, but something like 5046464).

Let me know if that was the cause.

GoWilkes:
No, I have USE_CONNTRACK at 0.

I added the range of ports 48000:48020 to both TCP_OUT and UDP_OUT, which seems to have solved the problem. This seems like a bad solution, though, and doesn't explain why the problem started for no apparent reason, but for now it has resolved the lag time.
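The two questions in this thread, what the `*TCP_OUT Blocked*` / `*UDP_OUT Blocked*` lines in /var/log/messages actually say and whether a given port range in TCP_OUT / UDP_OUT would have let that traffic through, can both be answered from the log before touching csf.conf. The script below is an added example and is not part of the thread or of CSF itself. It parses the kernel log format quoted above, counts blocked packets by chain, protocol, destination and port, flags the 255.255.255.255 broadcast destination, and then checks the blocked outbound ports against csf.conf-style port lists (comma-separated ports, with `lo:hi` ranges). The sample log lines are constructed for the example, with the thread's masked addresses replaced by private and documentation ranges.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the /var/log/messages entries quoted
# in the thread (addresses replaced with private/documentation ranges). The last
# line is a non-firewall entry to show that it is ignored.
SAMPLE_LOG = """\
Oct 10 21:07:06 server01 kernel: Firewall: *TCP_OUT Blocked* IN= OUT=bond0 SRC=10.0.0.2 DST=10.0.0.223 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31611 DF PROTO=TCP SPT=50653 DPT=48002 WINDOW=5840 RES=0x00 SYN URGP=0 UID=0
Oct 11 00:41:12 server01 kernel: Firewall: *UDP_OUT Blocked* IN= OUT=bond0 SRC=10.0.0.2 DST=255.255.255.255 LEN=220 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=52315 DPT=48002 LEN=200 UID=0
Oct 11 00:41:13 server01 kernel: Firewall: *TCP_IN Blocked* IN=bond0 OUT= SRC=203.0.113.5 DST=10.0.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 11 00:42:01 server01 kernel: Firewall: *TCP_OUT Blocked* IN= OUT=bond0 SRC=10.0.0.2 DST=10.0.0.223 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31612 DF PROTO=TCP SPT=50654 DPT=48002 WINDOW=5840 RES=0x00 SYN URGP=0 UID=0
Oct 11 00:42:05 server01 sshd[1234]: Accepted publickey for root from 203.0.113.9 port 50000 ssh2
"""

CHAIN_RE = re.compile(r"Firewall: \*(\w+) Blocked\*")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_firewall_line(line):
    """Return a dict for a CSF/iptables 'Firewall: *CHAIN Blocked*' line, else None."""
    m = CHAIN_RE.search(line)
    if m is None:
        return None
    # Flags without '=' (DF, SYN) are skipped; a repeated key such as the second
    # LEN= on UDP lines keeps the last value, which is fine for this summary.
    fields = dict(KV_RE.findall(line[m.end():]))
    return {
        "chain": m.group(1),                          # TCP_OUT, UDP_OUT, TCP_IN, ...
        "iface": fields.get("OUT") or fields.get("IN"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if fields.get("SPT") else None,
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
        # UID= only appears on packets generated locally; UID=0 means a root process.
        "uid": int(fields["UID"]) if fields.get("UID") else None,
        "broadcast": fields.get("DST") == "255.255.255.255",
    }


def parse_records(lines):
    return [r for r in (parse_firewall_line(l) for l in lines) if r is not None]


def summarize_blocked(lines):
    """Count blocked packets by (chain, proto, dst, dpt) so repeating flows stand out."""
    return Counter((r["chain"], r["proto"], r["dst"], r["dpt"]) for r in parse_records(lines))


def parse_port_list(spec):
    """csf.conf style list: '20,21,48000:48020' -> [(20, 20), (21, 21), (48000, 48020)]."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def port_allowed(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)


def outbound_blocked_not_allowed(lines, tcp_out, udp_out):
    """Set of (proto, dpt) blocked in an *_OUT chain and absent from TCP_OUT/UDP_OUT."""
    allowed = {"TCP": parse_port_list(tcp_out), "UDP": parse_port_list(udp_out)}
    missing = set()
    for r in parse_records(lines):
        if not r["chain"].endswith("_OUT") or r["dpt"] is None:
            continue
        if not port_allowed(r["dpt"], allowed.get(r["proto"], [])):
            missing.add((r["proto"], r["dpt"]))
    return missing


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, n in summarize_blocked(lines).most_common():
        print(n, key)
    print("outbound ports blocked but not in the OUT lists:",
          outbound_blocked_not_allowed(lines, "20,21,22,25,53,80,443", "20,21,53,113,123"))
```

Run against the real file with `summarize_blocked(open("/var/log/messages"))`; the counts make it obvious whether one (protocol, destination, port) tuple dominates, as in the thread, and the `uid` field tells you the packets come from a root-owned process rather than a customer account. Checking the proposed TCP_OUT / UDP_OUT values with `outbound_blocked_not_allowed` before editing csf.conf confirms that the range actually covers the blocked port and nothing broader than intended.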