I've been having a problem for a few days with sites on my server having intermittent lag time. After a lot of digging, I've isolated the problem down to CSF v. 6.36 (I disabled it entirely, and no more lag time).
From 10/1/13 until now, only 3 IPs from the United States have been blocked, and they were obviously hack attempts, so I don't think that's the issue. The most suspicious thing is a ton of these in /var/log/messages:
Code:
Oct 10 21:07:06 server01 kernel: Firewall: *TCP_OUT Blocked* IN= OUT=bond0 SRC=x.x.x.2 DST=x.x.x.223 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31611 DF PROTO=TCP SPT=50653 DPT=48002 WINDOW=5840 RES=0x00 SYN URGP=0 UID=0
Code:
Oct 11 00:41:12 server01 kernel: Firewall: *UDP_OUT Blocked* IN= OUT=bond0 SRC=x.x.x.2 DST=255.255.255.255 LEN=220 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=52315 DPT=48002 LEN=200 UID=0
I'm seeing 100 lines in 13 minutes at almost 1am, and almost all of them are like these.
There's nothing suspicious in /tmp/, and a Quick Security Scan, ClamAV, and scan with rkhunter found no problems.
What do I do here? Is this an issue of a port being closed that should be open, or a port being open that should be closed? Or should one of those two IPs be denied? Or something else?
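As an added triage helper (not part of the post above and not CSF's own code), the following Python script parses kernel log entries of the exact shape shown in the post, groups them by rule, protocol, destination and destination port, and annotates each group with the things worth noticing before deciding what to allow or deny: whether the destination is the limited broadcast address, whether it sits on the same /24 as the source, and whether the originating socket belongs to root (UID=0). The sample log is constructed; the redacted x.x.x addresses are replaced with RFC 5737 documentation addresses (192.0.2.0/24), and a non-matching sshd line is included to show that unrelated entries are skipped.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Shape of the kernel LOG-target lines shown in the post: CSF's "Firewall: *<RULE> Blocked*"
# prefix followed by space-separated KEY=VALUE fields and bare flags such as DF or SYN.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Firewall: \*(?P<rule>[A-Z_]+) Blocked\* (?P<fields>.*)$"
)

# Constructed sample: the two entry types from the post (with 192.0.2.x standing in for the
# redacted x.x.x addresses), a repeat of the TCP entry, and one unrelated sshd line.
SAMPLE_LOG = """\
Oct 10 21:07:06 server01 kernel: Firewall: *TCP_OUT Blocked* IN= OUT=bond0 SRC=192.0.2.2 DST=192.0.2.223 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31611 DF PROTO=TCP SPT=50653 DPT=48002 WINDOW=5840 RES=0x00 SYN URGP=0 UID=0
Oct 10 21:07:09 server01 kernel: Firewall: *TCP_OUT Blocked* IN= OUT=bond0 SRC=192.0.2.2 DST=192.0.2.223 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31612 DF PROTO=TCP SPT=50653 DPT=48002 WINDOW=5840 RES=0x00 SYN URGP=0 UID=0
Oct 11 00:41:12 server01 kernel: Firewall: *UDP_OUT Blocked* IN= OUT=bond0 SRC=192.0.2.2 DST=255.255.255.255 LEN=220 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=52315 DPT=48002 LEN=200 UID=0
Oct 11 00:41:13 server01 sshd[1234]: Accepted publickey for admin from 198.51.100.7 port 4000 ssh2
"""


def parse_line(line):
    """Return a dict of the entry's fields, or None if the line is not a CSF block entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "rule": m.group("rule"), "flags": []}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            # UDP lines carry LEN= twice (IP total length, then UDP length); keep the first.
            rec.setdefault(key, value)
        else:
            rec["flags"].append(token)  # DF, SYN, ACK, ...
    return rec


def same_subnet(src, dst, prefix=24):
    """True if src and dst share the prefix; False if either address does not parse."""
    try:
        return ipaddress.ip_address(dst) in ipaddress.ip_network(f"{src}/{prefix}", strict=False)
    except ValueError:
        return False


def summarize(lines):
    """Group blocked entries by (rule, proto, dst, dport) and annotate each group for triage."""
    counts = Counter()
    uids = defaultdict(set)
    srcs = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["rule"], rec.get("PROTO"), rec.get("DST"), rec.get("DPT"))
        counts[key] += 1
        uids[key].add(rec.get("UID"))
        srcs.setdefault(key, rec.get("SRC"))
    report = []
    for key, n in counts.most_common():
        rule, proto, dst, dport = key
        notes = []
        if dst == "255.255.255.255":
            notes.append("limited broadcast: a local process announcing or searching on the LAN")
        elif same_subnet(srcs[key], dst):
            notes.append("destination is on the same /24 as the source: likely an internal host")
        if "0" in uids[key]:
            notes.append("socket owned by root (UID=0)")
        report.append({"rule": rule, "proto": proto, "dst": dst, "dport": dport,
                       "count": n, "uids": sorted(uids[key], key=str), "notes": notes})
    return report


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG.splitlines()):
        print(f"{row['count']:4d}  {row['rule']:<8} {row['proto']} -> {row['dst']}:{row['dport']}  "
              f"UIDs={row['uids']}  {'; '.join(row['notes'])}")
```

Run it against /var/log/messages instead of SAMPLE_LOG to get the same grouping for real entries. The "*TCP_OUT Blocked*" and "*UDP_OUT Blocked*" prefixes are CSF logging an outgoing packet to a port that is not in its TCP_OUT or UDP_OUT allow list in csf.conf, and UID=0 means the sending socket belongs to a root-owned process on the server itself, so the next step is to identify that process (for example with `ss -tunp` or `lsof -i :48002` while the entries are being generated) before either adding the port to the outbound allow list or stopping whatever is generating the traffic.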