How do I trace and resolve TCP_OUT Blocked messages?

Discussion in 'General Discussion' started by DigitalEssence, Jun 11, 2019.

  1. DigitalEssence

    DigitalEssence Well-Known Member

    Hi,

    I'm seeing a lot of TCP_OUT Blocked messages in /var/log/messages to one IP address and want to trace and resolve if possible but I am struggling to find how to do this despite searching on this forum and in Google.

    The message I am seeing is:

    Jun 11 13:08:10 squirrel kernel: [59327.411526] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MY.SERVER.IP.ADDRESS DST=AN.EXTERNAL.IP.ADDRESS LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1837 DF PROTO=TCP SPT=52852 DPT=4506 WINDOW=14600 RES=0x00 SYN URGP=0 UID=0 GID=0
     
  2. keat63

    keat63 Well-Known Member

  3. DigitalEssence

    DigitalEssence Well-Known Member

    Thanks,

    That's given me a web address but I'm not sure how I proceed to find out what is trying to connect to it.
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    You could use netstat while it's occurring to see if you can see which service is connecting:

    For example, if I wanted to see what was connected to port 587, I'd run:

    Code:
    [[email protected] etc]# netstat -plan |grep 587
    tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      11429/exim
    tcp6       0      0 :::587                  :::*                    LISTEN      11429/exim
     
  5. DigitalEssence

    DigitalEssence Well-Known Member

    Thanks Lauren.

    I ran

    Code:
    netstat -plan | grep 178.79.140.52

    And that gives me:


    Code:
    tcp        0      1 MY.SERVER.IP.ADDRESS:47600         178.79.140.52:4506          SYN_SENT    7800/python2.7
     
  6. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hi @DigitalEssence

    So that tells us that python is the service and the PID is 7800 (or was at the time).

    You'd have to look further into the PID if you're not sure what's using python:

    lsof will give you files opened by the process:

    Code:
    lsof -p PID

    ps will get you a snapshot of the process:

    Code:
    ps faux |grep PID
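
The triage steps from this thread as one script, added here as an example and not taken from any of the posts: it tallies `*TCP_OUT Blocked*` lines by destination, port and UID, then looks up the owning PID in `netstat -plan` output by exact remote address and port. Function names are hypothetical, the sample log and netstat lines are constructed with documentation-range addresses, and it assumes `UID=` is the user that owns the sending socket.

```sh
#!/bin/sh
# Added example. All addresses are constructed (documentation ranges); port 4506
# and the log layout follow the line quoted in the thread.
sample_log() {
cat <<'EOF'
Jun 11 13:08:10 host kernel: [59327.411526] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1837 DF PROTO=TCP SPT=52852 DPT=4506 WINDOW=14600 RES=0x00 SYN URGP=0 UID=0 GID=0
Jun 11 13:08:40 host kernel: [59357.501200] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1901 DF PROTO=TCP SPT=52860 DPT=4506 WINDOW=14600 RES=0x00 SYN URGP=0 UID=0 GID=0
Jun 11 13:09:02 host kernel: [59379.120045] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2211 DF PROTO=TCP SPT=40112 DPT=25 WINDOW=14600 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Jun 11 13:09:05 host kernel: [59382.000001] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=41000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
EOF
}
# Constructed netstat rows; the third has "4506" inside its local port and PID,
# so a plain substring grep for the port would also return it.
sample_netstat() {
cat <<'EOF'
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      11429/exim
tcp        0      1 192.0.2.10:47600        198.51.100.7:4506       SYN_SENT    7800/python2.7
tcp        0      0 192.0.2.10:45060        203.0.113.9:443         ESTABLISHED 45060/curl
EOF
}
# stdin: syslog lines. stdout: "count DST DPT UID", most frequent first.
summarize_blocked() {
    awk '/\*TCP_OUT Blocked\*/ {
        dst = dpt = uid = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i ~ /^UID=/) uid = substr($i, 5)
        }
        n[dst " " dpt " " uid]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}
# stdin: `netstat -plan` output. args: remote IP, remote port.
# stdout: "PID program" for TCP rows whose foreign address matches exactly.
owner_of_remote() {
    awk -v want="$1:$2" '$1 ~ /^tcp/ && $5 == want {
        split($7, a, "/"); print a[1], a[2]
    }' | sort -u
}
sample_log | summarize_blocked
sample_netstat | owner_of_remote 198.51.100.7 4506
```

On a live server the same functions take `/var/log/messages` and the output of `netstat -plan` (run as root so the PID column is populated) in place of the sample functions.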
     