LogWatch : kernel error question

morrow95

Well-Known Member
Oct 8, 2006
Well, just got my latest logwatch email and found the following :

--------------------- Kernel Begin ------------------------

WARNING: Kernel Errors Present
xxx.xxx.xxx.xxx sent an invalid ICMP type 11, code 1 error to a broadcast: ...: 1Time(s)

---------------------- Kernel End -------------------------


Aside from the normal incorrect SSH attempts to login I have never seen something mentioned for the kernel before. Can anyone explain what exactly this error shows and should I be concerned?
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
Minneapolis, MN
morrow95 said:
xxx.xxx.xxx.xxx sent an invalid ICMP type 11, code 1 error to a broadcast: ...: 1Time(s)
This message means that somebody is pinging your server by crafting these ICMP 11 packets. Not to worry much about these messages, and just in case, you can install APF/BFD to stop further attacks on your server.
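For anyone who wants to triage this warning rather than just read it: the kernel logs "sent an invalid ICMP type N, code M error to a broadcast" when an ICMP error message arrives addressed to a broadcast address, which RFC 1122 forbids, and type 11, code 1 is Time Exceeded with code "fragment reassembly time exceeded". The script below is an added example, not from this thread, LogWatch or CSF; it parses constructed sample lines in the kernel's format, names the type/code, and tallies hits per source so a repeat sender stands out. The sample addresses and the flag threshold are assumptions.

```python
import re
from collections import Counter

# The kernel logs this warning when an ICMP error message arrives addressed to
# a broadcast/multicast address (RFC 1122 forbids sending errors that way).
ICMP_BCAST_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) sent an invalid ICMP type (?P<type>\d+), "
    r"code (?P<code>\d+) error to a broadcast: (?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
)
# Readable names for a few ICMP error type/code pairs (RFC 792 values).
ICMP_NAMES = {
    (3, 3): "Destination Unreachable / port unreachable",
    (11, 0): "Time Exceeded / TTL exceeded in transit",
    (11, 1): "Time Exceeded / fragment reassembly time exceeded",
}

def parse_line(line):
    """Return (src, type, code, dst) for a matching kernel line, else None."""
    m = ICMP_BCAST_RE.search(line)
    return (m["src"], int(m["type"]), int(m["code"]), m["dst"]) if m else None

def describe(icmp_type, code):
    return ICMP_NAMES.get((icmp_type, code), f"ICMP type {icmp_type}, code {code}")

def summarise(lines, threshold=3):
    """Tally hits per source IP, remember what each source sent, flag repeat sources."""
    counts, kinds = Counter(), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            src, icmp_type, code, _ = parsed
            counts[src] += 1
            kinds.setdefault(src, set()).add(describe(icmp_type, code))
    flagged = sorted(ip for ip, n in counts.items() if n >= threshold)
    return counts, kinds, flagged

# Constructed sample lines in the kernel's format; addresses are RFC 5737
# documentation ranges, not real hosts (assumed values for the demo).
SAMPLE_LOG = [
    "Jan  1 03:14:15 host kernel: 192.0.2.10 sent an invalid ICMP type 11, code 1 error to a broadcast: 203.0.113.255 on eth0",
    "Jan  1 03:14:16 host kernel: 192.0.2.10 sent an invalid ICMP type 11, code 1 error to a broadcast: 203.0.113.255 on eth0",
    "Jan  1 03:14:17 host kernel: 192.0.2.10 sent an invalid ICMP type 3, code 3 error to a broadcast: 203.0.113.255 on eth0",
    "Jan  1 03:20:00 host kernel: 198.51.100.7 sent an invalid ICMP type 11, code 0 error to a broadcast: 203.0.113.255 on eth0",
    "Jan  1 03:21:00 host sshd[123]: Invalid user admin from 198.51.100.9",
]

if __name__ == "__main__":
    counts, kinds, flagged = summarise(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} hit(s): {sorted(kinds[ip])}")
    print("flagged (>= 3 hits):", flagged)
```

Feed it the raw kernel lines from /var/log/messages rather than the LogWatch summary, since LogWatch already collapses the per-line detail into the "1 Time(s)" count.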
 

morrow95

Well-Known Member
Oct 8, 2006
Thanks Andy for the quick response. I just changed to a new server and all the 'support' of the server is on my hands unlike before, so it's a good learning process for me right now.

As far as the brute force attempts, I removed shell access to all users except root and enabled ssh keys required for login. This has dramatically cut down on bf attempts; however, I see people are still trying to connect, just now it only shows the name because they do not have the chance to enter a password.

I have looked into BFD, but at least to me it sounds that down the road (as more IPs were banned) you might start banning legitimate people from accessing your websites. Is this correct thinking?
 

verdon

Well-Known Member
Nov 1, 2003
Northern Ontario, Canada
cPanel Access Level
Root Administrator
No, BFD purges itself occasionally.

As an alternate to APF/BFD, you might want to look at CSF. Config Server Firewall is a nice package put together by chirpy from these forums and configserver.com. I used APF/BFD for quite a while but have now been using CSF since it was first in beta.
 

morrow95

Well-Known Member
Oct 8, 2006
Just installed CSF after reading it is pretty popular with everyone. Ran through the security check and have a 59/64 with basically the only things I'm warned about dealing with php (not really important for me since I am the ONLY person with accounts on this dedicated).

Really easy to setup. I also changed the default ssh port and removed ssh1 and only use 2 now.

Are there any other little tips you would recommend I set up in CSF settings? So far, the only thing I might change down the road is the email alerts every time a failed login occurs, BUT since I changed the port that might not happen as much anymore.

Question for you though, say someone DOES find what port I changed SSH to and tries to brute in again... wouldn't this trip my sent out email flood interval for the hour?