
LogWatch : kernel error question

Discussion in 'General Discussion' started by morrow95, Oct 8, 2006.

  1. morrow95

    morrow95, Well-Known Member (Joined: Oct 8, 2006; Messages: 83; Likes Received: 0; Trophy Points: 6)
    Well, just got my latest logwatch email and found the following:

    --------------------- Kernel Begin ------------------------

    WARNING: Kernel Errors Present
    xxx.xxx.xxx.xxx sent an invalid ICMP type 11, code 1 error to a broadcast: ...: 1Time(s)

    ---------------------- Kernel End -------------------------


    Aside from the normal incorrect SSH attempts to log in, I have never seen something mentioned for the kernel before. Can anyone explain what exactly this error shows and should I be concerned?
     
  2. AndyReed

    AndyReed, Well-Known Member, PartnerNOC (Joined: May 29, 2004; Messages: 2,222; Likes Received: 3; Trophy Points: 38; Location: Minneapolis, MN)
    This message means that somebody is pinging your server by crafting these ICMP 11 packets. Not to worry much about these messages, and just in case, you can install APF/BFD to stop further attacks on your server.
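
An added example, not part of any poster's reply and not cPanel or Logwatch code: a small Python parser that pulls these kernel warnings out of syslog, decodes the ICMP type and code per RFC 792, and counts them per source. The syslog lines, host name and addresses are constructed; the message text is matched as it appears in the Logwatch excerpt in the first post.

```python
import re
from collections import Counter

# ICMP error types and codes from RFC 792 (subset used for decoding).
ICMP_ERRORS = {
    3: ("Destination Unreachable", {0: "net unreachable", 1: "host unreachable",
                                    2: "protocol unreachable", 3: "port unreachable"}),
    4: ("Source Quench", {0: "source quench"}),
    5: ("Redirect", {0: "redirect for network", 1: "redirect for host"}),
    11: ("Time Exceeded", {0: "TTL exceeded in transit",
                           1: "fragment reassembly time exceeded"}),
    12: ("Parameter Problem", {0: "pointer indicates the error"}),
}

# Matches the message text quoted in the Logwatch report.
BOGUS_ICMP = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) sent an invalid ICMP type (?P<type>\d+), "
    r"code (?P<code>\d+) error to a broadcast: (?P<dst>\S+)"
)

def describe(icmp_type, code):
    """Return a readable name for an ICMP error type/code pair."""
    name, codes = ICMP_ERRORS.get(icmp_type, ("type %d" % icmp_type, {}))
    return "%s (%s)" % (name, codes.get(code, "code %d" % code))

def summarize(lines):
    """Count bogus-ICMP kernel warnings per (source, decoded meaning, destination)."""
    counts = Counter()
    for line in lines:
        m = BOGUS_ICMP.search(line)
        if m:  # unrelated syslog lines (sshd, etc.) are skipped
            meaning = describe(int(m.group("type")), int(m.group("code")))
            counts[(m.group("src"), meaning, m.group("dst").rstrip(":"))] += 1
    return counts

# Constructed sample syslog lines (documentation addresses, hypothetical host name).
SAMPLE = [
    "Oct  8 04:02:11 host1 kernel: 192.0.2.10 sent an invalid ICMP type 11, code 1 error to a broadcast: 192.0.2.255 on eth0",
    "Oct  8 04:02:15 host1 sshd[2211]: Failed password for root from 198.51.100.7 port 4022 ssh2",
    "Oct  8 04:09:40 host1 kernel: 192.0.2.10 sent an invalid ICMP type 11, code 1 error to a broadcast: 192.0.2.255 on eth0",
    "Oct  8 05:30:02 host1 kernel: 198.51.100.7 sent an invalid ICMP type 3, code 3 error to a broadcast: 192.0.2.255 on eth0",
]

if __name__ == "__main__":
    for (src, meaning, dst), n in summarize(SAMPLE).most_common():
        print("%dx %s -> %s: %s" % (n, src, dst, meaning))
```

On Linux, the sysctl `net.ipv4.icmp_ignore_bogus_error_responses` controls whether the kernel logs these warnings at all.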
     
  3. morrow95

    Thanks Andy for the quick response. I just changed to a new server and all the 'support' of the server is on my hands unlike before so it's a good learning process for me right now.

    As far as the brute force attempts I removed shell access to all users except root and enabled ssh keys required for login. This has dramatically cut down on bf attempts, however, I see people are still trying to connect just now it only shows the name because they do not have the chance to enter a password.

    I have looked into BFD, but at least to me it sounds that down the road (as more IPs were banned) you might start banning legitimate people from accessing your websites. Is this correct thinking?
     
  4. verdon

    verdon, Well-Known Member (Joined: Nov 1, 2003; Messages: 836; Likes Received: 2; Trophy Points: 18; Location: Northern Ontario, Canada; cPanel Access Level: Root Administrator)
    No, BFD purges itself occasionally.

    As an alternate to APF/BFD, you might want to look at CSF. Config Server Firewall is a nice package put together by chirpy from these forums and configserver.com. I used APF/BFD for quite a while but have now been using CSF since it was first in beta.
     
  5. morrow95

    Just installed CSF after reading it is pretty popular with everyone. Ran through the security check and have a 59/64 with basically the only things I'm warned about dealing with php (not really important for me since I am the ONLY person with accounts on this dedicated).

    Really easy to set up. I also changed the default ssh port and removed ssh1 and only use 2 now.

    Are there any other little tips you would recommend I set up in CSF settings? So far, the only thing I might change down the road is the email alerts every time a failed login occurs, BUT since I changed the port that might not happen as much anymore.

    Question for you though, say someone DOES find what port I changed SSH to and tries to brute in again... wouldn't this trip my sent out email flood interval for the hour?
     
  6. verdon
