keat63

Well-Known Member
Nov 20, 2014
1,854
226
93
cPanel Access Level
Root Administrator
I've come in to work this morning to absolutely hundreds of these.

Mar 9 09:27:28 xxxxxx kernel: [4030020.000033] Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=xxx.xxx.xxx.xx DST=54.77.18.96 LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=1919 PROTO=UDP SPT=40446 DPT=53 LEN=68 UID=25 GID=25
Mar 9 09:27:28 xxxxxx kernel: [4030020.000161] Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=xxx.xxx.xxx.xx DST=54.77.36.154 LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=16401 PROTO=UDP SPT=48644 DPT=53 LEN=68 UID=25 GID=25

From what I can gather unopened source ports on my server have been trying to connect to port 53 on servers elsewhere.
But why ??

Incidentally, 99% of them seem to be going to 54.x.x.x
IP Lookup would indicate Amazonaws
 
Last edited:

keat63

Well-Known Member
Nov 20, 2014
1,854
226
93
cPanel Access Level
Root Administrator
I don't profess to understand any of this stuff, but I ran
netstat -ntu | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

It showed by 3 results, one of which had 11 connections.
I did a quick whois on the IP and it resulted back to CN, so I put a temporary block on CN in CSF.

It's too early to say if this was the cause, but i was seeing these every 5 minutes, Its now been about 30 minutes since, and still watching to see if another one hits.
 

keat63

Well-Known Member
Nov 20, 2014
1,854
226
93
cPanel Access Level
Root Administrator
Thinking it might be some sort of DNS sppof I checked recursive DNS, but this is reporting as OK.

Good. Your nameservers (the ones reported by the parent server) do not report that they allow recursive queries for anyone.

I'm stumped.
 

keat63

Well-Known Member
Nov 20, 2014
1,854
226
93
cPanel Access Level
Root Administrator
After spending countless hours, trying many ssh commands from untold forums etc, I think I may have found this.
It seems that we have a CSF entry 54.77.0.0/16 in a vain attempt to blockout some of these AmazonAWS things we keep seeing.
I'm assuming that 54.77.x.x must also contain a number of DNS servers, and it's these servers that my DNS is unable to talk to because of the firewall rule.

It makes sense I guess, so I removed the rule and will monitor for a few hours.