p0f Too many host entries, deleting

CreateChange

Member
Apr 30, 2019
10
1
3
Denver, CO
cPanel Access Level
Root Administrator
Is the following output in our /var/log/messages log of any concern?

Code:
2019 Aug 16 22:41:27 (cpanel-6) ->/var/log/messages Aug 16 17:41:25 cpanel-6 p0f: [!] WARNING: Too many host entries, deleting 1001. Use -m to adjust.
2019 Aug 16 22:41:27 (cpanel-6) ->/var/log/messages Aug 16 17:41:26 cpanel-6 p0f: [!] WARNING: Too many host entries, deleting 1001. Use -m to adjust.
2019 Aug 16 22:41:27 (cpanel-6) ->/var/log/messages Aug 16 17:41:27 cpanel-6 p0f: [!] WARNING: Too many host entries, deleting 1001. Use -m to adjust.
2019 Aug 16 22:41:29 (cpanel-6) ->/var/log/messages Aug 16 17:41:27 cpanel-6 p0f: [!] WARNING: Too many host entries, deleting 1001. Use -m to adjust.
2019 Aug 16 22:41:29 (cpanel-6) ->/var/log/messages Aug 16 17:41:28 cpanel-6 p0f: [!] WARNING: Too many host entries, deleting 1001. Use -m to adjust.
2019 Aug 16 22:41:29 (cpanel-6) ->/var/log/messages Aug 16 17:41:29 cpanel-6 p0f: [!] WARNING: Too many host entries, deleting 1001. Use -m to adjust.
2019 Aug 16 22:41:31 (cpanel-6) ->/var/log/messages Aug 16 17:41:29 cpanel-6 p0f: [!] WARNING: Too many host entries, deleting 1001. Use -m to adjust.
2019 Aug 16 22:41:31 (cpanel-6) ->/var/log/messages Aug 16 17:41:30 cpanel-6 p0f: [!] WARNING: Too many host entries, deleting 1001. Use -m to adjust.
2019 Aug 16 22:41:31 (cpanel-6) ->/var/log/messages Aug 16 17:41:31 cpanel-6 p0f: [!] WARNING: Too many host entries, deleting 1001. Use -m to adjust.
2019 Aug 16 22:41:33 (cpanel-6) ->/var/log/messages Aug 16 17:41:31 cpanel-6 p0f: [!] WARNING: Too many host entries, deleting 1001. Use -m to adjust.
I came across this thread: https://forums.cpanel.net/threads/too-many-tracked-connections-p0f-warnings-messages.538791/ that says that basically it will just autoprune old data and move on. However, I'm curious if there is anything to be concerned about, in regards to there being apparently a ton of hostname data being collected in a very short span of time.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,304
363
Houston
This message indicates that p0f is reaching its cap of how many hosts/connections it is tracking. Once the limit is reached, the oldest 10% entries gets pruned to make room for new data. This setting helps to control the memory footprint of p0f. I don't believe these messages are necessarily a cause for concern, but they could indicate this server is receiving an increased amount of traffic.

There is also typically no need to bump threads, we look at every open thread in the order it's received. If you need immediate assistance, I'd suggest opening a ticket where there is dedicated staff available 24/7 to assist.