/proc/net/nf_conntrack more than 60K lines

Discussion in 'Security' started by postcd, Dec 3, 2015.

  1. postcd

    postcd Well-Known Member

    Hello,

    My cPanel server is on an OpenVZ VPS and I do:

    wc -l /proc/net/nf_conntrack
    sysctl net.netfilter.nf_conntrack_count && sysctl net.nf_conntrack_max
    tail & head on /proc/net/nf_conntrack

    This shows connections like this one (ESTABLISHED, ASSURED).

    Apache shows that many different IPs (800+) are trying to connect to one web directory (which is empty); the connection rate can be about 5 IPs per second.

    cat /etc/sysctl.conf | grep =

    I tried to add these lines to the above file, but the conntrack table does not decrease:

    net.netfilter.nf_conntrack_tcp_timeout_established = 600
    net.netfilter.nf_conntrack_generic_timeout = 120

    Then I tried:

    # sysctl -p
    # sysctl -a | grep conn | grep time

    I want to ask for kind advice: how can I secure the server to prevent such a high number of lines in the connection tracking table? And if I can temporarily clean that table, how?

    Thank you
     
    #1 postcd, Dec 3, 2015
    Last edited: Dec 3, 2015
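As an added example (not postcd's own commands or any cPanel code): a small Python parser for the /proc/net/nf_conntrack format that tallies entries by TCP state and source address, and maps the dominant entry kind to the conntrack timeout sysctl that governs it, which is the triage a defender does before changing timeouts. The dump lines are constructed, and the conntrack_max value of 65536 is an assumption.

```python
import re
from collections import Counter

# Constructed sample in /proc/net/nf_conntrack format (not from the thread).
SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.10 dst=198.51.100.5 sport=51120 dport=80 src=198.51.100.5 dst=203.0.113.10 sport=80 dport=51120 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.10 dst=198.51.100.5 sport=51121 dport=80 src=198.51.100.5 dst=203.0.113.10 sport=80 dport=51121 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 119 TIME_WAIT src=203.0.113.77 dst=198.51.100.5 sport=40001 dport=80 src=198.51.100.5 dst=203.0.113.77 sport=80 dport=40001 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 29 SYN_SENT src=203.0.113.10 dst=198.51.100.5 sport=51122 dport=443 [UNREPLIED] src=198.51.100.5 dst=203.0.113.10 sport=443 dport=51122 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.0.2.9 dst=198.51.100.5 sport=53000 dport=53 src=198.51.100.5 dst=192.0.2.9 sport=53 dport=53000 mark=0 zone=0 use=2
"""

KV = re.compile(r"(\w+)=(\S+)")
# Which sysctl governs the timeout of each entry kind (TCP state or L4 protocol).
TIMEOUT_SYSCTL = {
    "ESTABLISHED": "net.netfilter.nf_conntrack_tcp_timeout_established",
    "TIME_WAIT": "net.netfilter.nf_conntrack_tcp_timeout_time_wait",
    "SYN_SENT": "net.netfilter.nf_conntrack_tcp_timeout_syn_sent",
    "udp": "net.netfilter.nf_conntrack_udp_timeout",
}

def parse_entry(line):
    """Parse one nf_conntrack line into its original-direction tuple and state."""
    fields = line.split()
    first = fields[5]
    # TCP lines carry a state token before the first key=value pair; UDP lines do not.
    state = first if "=" not in first and not first.startswith("[") else fields[2]
    seen = {}
    for key, value in KV.findall(line):
        seen.setdefault(key, value)  # first src/dst/dport = original direction
    return {"state": state, "timeout": int(fields[4]), "src": seen["src"],
            "dport": int(seen["dport"]), "assured": "[ASSURED]" in fields}

def summarise(dump, conntrack_max):
    """Report table usage and what dominates it, the way a defender would triage it."""
    entries = [parse_entry(l) for l in dump.splitlines() if l.strip()]
    by_state = Counter(e["state"] for e in entries)
    dominant = by_state.most_common(1)[0][0]
    return {
        "count": len(entries),
        "usage_pct": round(100.0 * len(entries) / conntrack_max, 2),
        "by_state": dict(by_state),
        "top_src": Counter(e["src"] for e in entries).most_common(3),
        "top_dport": Counter(e["dport"] for e in entries).most_common(3),
        "tune_first": TIMEOUT_SYSCTL.get(dominant),
    }

if __name__ == "__main__":
    print(summarise(SAMPLE, 65536))  # assumed conntrack_max of 65536
```

On a live host, replace SAMPLE with the contents of /proc/net/nf_conntrack and conntrack_max with the value of net.nf_conntrack_max; a single source address dominating top_src is the pattern to look for first.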
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    You may want to consult with your VPS hosting provider so they can verify the values you are modifying are suitable for the OpenVZ environment your VPS is hosted on.

    Thank you.
     
  3. postcd

    postcd Well-Known Member
