Question about UDP Block of port 67

Volox

Active Member
Jun 11, 2017
San Diego
cPanel Access Level
Root Administrator
I'm using cPanel 106.0.11 along with csf 14.17
I'm seeing a fair number of blocks occurring on UDP port 67 at a fairly steady pace.

Is there something in cPanel that is trying to connect out on this port such that I ought to enable it in csf?
Or is this indicative of a compromise and I need to dig for where I'm compromised?

Here are the log entries, redacted. Where I say "[base address of network block]" as the destination, it's the x.x.x.1 address of the subnet my machine is attached to.

[ 2875.905731] Firewall: *UDP_OUT Blocked* IN= OUT=ens6 SRC=[my machine's interface IP] DST=[base address of network block] LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=7972 DF PROTO=UDP SPT=68 DPT=67 LEN=308 UID=0 GID=0
[ 2880.997335] Firewall: *UDP_OUT Blocked* IN= OUT=ens7 SRC=[my machine's interface IP] DST=[base address of network block] LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=8890 DF PROTO=UDP SPT=68 DPT=67 LEN=308 UID=0 GID=0
[ 2885.237968] Firewall: *UDP_OUT Blocked* IN= OUT=ens5 SRC=[my machine's interface IP] DST=[base address of network block] LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=52627 DF PROTO=UDP SPT=68 DPT=67 LEN=308 UID=0 GID=0
[ 2890.754769] Firewall: *UDP_OUT Blocked* IN= OUT=ens6 SRC=[my machine's interface IP] DST=[base address of network block] LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=16156 DF PROTO=UDP SPT=68 DPT=67 LEN=308 UID=0 GID=0
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
While there may not be one perfect tool for this situation, a combination of lsof to see what files are open and netstat to see where the traffic is originating from should help you narrow it down a bit.

Check UDP connections:

Code:
lsof -i udp
and hopefully that shows something if the process is actively running. tcpdump could also be a good resource to catch traffic in real time.
 

Volox

Active Member
Jun 11, 2017
San Diego
cPanel Access Level
Root Administrator
This looks like it's coming from dhclient. Kind of surprised I'm the first one asking about this if that's the case.

My understanding (which could be wrong) is that for proper configuration on AWS EC2, the interfaces had to be left to DHCP, which would mean dhclient would need to be running. Is there another way to do this that removes that requirement? Or do others who run on AWS just add 67 to the allow list in csf?
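The entries in the first post carry the whole signature of what the last post concludes: an outbound UDP datagram from source port 68 (bootpc) to destination port 67 (bootps), sent as UID 0, is exactly what a DHCP client such as dhclient emits when it requests or renews a lease. The following script is an added example, not code from the thread or from cPanel/csf, that parses csf's kernel "Firewall:" log lines, labels the 68-to-67/root pattern as DHCP client traffic, counts it per interface (each EC2 ENI gets its own dhclient), and separates out any other port 67 traffic that does not fit that pattern and therefore deserves the lsof/tcpdump treatment cPRex described. The log lines and addresses inside it are constructed placeholders modelled on the post, not real hosts.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the thread's csf/iptables "Firewall:" entries.
# Addresses are placeholders. The last line is a deliberately odd one (non-root,
# random source port, off-subnet destination) to show what is NOT dhclient.
SAMPLE_LOG = """\
[ 2875.905731] Firewall: *UDP_OUT Blocked* IN= OUT=ens6 SRC=10.0.1.23 DST=10.0.1.1 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=7972 DF PROTO=UDP SPT=68 DPT=67 LEN=308 UID=0 GID=0
[ 2880.997335] Firewall: *UDP_OUT Blocked* IN= OUT=ens7 SRC=10.0.1.23 DST=10.0.1.1 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=8890 DF PROTO=UDP SPT=68 DPT=67 LEN=308 UID=0 GID=0
[ 2885.237968] Firewall: *UDP_OUT Blocked* IN= OUT=ens5 SRC=10.0.1.23 DST=10.0.1.1 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=52627 DF PROTO=UDP SPT=68 DPT=67 LEN=308 UID=0 GID=0
[ 2890.754769] Firewall: *UDP_OUT Blocked* IN= OUT=ens6 SRC=10.0.1.23 DST=10.0.1.1 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=16156 DF PROTO=UDP SPT=68 DPT=67 LEN=308 UID=0 GID=0
[ 2895.101000] Firewall: *UDP_OUT Blocked* IN= OUT=ens6 SRC=10.0.1.23 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=777 DF PROTO=UDP SPT=41234 DPT=67 LEN=40 UID=1001 GID=1001
"""

# KEY=VALUE tokens; VALUE may be empty (e.g. "IN=" on an outbound packet).
FIELD_RE = re.compile(r"(\w+)=(\S*)")
# The chain name csf logged, e.g. "*UDP_OUT Blocked*".
CHAIN_RE = re.compile(r"\*(\w+) Blocked\*")


def parse_line(line):
    """Return a dict of the line's KEY=VALUE fields plus 'chain', or None for non-Firewall lines.

    The line carries LEN= twice (IP total length, then UDP length); the UDP one wins
    in the dict, which is the one that matters for the DHCP size check below.
    """
    if "Firewall:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    m = CHAIN_RE.search(line)
    fields["chain"] = m.group(1) if m else ""
    return fields


def classify(f):
    """Label one outbound UDP block: 'dhcp-client', 'port67-unusual' or 'other'."""
    if f.get("chain") != "UDP_OUT" or f.get("PROTO") != "UDP":
        return "other"
    spt, dpt, uid = f.get("SPT"), f.get("DPT"), f.get("UID")
    if spt == "68" and dpt == "67" and uid == "0":
        # bootpc -> bootps from root is the classic DHCP client request/renew.
        # A UDP length of 308 (300-byte payload) matches the BOOTP minimum message size.
        return "dhcp-client"
    if dpt == "67":
        # Port 67 without the 68/root signature is not what dhclient sends; look at the process.
        return "port67-unusual"
    return "other"


def summarize(log_text):
    """Count labels, count DHCP client blocks per outgoing interface, and collect the odd lines."""
    labels = Counter()
    dhcp_per_iface = Counter()
    unusual = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        label = classify(f)
        labels[label] += 1
        if label == "dhcp-client":
            dhcp_per_iface[f.get("OUT", "?")] += 1
        elif label == "port67-unusual":
            unusual.append(line)
    return {
        "labels": dict(labels),
        "dhcp_per_interface": dict(dhcp_per_iface),
        "unusual": unusual,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("label counts:", report["labels"])
    print("dhcp client blocks per interface:", report["dhcp_per_interface"])
    for line in report["unusual"]:
        print("needs investigation:", line)
```

Run it against `/var/log/messages` (or wherever csf's kernel log lines land on the box) instead of the embedded sample. If every port 67 block is labelled `dhcp-client` and the destinations are the subnet gateway or broadcast, the traffic is the lease renewals that an EC2 instance on DHCP needs, and the choice is between adding 67 to csf's UDP_OUT list and keeping dhclient blocked from renewing; anything that lands in `unusual` is the case to chase with `lsof -i udp` and tcpdump as suggested above.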