too many tcp ip blocked in messages log

upsforum

Well-Known Member
I have too many log entries in /var/log/messages, but I don't understand what they are:

Code:
Nov 21 23:39:47 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=23.228.237.42 DST=[MY SERVER IP] LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=0 DF PROTO=TCP SPT=1612 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:39:48 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=114.24.206.111 DST=[MY SERVER IP] LEN=52 TOS=0x00 PREC=0x00 TTL=108 ID=5321 DF PROTO=TCP SPT=1244 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:39:52 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=137.175.4.59 DST=[MY SERVER IP] LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=28126 DF PROTO=TCP SPT=4718 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:39:53 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=23.228.237.42 DST=[MY SERVER IP] LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=2403 DF PROTO=TCP SPT=1612 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:39:54 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=114.24.206.111 DST=[MY SERVER IP] LEN=52 TOS=0x00 PREC=0x00 TTL=108 ID=7275 DF PROTO=TCP SPT=1244 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:39:58 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=198.2.202.149 DST=[MY SERVER IP] LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=31922 DF PROTO=TCP SPT=2981 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:40:01 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=46.232.228.172 DST=[MY SERVER IP] LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=64421 DF PROTO=TCP SPT=54009 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 21 23:40:04 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=198.2.202.149 DST=[MY SERVER IP] LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=1919 DF PROTO=TCP SPT=2981 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:40:04 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=46.232.228.172 DST=[MY SERVER IP] LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=64422 DF PROTO=TCP SPT=54009 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 21 23:40:05 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=109.236.84.144 DST=[MY SERVER IP] LEN=52 TOS=0x00 PREC=0x00 TTL=119 ID=17849 DF PROTO=TCP SPT=54147 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 21 23:40:08 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=109.236.84.144 DST=[MY SERVER IP] LEN=52 TOS=0x00 PREC=0x00 TTL=119 ID=19211 DF PROTO=TCP SPT=54147 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 21 23:40:09 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=137.175.4.9 DST=[MY SERVER IP] LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=27025 DF PROTO=TCP SPT=3988 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:40:11 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=198.13.116.60 DST=[MY SERVER IP] LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=21088 DF PROTO=TCP SPT=1394 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:40:12 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=192.184.38.186 DST=[MY SERVER IP] LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=17916 DF PROTO=TCP SPT=2222 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:40:14 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=137.175.4.61 DST=[MY SERVER IP] LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=15374 DF PROTO=TCP SPT=1173 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:40:16 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=31.220.4.17 DST=[MY SERVER IP] LEN=52 TOS=0x10 PREC=0x40 TTL=55 ID=42916 PROTO=TCP SPT=50291 DPT=3128 WINDOW=14600 RES=0x00 SYN URGP=0
 

cPanelMichael

Administrator
Staff member
Hello :)

It shows most of those connections are to port 3128. Do you have any services running on that port? It's not necessarily an attack on your system, but you may want to install/configure a firewall such as CSF if you have not done so already and are simply using iptables rules.

Thank you.
 

quietFinn

Well-Known Member
I use CSF, but 3128 is disabled. I tried with psa, but there is no active daemon or software on this port.
Indeed, you get those messages because someone is trying to connect to a port closed by your firewall.

If you don't want to see those messages in the log, you can add that port to DROP_NOLOG.
 
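Before silencing anything, it helps to know which closed ports and which sources are generating the noise, since that is what tells you whether you are looking at background scanning or a targeted probe. The following is an added example, not code from the thread or from CSF: it parses the kernel "Firewall: *TCP_IN Blocked*" lines that CSF's iptables LOG rules write to /var/log/messages and tallies them by destination port and by source. The sample lines are constructed for the example (documentation addresses, made-up timestamps); point it at a real messages file to run it on your own log.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the kernel "Firewall: ... Blocked"
# messages quoted in the thread. Addresses are from documentation ranges and
# are made up for this example. The last line is a non-firewall entry that the
# parser must ignore.
SAMPLE_LOG = """\
Nov 21 23:39:47 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=0 DF PROTO=TCP SPT=1612 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:39:48 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=108 ID=5321 DF PROTO=TCP SPT=1244 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:39:53 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=2403 DF PROTO=TCP SPT=1612 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:40:05 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=119 ID=17849 DF PROTO=TCP SPT=54147 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 21 23:40:09 vps10 kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=78 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=58
Nov 21 23:40:11 vps10 sshd[1234]: Accepted publickey for root from 198.51.100.200 port 50000 ssh2
"""

# The chain name (TCP_IN, UDP_IN, ...) sits between the asterisks; everything
# after "Blocked* " is the iptables key=value dump.
HEADER_RE = re.compile(r"kernel: Firewall: \*(?P<chain>[A-Z_]+) Blocked\* (?P<rest>.*)$")
# Bare flags such as DF and SYN have no '=', so they are skipped by design.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the fields of one CSF 'Blocked' log line as a dict, or None."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain")}
    rec.update(FIELD_RE.findall(m.group("rest")))
    return rec


def summarize(log_text):
    """Count blocked packets per (chain, proto, dport) and per source address."""
    by_port = Counter()
    by_src = Counter()
    parsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        by_port[(rec["chain"], rec.get("PROTO", "?"), rec.get("DPT", "?"))] += 1
        by_src[rec.get("SRC", "?")] += 1
    return {"parsed": parsed, "by_port": by_port, "by_src": by_src}


def report(summary, top=10):
    """Plain-text table of the busiest blocked ports and the busiest sources."""
    lines = [f"{summary['parsed']} blocked packets"]
    for (chain, proto, dport), n in summary["by_port"].most_common(top):
        lines.append(f"{n:6d}  {chain:<8} {proto:<4} dport {dport}")
    for src, n in summary["by_src"].most_common(top):
        lines.append(f"{n:6d}  from {src}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Usage: python3 blocked_summary.py /var/log/messages
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(summarize(text)))
```

A port that many unrelated sources hit (3128, 1433, 23 and the like) is the usual internet background scan and is a candidate for DROP_NOLOG; a single source walking through many ports is a scan you may prefer to keep logged.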

eugenevdm.host

Active Member
Hi there, I'm a newbie to CSF. My logs display these messages for ports 12504, 1433, 29977, etc.

Could you guide me to:

1. What is the syntax for DROP_NOLOG for a specific port, e.g. block port 1433?

2. How can I see a list of *all* ports that are currently blocked?
 

quietFinn

Well-Known Member
1. in CSF -> Firewall Configuration -> Logging Settings -> DROP_NOLOG

2. CSF blocks ALL ports, and then opens ports you specify in CSF -> Firewall Configuration -> IPv4 Port Settings -> TCP_IN
 

eugenevdm.host

Active Member
Thanks a lot man, I found the documentation for the firewall and created a paranoid DROP_NOLOG list so that the log file is quieter:

DROP_NOLOG= "2:19,23:24,27:36,38:42,44:52,54:79,81:109,111:112,114:142,144:442,444:464,466:578,580:586,588:782,784:872,874:992,994,996:2076,2081,2084:2085,2088,2090:2094,2097:2194,2196:2702,2704:3305,3307:6276,6278:24440,24442:65535"

The firewall documentation is here:

The tricky part is the documentation lists all the ports in numerical order, then takes a detour at `2703` so I had to be a bit careful.

Also be aware if you've hidden your SSL port, you might have to adjust the above slightly.

[Moderator Note: Links to third-party websites are not permitted]
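The hand-built list above is the complement of the ports that stay open, which is exactly the "detour at 2703" that makes it error-prone to write by hand. The following is an added example, not code from the thread or from CSF: it expands CSF's "a:b,c" port notation, generates a DROP_NOLOG value as the complement of a given TCP_IN, and checks an existing DROP_NOLOG against TCP_IN so you never silence a port you have opened. EXAMPLE_TCP_IN is a constructed example list, not a statement of cPanel's defaults; read the real value from /etc/csf/csf.conf. THREAD_DROP_NOLOG is the list posted above, reproduced so it can be checked.

```python
# DROP_NOLOG value posted in the thread, reproduced here for checking.
THREAD_DROP_NOLOG = (
    "2:19,23:24,27:36,38:42,44:52,54:79,81:109,111:112,114:142,144:442,444:464,"
    "466:578,580:586,588:782,784:872,874:992,994,996:2076,2081,2084:2085,2088,"
    "2090:2094,2097:2194,2196:2702,2704:3305,3307:6276,6278:24440,24442:65535"
)

# Constructed example TCP_IN for illustration only; use the value from your own
# /etc/csf/csf.conf, which will differ (custom SSH port, extra services, ...).
EXAMPLE_TCP_IN = ("20,21,22,25,53,80,110,143,443,465,587,993,995,"
                  "2077:2080,2082,2083,2086,2087,2089,2095,2096")


def expand_ports(spec):
    """Expand a CSF port list such as "20:22,80,443" into a set of ints.

    CSF uses ':' for ranges in TCP_IN, TCP_OUT, DROP_NOLOG and friends.
    """
    ports = set()
    for token in spec.replace(" ", "").split(","):
        if not token:
            continue
        if ":" in token:
            lo, hi = (int(x) for x in token.split(":", 1))
        else:
            lo = hi = int(token)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port token: {token!r}")
        ports.update(range(lo, hi + 1))
    return ports


def compress_ports(ports):
    """Turn a set of ports back into CSF's "a:b,c" notation (runs collapsed)."""
    out = []
    start = end = None
    for p in sorted(ports):
        if start is None:
            start = end = p
        elif p == end + 1:
            end = p
        else:
            out.append(f"{start}:{end}" if end > start else str(start))
            start = end = p
    if start is not None:
        out.append(f"{start}:{end}" if end > start else str(start))
    return ",".join(out)


def drop_nolog_for(open_spec, low=1, high=65535):
    """DROP_NOLOG value that silences every port not listed in open_spec."""
    return compress_ports(set(range(low, high + 1)) - expand_ports(open_spec))


def silenced_open_ports(open_spec, nolog_spec):
    """Ports that are both opened and silenced; this set should be empty."""
    return expand_ports(open_spec) & expand_ports(nolog_spec)


def still_logged(open_spec, nolog_spec, low=1, high=65535):
    """Closed ports whose drops will still be logged with the given lists."""
    return set(range(low, high + 1)) - expand_ports(open_spec) - expand_ports(nolog_spec)


if __name__ == "__main__":
    print('DROP_NOLOG = "%s"' % drop_nolog_for(EXAMPLE_TCP_IN))
    print("open but silenced:", sorted(silenced_open_ports(EXAMPLE_TCP_IN, THREAD_DROP_NOLOG)))
    print("closed but still logged:", sorted(still_logged(EXAMPLE_TCP_IN, THREAD_DROP_NOLOG)))
```

After changing DROP_NOLOG in csf.conf, restart CSF (`csf -r`) for the new LOG rules to take effect. Two caveats on a blanket list like this one: DROP_NOLOG only stops the logging, the packets are still dropped; and CSF's Port Scan Tracking (the PS_* settings) works from those very log lines, so silencing every closed port also blinds that feature.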
 