CSF: TCP_OUT Blocked
I've been having a problem for a few days with sites on my server having intermittent lag time. After a lot of digging, I've isolated the problem down to CSF v. 6.36 (I disabled it entirely, and no more lag time).
From 10/1/13 until now, only 3 IPs from the United States have been blocked, and they were obviously hack attempts, so I don't think that's the issue. The most suspicious thing is a ton of these in /var/log/messages:
Oct 10 21:07:06 server01 kernel: Firewall: *TCP_OUT Blocked* IN= OUT=bond0 SRC=x.x.x.2 DST=x.x.x.223 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31611 DF PROTO=TCP SPT=50653 DPT=48002 WINDOW=5840 RES=0x00 SYN URGP=0 UID=0
Oct 11 00:41:12 server01 kernel: Firewall: *UDP_OUT Blocked* IN= OUT=bond0 SRC=x.x.x.2 DST=255.255.255.255 LEN=220 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=52315 DPT=48002 LEN=200 UID=0
I'm seeing 100 lines in 13 minutes at almost 1am, and almost all of them are like these. There's nothing suspicious in /tmp/, and a Quick Security Scan, ClamAV, and scan with rkhunter found no problems. What do I do here? Is this an issue of a port being closed that should be open, or a port being open that should be closed? Or should one of those two IPs be denied? Or something else?
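As an added example (not from the original post or from the CSF project), here is a small Python script that parses kernel lines in the format shown above, counts blocked outbound flows per destination and port, and checks them against a proposed TCP_OUT/UDP_OUT list before anything is opened. The sample log is constructed from the two lines in the post plus two invented ones (198.51.100.7 is a documentation address), and the regexes and field names are my assumptions about the log format, not CSF's own code.

```python
import re
from collections import Counter

# Constructed sample: the two lines from the post plus two invented ones
# (x.x.x.* are the poster's redactions; 198.51.100.7 is a documentation address).
SAMPLE_LOG = """\
Oct 10 21:07:06 server01 kernel: Firewall: *TCP_OUT Blocked* IN= OUT=bond0 SRC=x.x.x.2 DST=x.x.x.223 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31611 DF PROTO=TCP SPT=50653 DPT=48002 WINDOW=5840 RES=0x00 SYN URGP=0 UID=0
Oct 11 00:41:12 server01 kernel: Firewall: *UDP_OUT Blocked* IN= OUT=bond0 SRC=x.x.x.2 DST=255.255.255.255 LEN=220 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=52315 DPT=48002 LEN=200 UID=0
Oct 11 00:41:13 server01 kernel: Firewall: *TCP_OUT Blocked* IN= OUT=bond0 SRC=x.x.x.2 DST=x.x.x.223 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31612 DF PROTO=TCP SPT=50654 DPT=48002 WINDOW=5840 RES=0x00 SYN URGP=0 UID=0
Oct 11 00:41:14 server01 kernel: Firewall: *TCP_IN Blocked* IN=bond0 OUT= SRC=198.51.100.7 DST=x.x.x.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Assumed format: "Firewall: *<RULE> Blocked*" then KEY=VALUE pairs; bare flags (DF, SYN) are skipped.
LINE_RE = re.compile(r"Firewall: \*(?P<rule>[A-Z]+_(?:IN|OUT)) Blocked\* (?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_block_line(line):
    """Return {rule, proto, src, dst, dpt, uid} for a CSF block line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(m.group("rest")))
    return {"rule": m.group("rule"), "proto": f.get("PROTO"), "src": f.get("SRC"),
            "dst": f.get("DST"), "dpt": int(f["DPT"]) if "DPT" in f else None, "uid": f.get("UID")}

def summarize_outbound(log_text):
    # Count blocked outbound flows per (proto, dst, dpt); inbound blocks are ignored.
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_block_line(line)
        if rec and rec["rule"].endswith("_OUT"):
            counts[(rec["proto"], rec["dst"], rec["dpt"])] += 1
    return counts

def in_csf_port_spec(port, spec):
    """True if port is covered by a CSF port list such as "80,443,48000:48020"."""
    for item in spec.split(","):
        lo, _, hi = item.strip().partition(":")
        if lo and int(lo) <= port <= int(hi or lo):
            return True
    return False

def report(log_text, out_specs):
    """Print outbound blocks; flag broadcast targets and ports still blocked by {"TCP": .., "UDP": ..}."""
    for (proto, dst, dpt), n in summarize_outbound(log_text).most_common():
        flags = []
        if dst == "255.255.255.255":
            flags.append("broadcast target: identify the sending process (see UID)")
        if dpt is not None and not in_csf_port_spec(dpt, out_specs.get(proto, "")):
            flags.append(f"still blocked by proposed {proto}_OUT")
        print(f"{n:4d}  {proto:<3} -> {dst}:{dpt}  {'; '.join(flags)}")
```

Calling report(SAMPLE_LOG, {"TCP": "20,21,22,25,53,80,110,113,443,48000:48020", "UDP": "20,21,53,113,123"}) shows the TCP flow covered by the added 48000:48020 range while the UDP broadcast to 48002 is flagged for follow-up rather than silently allowed.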
Quick update: the two IPs do belong to my server provider, so I definitely shouldn't block them. But in that case, I'm clueless on what to do. Should I simply add port 48002 to the TCP_OUT list?
Hello, could you check CSF's config and look for USE_CONNTRACK? It should be 0. If you have set it to 1, it may cause problems. Due to a buggy version, it will make outgoing calls using random ports, not via the protocol that's being used. (For example, an outgoing PHP call would not be port 80, but something like 5046464.) Let me know if that was the cause.
No, I have USE_CONNTRACK at 0. I added the range of ports 48000:48020 to both TCP_OUT and UDP_OUT, which seems to have solved the problem. This seems like a bad solution, though, and doesn't explain why the problem started with no apparent reason, but for now it has resolved the lag time.
Hello :) You may also want to report this issue on the CSF support forums in order to receive more input from the product developers. Thank you.