too many tcp ip blocked in messages log
I have too many logs in /var/log/messages but I don't understand what they are:
Nov 21 23:39:47 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=23.228.237.42 DST=[MY SERVER IP] LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=0 DF PROTO=TCP SPT=1612 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:39:48 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=114.24.206.111 DST=[MY SERVER IP] LEN=52 TOS=0x00 PREC=0x00 TTL=108 ID=5321 DF PROTO=TCP SPT=1244 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:39:52 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=137.175.4.59 DST=[MY SERVER IP] LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=28126 DF PROTO=TCP SPT=4718 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:39:53 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=23.228.237.42 DST=[MY SERVER IP] LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=2403 DF PROTO=TCP SPT=1612 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:39:54 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=114.24.206.111 DST=[MY SERVER IP] LEN=52 TOS=0x00 PREC=0x00 TTL=108 ID=7275 DF PROTO=TCP SPT=1244 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:39:58 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=198.2.202.149 DST=[MY SERVER IP] LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=31922 DF PROTO=TCP SPT=2981 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:40:01 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=46.232.228.172 DST=[MY SERVER IP] LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=64421 DF PROTO=TCP SPT=54009 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 21 23:40:04 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=198.2.202.149 DST=[MY SERVER IP] LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=1919 DF PROTO=TCP SPT=2981 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:40:04 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=46.232.228.172 DST=[MY SERVER IP] LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=64422 DF PROTO=TCP SPT=54009 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 21 23:40:05 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=109.236.84.144 DST=[MY SERVER IP] LEN=52 TOS=0x00 PREC=0x00 TTL=119 ID=17849 DF PROTO=TCP SPT=54147 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 21 23:40:08 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=109.236.84.144 DST=[MY SERVER IP] LEN=52 TOS=0x00 PREC=0x00 TTL=119 ID=19211 DF PROTO=TCP SPT=54147 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 21 23:40:09 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=137.175.4.9 DST=[MY SERVER IP] LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=27025 DF PROTO=TCP SPT=3988 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:40:11 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=198.13.116.60 DST=[MY SERVER IP] LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=21088 DF PROTO=TCP SPT=1394 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:40:12 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=192.184.38.186 DST=[MY SERVER IP] LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=17916 DF PROTO=TCP SPT=2222 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:40:14 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=137.175.4.61 DST=[MY SERVER IP] LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=15374 DF PROTO=TCP SPT=1173 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:40:16 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=31.220.4.17 DST=[MY SERVER IP] LEN=52 TOS=0x10 PREC=0x40 TTL=55 ID=42916 PROTO=TCP SPT=50291 DPT=3128 WINDOW=14600 RES=0x00 SYN URGP=0
Hello :) It shows that most of those connections are to port 3128. Do you have any services running on that port? It's not necessarily an attack on your system, but you may want to install/configure a firewall such as CSF if you have not done so already and are simply using iptables rules. Thank you.
I use CSF but 3128 is disabled. I tried with psa but there is no active daemon or software on this port.
The rDNS of these IPs all points to psychz.net.
[quote="upsforum, post: 1513731"]I use CSF but 3128 is disabled. I tried with psa but there is no active daemon or software on this port.[/quote]
Indeed, you get those messages because someone is trying to connect to a port closed by your firewall. If you don't want to see those messages in the log you can add that port to DROP_NOLOG.
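To make sense of a burst of these lines, here is an added example (mine, not from this thread and not part of CSF) that parses the `Firewall: *TCP_IN Blocked*` syslog format shown above and summarises it by destination port and by source. It runs on a constructed sample whose addresses come from the RFC 5737 documentation ranges, not the addresses in the thread. Beyond the per-port count it also separates two things the raw lines hide: a source re-sending the same SYN from the same source port (one client's retransmits, visible above as repeated SPT=1612 and SPT=1244 entries) versus a source probing several different closed ports, which looks like a scanner. Port 3128 is the default port of the Squid HTTP proxy, so SYNs to it on a host that runs no proxy are consistent with open-proxy scanning.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the CSF "*TCP_IN Blocked*" syslog format seen in the thread.
# Addresses are RFC 5737 documentation ranges, not the ones from the thread; the final
# sshd line is there to show that non-firewall syslog lines are skipped.
SAMPLE_LOG = """\
Nov 21 23:39:47 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=0 DF PROTO=TCP SPT=1612 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:39:48 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=203.0.113.11 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=108 ID=5321 DF PROTO=TCP SPT=1244 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:39:53 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=2403 DF PROTO=TCP SPT=1612 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 21 23:40:16 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=203.0.113.12 DST=198.51.100.5 LEN=52 TOS=0x10 PREC=0x40 TTL=55 ID=42916 PROTO=TCP SPT=50291 DPT=1433 WINDOW=14600 RES=0x00 SYN URGP=0
Nov 21 23:40:17 vps10 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=203.0.113.12 DST=198.51.100.5 LEN=52 TOS=0x10 PREC=0x40 TTL=55 ID=42917 PROTO=TCP SPT=50292 DPT=3128 WINDOW=14600 RES=0x00 SYN URGP=0
Nov 21 23:40:20 vps10 kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=99:99:99:99:22:4a:00:08:e3:ff:fd:90:08:00 SRC=203.0.113.13 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=58
Nov 21 23:40:21 vps10 sshd[1234]: Accepted publickey for root from 203.0.113.50 port 51234 ssh2
"""

# CSF's LOGDROP prefix, then the iptables KEY=value fields (bare flags such as DF/SYN have no '=').
LINE_RE = re.compile(r"kernel: Firewall: \*(?P<chain>[A-Z0-9_]+) Blocked\* (?P<fields>.*)$")
KV_RE = re.compile(r"\b(?P<key>[A-Z]+)=(?P<value>\S*)")


def parse_line(line):
    """Return a dict for one CSF/iptables drop line, or None for any other syslog line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    fields = m.group("fields")
    rec = {"chain": m.group("chain")}
    rec.update((kv.group("key"), kv.group("value")) for kv in KV_RE.finditer(fields))
    rec["flags"] = frozenset(tok for tok in fields.split() if "=" not in tok)
    return rec


def summarize(log_text):
    """Count dropped packets per (proto, dport) and per source; remember which ports each source hit."""
    by_port, by_src, ports_per_src = Counter(), Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "DPT" not in rec:
            continue
        dport = int(rec["DPT"])
        by_port[(rec.get("PROTO"), dport)] += 1
        by_src[rec["SRC"]] += 1
        ports_per_src[rec["SRC"]].add(dport)
    return by_port, by_src, dict(ports_per_src)


def syn_retries(log_text):
    """(src, sport, dport) tuples seen more than once: the same client re-sending its SYN
    after the drop, rather than separate connection attempts."""
    seen = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "SYN" in rec["flags"]:
            seen[(rec["SRC"], int(rec["SPT"]), int(rec["DPT"]))] += 1
    return {key: n for key, n in seen.items() if n > 1}


def likely_scanners(ports_per_src, min_ports=2):
    """Sources that probed at least min_ports distinct closed ports."""
    return sorted(src for src, ports in ports_per_src.items() if len(ports) >= min_ports)


def report(log_text):
    by_port, by_src, ports_per_src = summarize(log_text)
    lines = ["proto  dport  drops"]
    lines += [f"{proto:<5} {dport:>6} {n:>6}" for (proto, dport), n in by_port.most_common()]
    lines.append("top sources: " + ", ".join(f"{s} ({n})" for s, n in by_src.most_common(5)))
    lines.append("SYN retries: " + str(syn_retries(log_text)))
    lines.append("multi-port probers: " + ", ".join(likely_scanners(ports_per_src)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real file with `summarize(open("/var/log/messages").read())`; the `DST` field is the server's own address, so nothing in the parsed record needs redacting beyond what you would already strip before posting.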
Hi there, I'm a newbie to CSF. My logs display these messages for ports 12504, 1433, 29977, etc. Could you guide me on:
1. What is the syntax for DROP_NOLOG for a specific port, e.g. to block port 1433?
2. How can I see a list of *all* ports that are currently blocked?
1. In CSF -> Firewall Configuration -> Logging Settings -> DROP_NOLOG
2. CSF blocks ALL ports, and then opens the ports you specify in CSF -> Firewall Configuration -> IPv4 Port Settings -> TCP_IN
Thanks a lot man, I found the documentation for the firewall and created a paranoid DROP_NOLOG list so that the log file can be quieter:
DROP_NOLOG = "2:19,23:24,27:36,38:42,44:52,54:79,81:109,111:112,114:142,144:442,444:464,466:578,580:586,588:782,784:872,874:992,994,996:2076,2081,2084:2085,2088,2090:2094,2097:2194,2196:2702,2704:3305,3307:6276,6278:24440,24442:65535"
The firewall documentation is here:
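DROP_NOLOG takes the same comma-separated port list syntax as the rest of csf.conf: single ports and `low:high` ranges, as in the list above. A list that large is easier to reason about by its complement, i.e. the ports whose drops will still be logged. The following added example (mine, not from the thread and not part of CSF) expands such a list, reports the still-logged ports, rejects malformed entries, and also does the reverse: it folds a set of noisy ports, such as the 3128, 1433, 12504 and 29977 mentioned in this thread, into a compact DROP_NOLOG value, which is the less drastic route than silencing almost everything. The constant `PARANOID_NOLOG` is the list posted above, reproduced as input. Note that DROP_NOLOG only suppresses the log line; the packets are dropped either way.

```python
PORT_MIN, PORT_MAX = 1, 65535

# The DROP_NOLOG list posted in the thread above, reproduced here as input.
PARANOID_NOLOG = ("2:19,23:24,27:36,38:42,44:52,54:79,81:109,111:112,114:142,144:442,"
                  "444:464,466:578,580:586,588:782,784:872,874:992,994,996:2076,2081,"
                  "2084:2085,2088,2090:2094,2097:2194,2196:2702,2704:3305,3307:6276,"
                  "6278:24440,24442:65535")


def expand_port_spec(spec):
    """Expand a CSF port list such as "23,135:139,3128" into a set of port numbers.
    Rejects entries outside 1..65535 and ranges whose low end is above the high end."""
    ports = set()
    for item in spec.strip().strip('"').split(","):
        item = item.strip()
        if not item:
            continue
        lo_s, sep, hi_s = item.partition(":")
        lo = int(lo_s)
        hi = int(hi_s) if sep else lo
        if not (PORT_MIN <= lo <= hi <= PORT_MAX):
            raise ValueError(f"bad port entry: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def _run_to_spec(run):
    return str(run[0]) if len(run) == 1 else f"{run[0]}:{run[-1]}"


def compress_ports(ports):
    """Inverse of expand_port_spec: sorted, de-duplicated, consecutive runs folded to low:high."""
    items, run = [], []
    for p in sorted(set(ports)):
        if run and p == run[-1] + 1:
            run.append(p)
        else:
            if run:
                items.append(_run_to_spec(run))
            run = [p]
    if run:
        items.append(_run_to_spec(run))
    return ",".join(items)


def still_logged(nolog_spec):
    """Ports whose dropped packets will still be written to the log under this DROP_NOLOG."""
    return sorted(set(range(PORT_MIN, PORT_MAX + 1)) - expand_port_spec(nolog_spec))


def add_to_nolog(nolog_spec, noisy_ports):
    """Extend an existing DROP_NOLOG value with extra ports, keeping the result compact."""
    return compress_ports(expand_port_spec(nolog_spec) | set(noisy_ports))


if __name__ == "__main__":
    print("still logged under the paranoid list:", still_logged(PARANOID_NOLOG))
    print("round trip unchanged:", compress_ports(expand_port_spec(PARANOID_NOLOG)) == PARANOID_NOLOG)
    print('DROP_NOLOG = "%s"' % add_to_nolog("3128", [1433, 12504, 29977]))
```

`still_logged` is the check to run before committing a list like the one above: with that list, drops to 3306, 22, 25, 80 and 443 are still logged while drops to 3128 are not, so make sure the ports that remain are the ones you actually want to hear about.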