On my CentOS box that I use mainly as a web server, I have iptables set to log and reject anything that I don't expect. So lately, I have been getting things like this:

Mar 29 17:27:20 mbrc20 kernel: IPT-DROP IN= OUT=lo SRC=192.168.9.20 DST=192.168.9.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46910 DF PROTO=TCP SPT=56624 DPT=80 WINDOW=32792 RES=0x00 SYN URGP=0 OPT (0204400C0402080A4A26F7A50000000001030307) UID=0

that on at least one occasion repeated every few seconds for more than three hours. The ephemeral source port keeps changing in an irregular manner.

Any suggestions?

Thanks,
Mike
Michael D. Berger wrote:
> On my CentOS box that I use mainly as a web server, I have iptables
> set to log and reject anything that I don't expect. So lately,
> I have been getting things like this:
>
>
> Mar 29 17:27:20 mbrc20 kernel: IPT-DROP IN= OUT=lo SRC=192.168.9.20
> DST=192.168.9.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46910 DF PROTO=TCP
> SPT=56624 DPT=80 WINDOW=32792 RES=0x00 SYN URGP=0 OPT
> (0204400C0402080A4A26F7A50000000001030307) UID=0
>
> that on at least one occasion repeated every few seconds for
> more than three hours. The ephemeral source port keeps changing in an
> irregular manner.
<snip>

Not great on this, but *if* I understand it, it's saying that the IP address of your server is 192.168.9.20, and it's talking to itself, at destination port 80 - apache, that would be.

mark
On 1.4.2011 17:20, Michael D. Berger wrote:
> On my CentOS box that I use mainly as a web server, I have iptables
> set to log and reject anything that I don't expect. So lately,
> I have been getting things like this:
>
>
> Mar 29 17:27:20 mbrc20 kernel: IPT-DROP IN= OUT=lo SRC=192.168.9.20
> DST=192.168.9.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46910 DF PROTO=TCP
> SPT=56624 DPT=80 WINDOW=32792 RES=0x00 SYN URGP=0 OPT
> (0204400C0402080A4A26F7A50000000001030307) UID=0
>
> that on at least one occasion repeated every few seconds for
> more than three hours. The ephemeral source port keeps changing in an
> irregular manner.
>
> Any suggestions?

Too restrictive
OUT=lo
This is the loopback device!
Add a rule that allows traffic from and to lo

--
Kind Regards, Markus Falb
On Fri, 01 Apr 2011 22:10:58 +0200, Markus Falb wrote:
[...]
>> Mar 29 17:27:20 mbrc20 kernel: IPT-DROP IN= OUT=lo SRC=192.168.9.20
>> DST=192.168.9.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46910 DF PROTO=TCP
>> SPT=56624 DPT=80 WINDOW=32792 RES=0x00 SYN URGP=0 OPT
>> (0204400C0402080A4A26F7A50000000001030307) UID=0
>>
[...]
> Too restrictive
> OUT=lo
> This is the loopback device!
> Add a rule that allows traffic from and to lo

What sort of thing might be using it? It only shows up every day or two.

Mike.
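
The log line discussed in this thread, parsed field by field (an added example, not part of any poster's message): it checks for the locally generated, loopback-bound pattern and decodes the OPT hex as TCP options. The function names are hypothetical; the only input is the line quoted above.

```python
import re

# Log line quoted in the thread (kernel LOG output, joined onto one line).
LINE = ("Mar 29 17:27:20 mbrc20 kernel: IPT-DROP IN= OUT=lo SRC=192.168.9.20 "
        "DST=192.168.9.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46910 DF PROTO=TCP "
        "SPT=56624 DPT=80 WINDOW=32792 RES=0x00 SYN URGP=0 OPT "
        "(0204400C0402080A4A26F7A50000000001030307) UID=0")
FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF"}

def decode_tcp_options(raw):
    """Walk the kind/length/value option list; only common kinds are named."""
    out, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP padding, one byte
            i += 1
            continue
        length = raw[i + 1] if i + 1 < len(raw) else 0
        if length < 2 or i + length > len(raw):   # malformed or truncated
            break
        value = raw[i + 2:i + length]
        if kind == 2:
            out["mss"] = int.from_bytes(value, "big")
        elif kind == 3 and value:
            out["window_scale"] = value[0]
        elif kind == 4:
            out["sack_permitted"] = True
        elif kind == 8:
            out["ts_val"] = int.from_bytes(value[:4], "big")
        i += length
    return out

def parse_log(line):
    """Split a netfilter LOG line into KEY=value fields, bare flags, TCP options."""
    body = line.split("kernel:", 1)[1]
    fields = dict(re.findall(r"(\w+)=(\S*)", body))   # IN= yields an empty string
    fields["flags"] = sorted(FLAGS & set(body.split()))
    m = re.search(r"OPT \(([0-9A-Fa-f]+)\)", body)
    fields["tcp_options"] = decode_tcp_options(bytes.fromhex(m.group(1))) if m else {}
    return fields

def is_local_self_connect(f):
    """Empty IN= means locally generated; OUT=lo with SRC == DST is host-to-self."""
    return f.get("IN") == "" and f.get("OUT") == "lo" and f.get("SRC") == f.get("DST")

if __name__ == "__main__":
    f = parse_log(LINE)
    print(is_local_self_connect(f), f["flags"], f["DPT"], f["UID"], f["tcp_options"])
```

The UID= field is written when the LOG rule uses --log-uid and names the owner of the sending socket, so UID=0 here means a root-owned local process opened the connection to port 80.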