Web Hosting Talk

Active System Attack Alerts


Bourd
05-06-2004, 06:07 PM
I got this from my server:

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
May 6 13:04:21 myserver portsentry[16550]: attackalert: Unknown Type: TCP Packet Flags: SYN: 0 FIN: 0 ACK: 0 PSH: 0 URG: 1 RST: 0 from host: wp74-175.introweb.nl/62.165.74.175 to TCP port: 0
May 6 13:04:21 myserver portsentry[16550]: attackalert: Host 62.165.74.175 has been blocked via wrappers with string: "ALL: 62.165.74.175"
May 6 13:04:21 myserver portsentry[16550]: attackalert: Host 62.165.74.175 has been blocked via dropped route using command: "/sbin/iptables -I INPUT -s 62.165.74.175 -j DROP"

Security Violations
=-=-=-=-=-=-=-=-=-=
May 6 13:04:21 myserver portsentry[16550]: attackalert: Unknown Type: TCP Packet Flags: SYN: 0 FIN: 0 ACK: 0 PSH: 0 URG: 1 RST: 0 from host: wp74-175.introweb.nl/62.165.74.175 to TCP port: 0
May 6 13:04:21 myserver portsentry[16550]: attackalert: Host 62.165.74.175 has been blocked via wrappers with string: "ALL: 62.165.74.175"
May 6 13:04:21 myserver portsentry[16550]: attackalert: Host 62.165.74.175 has been blocked via dropped route using command: "/sbin/iptables -I INPUT -s 62.165.74.175 -j DROP"


What should I do with this? I don't know if this is related, but the server is just amazingly slow from here (looks like I'm on a 56k), and I keep getting "apache failed" messages but it appears to be up every time I look... Hope you can help, I'm pretty lost here.
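For anyone who wants to do more with these reports than read them by hand, here is an added example (not from the thread, and not part of PortSentry itself) that parses the classic PortSentry "attackalert" syslog lines shown above into events, builds a per-source summary, and picks out probes whose TCP flag combination cannot start a normal connection (no SYN, ACK, RST or FIN set, or a destination port of 0, as in the alert Bourd received). The fourth sample line, with a documentation address, is constructed to give the summary a second host; the first three are the lines from the post.

```python
import re

# Sample input: the three PortSentry lines from the post plus one constructed
# "Connect from host" line (RFC 5737 documentation address) for a second source.
SAMPLE_LOG = """\
May 6 13:04:21 myserver portsentry[16550]: attackalert: Unknown Type: TCP Packet Flags: SYN: 0 FIN: 0 ACK: 0 PSH: 0 URG: 1 RST: 0 from host: wp74-175.introweb.nl/62.165.74.175 to TCP port: 0
May 6 13:04:21 myserver portsentry[16550]: attackalert: Host 62.165.74.175 has been blocked via wrappers with string: "ALL: 62.165.74.175"
May 6 13:04:21 myserver portsentry[16550]: attackalert: Host 62.165.74.175 has been blocked via dropped route using command: "/sbin/iptables -I INPUT -s 62.165.74.175 -j DROP"
May 6 13:09:02 myserver portsentry[16550]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 1
"""

# Syslog envelope: "<Mon D HH:MM:SS> <host> portsentry[<pid>]: attackalert: <msg>"
ALERT_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'portsentry\[(?P<pid>\d+)\]: attackalert: (?P<msg>.*)$')
# Probe messages end in "from host: <name>/<ip> to TCP|UDP port: <n>"
PROBE_RE = re.compile(
    r'from host: (?P<name>\S+)/(?P<ip>\d+\.\d+\.\d+\.\d+) '
    r'to (?P<proto>TCP|UDP) port: (?P<port>\d+)')
# "Unknown Type" probes carry the raw flag bits: "SYN: 0 FIN: 0 ... URG: 1 RST: 0"
FLAGS_RE = re.compile(r'\b(SYN|FIN|ACK|PSH|URG|RST): ([01])')
# Block notices: "Host <ip> has been blocked via wrappers|dropped route ..."
BLOCK_RE = re.compile(
    r'Host (?P<ip>\d+\.\d+\.\d+\.\d+) has been blocked via (?P<method>wrappers|dropped route)')


def parse_portsentry(text):
    """Turn PortSentry attackalert lines into event dicts (kind: probe/block/other)."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # not a PortSentry alert line; skip silently
        msg = m.group('msg')
        ev = {'ts': m.group('ts'), 'pid': int(m.group('pid'))}
        probe, block = PROBE_RE.search(msg), BLOCK_RE.search(msg)
        if probe:
            flag_bits = FLAGS_RE.findall(msg)
            ev.update(kind='probe', ip=probe.group('ip'), name=probe.group('name'),
                      proto=probe.group('proto'), port=int(probe.group('port')),
                      # None when the message carries no flag bits (plain connect)
                      flags=frozenset(f for f, v in flag_bits if v == '1') if flag_bits else None)
        elif block:
            ev.update(kind='block', ip=block.group('ip'), method=block.group('method'))
        else:
            ev.update(kind='other', text=msg)
        events.append(ev)
    return events


def summarize(events):
    """Per-source view: probe count, ports touched, flags seen, block methods applied."""
    by_ip = {}
    for ev in events:
        if ev['kind'] not in ('probe', 'block'):
            continue
        s = by_ip.setdefault(ev['ip'], {'probes': 0, 'ports': set(), 'flags': set(),
                                        'blocked': set(), 'first': ev['ts'], 'last': ev['ts']})
        s['last'] = ev['ts']
        if ev['kind'] == 'probe':
            s['probes'] += 1
            s['ports'].add((ev['proto'], ev['port']))
            if ev['flags'] is not None:
                s['flags'] |= ev['flags']
        else:
            s['blocked'].add(ev['method'])
    return by_ip


def malformed_probes(events):
    """Probes that cannot be a legitimate connection attempt: flag bits present but
    none of SYN/ACK/RST/FIN set (URG-only, as in the post), or destination port 0."""
    connection_flags = {'SYN', 'ACK', 'RST', 'FIN'}
    return [ev for ev in events if ev['kind'] == 'probe' and
            ((ev['flags'] is not None and not (ev['flags'] & connection_flags))
             or ev['port'] == 0)]


if __name__ == '__main__':
    evs = parse_portsentry(SAMPLE_LOG)
    for ip, s in summarize(evs).items():
        print(ip, s)
    for ev in malformed_probes(evs):
        print('malformed probe:', ev['ip'], sorted(ev['flags'] or []), 'port', ev['port'])
```

The summary is the thing worth looking at when the reports pile up: a host that is already in both the wrappers and the iptables block lists will stop generating new lines, so a source that keeps reappearing is one whose block did not take.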

LP-Trel
05-06-2004, 06:24 PM
It looks like your server is defending itself. You could try mod_dosevasive but, that will break frontpage.

Looks like you just ride this one out. ;)

Website Rob
05-06-2004, 07:09 PM
Definitely sounds like PortSentry is doing what it should and letting you know about it. To stop the reports from being sent you can manually enter the IP block:

/sbin/iptables -I INPUT -s 62.165.74.175 -j DROP

so it will happen automatically.

Bourd
05-06-2004, 07:56 PM
Thanks guys, glad to hear the system is doing its job correctly, but any thoughts about the speed problem and the "apache failed" message I keep getting about every 30 minutes... I have a lot of traffic right now, but the server load is at around 0.15 and the memory % at 9.6 so this should not affect the speed of the server... When I look at my pages from here, it just looks like I'm on a 56k!!

Website Rob
05-07-2004, 12:36 AM
Well, if you are continually being DoS'ed and having PortSentry do the IP table drop for you, it's very likely Apache is still being overloaded. That is one reason why I suggested you manually input the IP drop.

Not sure about your 'speed problem' as not enough information is available to provide a decent answer. Could be related to the DoS'ing though, which you won't know unless you tail the Apache error log.

BaddaBing
05-07-2004, 02:13 AM
Is APF installed?

hostito
05-07-2004, 07:46 AM
What says apache failed? Cpanel? If so, it has usually restarted by the time you got that email. Maybe you should monitor apache so you may catch it as it crashes. I would read the error_logs to get ideas...

Bourd
05-07-2004, 02:07 PM
Looks like I've found what causes apache to fail:
May 6 12:01:00 myserver kernel: IDENT: IN=eth0 OUT= MAC=00:30:48:42:75:3e:00:05:dc:e7:38:ca:08:00 SRC=207.134.105.2 DST=xx.xx.x.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=1750 DF PROTO=TCP SPT=50784 DPT=113 WINDOW=65535 RES=0x00 SYN URGP=0

Funny thing, the SRC IP is probably a neighbor. Its IP is from the same (not so well known) ISP. I'll check that out...

BaddaBing, no, APF is not installed, but the server was set up by easy server management which uses standard iptables...

dan_erat
05-07-2004, 02:44 PM
That's just an ident packet. It wouldn't have any effect on Apache.

Bourd
05-07-2004, 02:54 PM
Originally posted by dan_erat
That's just an ident packet. It wouldn't have any effect on Apache.

OK. It matches the time of the apache failed messages. I checked my logs about an hour ago, and all the IDENT packets matched the apache failed messages...
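The last two posts hinge on whether the IDENT log lines really line up with the "apache failed" notices, which is easy to check properly instead of by eye. The added example below (not from the thread, not cPanel's or PortSentry's code) parses netfilter kernel LOG lines like the one Bourd posted into key=value fields, then, for each failure notice, lists the packets within a time window and reports how many of all the logged IDENT packets fell near a failure at all. The first kernel line is the one from the post; the other three, the notice times, the 2004 year (syslog lines carry none) and the 60-second window are constructed assumptions for the demonstration.

```python
import re
from datetime import datetime, timedelta

ASSUMED_YEAR = 2004  # assumption: syslog timestamps have no year; taken from the post dates

# Constructed sample: line 1 is the kernel line from the post; the rest are
# constructed with RFC 5737 documentation addresses.
KERNEL_LINES = [
    "May 6 12:01:00 myserver kernel: IDENT: IN=eth0 OUT= MAC=00:30:48:42:75:3e:00:05:dc:e7:38:ca:08:00 SRC=207.134.105.2 DST=xx.xx.x.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=1750 DF PROTO=TCP SPT=50784 DPT=113 WINDOW=65535 RES=0x00 SYN URGP=0",
    "May 6 12:20:15 myserver kernel: IDENT: IN=eth0 OUT= SRC=198.51.100.23 DST=xx.xx.x.xxx LEN=60 TTL=52 ID=41 DF PROTO=TCP SPT=40000 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0",
    "May 6 12:31:10 myserver kernel: IDENT: IN=eth0 OUT= SRC=203.0.113.9 DST=xx.xx.x.xxx LEN=60 TTL=49 ID=77 DF PROTO=TCP SPT=51234 DPT=113 WINDOW=65535 RES=0x00 SYN URGP=0",
    "May 6 13:45:02 myserver kernel: IDENT: IN=eth0 OUT= SRC=198.51.100.23 DST=xx.xx.x.xxx LEN=60 TTL=52 ID=42 DF PROTO=TCP SPT=40001 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0",
]
# Constructed timestamps of the "apache failed" notices (roughly every 30 minutes).
APACHE_FAILED = ["May 6 12:01:30", "May 6 12:31:00"]

SYSLOG_RE = re.compile(r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$')


def parse_ts(ts):
    """'May  6 12:01:00' -> datetime in the assumed year (extra syslog padding removed)."""
    return datetime.strptime(f"{ASSUMED_YEAR} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def parse_netfilter(line):
    """Parse one kernel netfilter LOG line into {'ts', 'prefix', 'flags', <KEY>: value...}.
    Tokens with '=' are fields (OUT= gives an empty value); bare tokens such as
    DF or SYN go into 'flags'. Only a single-word --log-prefix is handled."""
    m = SYSLOG_RE.match(line)
    if not m or 'kernel:' not in m.group('rest'):
        return None
    body = m.group('rest').split('kernel:', 1)[1].strip()
    rec = {'ts': parse_ts(m.group('ts')), 'prefix': None, 'flags': set()}
    tokens = body.split()
    if tokens and '=' not in tokens[0]:
        rec['prefix'] = tokens[0].rstrip(':')
        tokens = tokens[1:]
    for tok in tokens:
        if '=' in tok:
            key, value = tok.split('=', 1)
            rec[key] = value
        else:
            rec['flags'].add(tok)
    return rec


def correlate(packets, notice_times, window=timedelta(seconds=60)):
    """For each notice, the SRC of packets within +/- window.
    Returns (per_notice_matches, packets_near_any_notice, total_packets) so the
    hit rate can be judged against how many packets were logged overall."""
    matches, matched_idx = [], set()
    for t in notice_times:
        n = parse_ts(t)
        hits = [i for i, p in enumerate(packets) if abs(p['ts'] - n) <= window]
        matches.append((n, [packets[i]['SRC'] for i in hits]))
        matched_idx.update(hits)
    return matches, len(matched_idx), len(packets)


if __name__ == '__main__':
    packets = [p for p in map(parse_netfilter, KERNEL_LINES) if p]
    ident = [p for p in packets if p.get('DPT') == '113']
    per_notice, near, total = correlate(ident, APACHE_FAILED)
    for n, srcs in per_notice:
        print(n.strftime('%b %d %H:%M:%S'), 'apache failed; IDENT packets within 60s:', srcs)
    print(f'{near} of {total} IDENT packets fell within 60s of a failure notice')
```

The second number is the one to watch: if nearly every failure has an IDENT packet near it but most IDENT packets have no failure near them, the packets are simply frequent, and the Apache error_log (as hostito suggests) is where the actual cause will show up.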