  1. #1
    Join Date
    Apr 2010
    Posts
    270

    Crazy syslog message on SSH

    Hey guys,

    I'm getting the following message 100+ times a minute and am unable to stop it.
    It's preventing me from accessing SSH and running ssh commands.
    Code:
    Message from syslogd@***at Feb  9 17:08:38 ...
     kernel:[2645464.138196] nf_ct_ftp: dropping packetIN= OUT=eth0 SRC=36.80.15.85 DST=95.48.29.11 LEN=53 TOS=0x10 PREC=0x00 TTL=64 ID=50794 DF PROTO=TCP SPT=21 DPT=13490 SEQ=2790617378 ACK=292684928 WINDOW=14600 RES=0x00 ACK PSH FIN URGP=0
    The SRC IP is the main IP of my server.
    I also tried to update the kernel but I failed every time due to this crazy message.

    Any idea would be greatly appreciated
    Last edited by Rezaa; 02-09-2014 at 10:06 AM.

  2. #2
    Seems you have been attacked on ftp port 21. The log message suggests that you are logging the drop of output packets in iptables. I would suggest:

    1. Add an input rule to drop packets to port 21 from the attacking IP (95.48.29...) in your log.

    2. To prevent the flood of syslog messages, rate limit the iptables logging to e.g. 5 per minute.

  3. #3
    Join Date
    Apr 2010
    Posts
    270
    Thank you hwdsl2 but the source IP is mine.
    By the way, I blocked the destination IP a few days ago but the messages are still coming up faster and faster!
    May I know the exact instruction to rate limit the iptables logging?

  4. #4
    To limit logging you can change your existing logging rule in the iptables output chain to:

    -A OUTPUT -m limit --limit 5/min -j LOG

    To change the rules temporarily without rebooting, you can use
    iptables-save -c > tempfile1
    Then use nano or vim to edit tempfile1, change that log rule mentioned above, and next run
    iptables-restore -c < tempfile1

    The -c switch saves your current packet counters.
    Last edited by howardsl2; 02-09-2014 at 10:32 AM.
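
The edit described in post #4, scripted instead of done by hand in nano or vim. This is an added example, not part of the original posts: the function names and the sample ruleset are constructed for illustration, and the only rules it changes are those whose target is exactly `LOG`.

```shell
#!/bin/sh
# Added example: add a rate limit to every LOG rule that lacks one in an
# iptables-save dump (stdin -> stdout). add_log_limit is a hypothetical name.
add_log_limit() {
    limit="${1:-5/min}"   # default rate is the one suggested in the post
    awk -v limit="$limit" '
        # Match rules whose target is exactly LOG (not a user chain such as
        # LOGCHAIN) and that do not already carry a limit match.
        / -j LOG( |$)/ && !/ -m limit / {
            sub(/ -j LOG/, " -m limit --limit " limit " -j LOG")
        }
        { print }
    '
}

# Constructed sample dump in "iptables-save -c" format, for offline testing.
sample_dump() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGCHAIN - [0:0]
[3:180] -A INPUT -m limit --limit 5/min -j LOG
[12:720] -A OUTPUT -o eth0 -p tcp -m tcp --sport 21 -j LOG --log-prefix "OUT-DROP: "
[0:0] -A OUTPUT -j LOGCHAIN
COMMIT
EOF
}

# On a live host, following the steps in the post:
#   iptables-save -c > tempfile1
#   add_log_limit < tempfile1 > tempfile2
#   iptables-restore --test -c < tempfile2 && iptables-restore -c < tempfile2
```

`iptables-restore --test` parses the edited file without committing it, so a malformed edit is caught before it replaces the running ruleset.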

  5. #5
    By the way, if you want to learn more about using IPTables to secure your server, I recently wrote up a detailed HOW-TO. It was written for an Asterisk server; however, all instructions can be applied to any Linux server except for the one section on Asterisk. Link to my tutorial:

    https://blog.ls20.com/securing-your-...with-iptables/

    I hope you will find it helpful!

  6. #6
    Join Date
    Apr 2010
    Posts
    270
    I found that CSF is causing this issue.
    I've disabled csf for a few minutes and the messages have stopped.

    Thanks God

  7. #7
    CSF is a good firewall. I don't recommend disabling it. It seems you may have incorrect rules in your configuration. Please try reinstalling csf which should fix your issue.
