Thread: Crazy syslog message on SSH
-
02-09-2014, 10:02 AM #1 Web Hosting Guru (Join Date: Apr 2010, Posts: 270)
Crazy syslog message on SSH
Hey guys,
I'm getting the following message 100+ times a minute and am unable to stop it.
It is preventing me from accessing SSH and running ssh commands.
Code:
Message from syslogd@***at Feb 9 17:08:38 ... kernel:[2645464.138196] nf_ct_ftp: dropping packetIN= OUT=eth0 SRC=36.80.15.85 DST=95.48.29.11 LEN=53 TOS=0x10 PREC=0x00 TTL=64 ID=50794 DF PROTO=TCP SPT=21 DPT=13490 SEQ=2790617378 ACK=292684928 WINDOW=14600 RES=0x00 ACK PSH FIN URGP=0
I also tried to update the kernel but I failed every time due to this crazy message.
Any idea would be greatly appreciated.
Last edited by Rezaa; 02-09-2014 at 10:06 AM.
-
02-09-2014, 10:10 AM #2 Newbie (Join Date: Feb 2014, Posts: 18)
Seems you have been attacked on ftp port 21. The log message suggests that you are logging the drop of output packets in iptables. I would suggest:
1. Add an input rule to drop packets to port 21 from the attacking IP (95.48.29...) in your log.
2. To prevent the flood of syslog messages, rate limit the iptables logging to e.g. 5 per minute.
-
02-09-2014, 10:20 AM #3 Web Hosting Guru (Join Date: Apr 2010, Posts: 270)
Thank you hwdsl2 but the source IP is mine.
By the way, I blocked the destination IP a few days ago but the messages are still coming up faster and faster!
May I know the exact instruction to rate limit the iptables logging?
-
02-09-2014, 10:28 AM #4 Newbie (Join Date: Feb 2014, Posts: 18)
To limit logging you can change your existing logging rule in the iptables output chain to:
-A OUTPUT -m limit --limit 5/min -j LOG
To change the rules temporarily without rebooting, you can use
iptables-save -c > tempfile1
Then use nano or vim to edit tempfile1, change that log rule mentioned above, and next run
iptables-restore -c < tempfile1
The -c switch saves your current packet counters.
Last edited by howardsl2; 02-09-2014 at 10:32 AM.
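The edit step of the save/edit/restore procedure in post #4, scripted as an added example (not code from any poster in this thread). The function names and the sample ruleset are constructed for illustration; it only touches OUTPUT-chain LOG rules, leaves rules that already use -m limit alone, and checks the edited file with iptables-restore --test before loading it.

```shell
#!/bin/sh
LIMIT="5/min"   # rate suggested in post #4

# stdin: iptables-save (-c) output; stdout: same ruleset, OUTPUT LOG rules rate limited
rate_limit_log_rules() {
    awk -v limit="$LIMIT" '
        # "-A OUTPUT ... -j LOG", with or without a leading [pkts:bytes] counter,
        # and only when the rule has no limit match yet
        /^(\[[0-9]+:[0-9]+\] )?-A OUTPUT( |$)/ && / -j LOG( |$)/ && !/ -m limit / {
            sub(/ -j LOG/, " -m limit --limit " limit " -j LOG")
        }
        { print }
    '
}

# Constructed sample in iptables-save -c format (not taken from the thread)
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[10:600] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[900:47700] -A OUTPUT -j LOG --log-prefix "OUT: "
[5:300] -A OUTPUT -m limit --limit 2/min -j LOG --log-prefix "already limited "
[7:420] -A INPUT -j LOG
COMMIT
EOF
}

# Needs root; defined here but not called by the demo below.
apply_to_live_firewall() {
    tmp_in=$(mktemp) && tmp_out=$(mktemp) || return 1
    iptables-save -c > "$tmp_in" &&
    rate_limit_log_rules < "$tmp_in" > "$tmp_out" &&
    iptables-restore -c --test < "$tmp_out" &&   # parse only, nothing committed
    iptables-restore -c < "$tmp_out"
    rc=$?
    rm -f "$tmp_in" "$tmp_out"
    return $rc
}

# Demo on the sample: only the unlimited OUTPUT LOG rule changes
sample_rules | rate_limit_log_rules
```

Rules loaded this way live only in the running kernel; a firewall manager that regenerates the ruleset will replace them on its next reload.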
-
02-09-2014, 11:15 AM #5 Newbie (Join Date: Feb 2014, Posts: 18)
By the way, if you want to learn more about using IPTables to secure your server, I recently wrote up a detailed HOW-TO. It was written for an Asterisk server; however, all instructions can be applied to any Linux server except for that one section on Asterisk. Link to my tutorial:
https://blog.ls20.com/securing-your-...with-iptables/
I hope you will find it helpful!
-
02-10-2014, 12:59 PM #6 Web Hosting Guru (Join Date: Apr 2010, Posts: 270)
I found that CSF is causing this issue.
I've disabled csf for a few minutes and the messages have stopped.
Thank God
-
02-10-2014, 03:28 PM #7 WHT Addict (Join Date: Jan 2014, Posts: 159)
CSF is a good firewall. I don't recommend disabling it. It seems you may have incorrect rules in your configuration. Please try reinstalling csf which should fix your issue.