SSH console kernel messages
-
- Posts: 4
- Joined: 2019/04/08 14:07:36
I'm using CentOS 6, and the SSH console is flooded with kernel messages:
Message from syslogd@server at Apr 8 16:42:00 ...
kernel:[545536.542131] nf_ct_ftp: dropping packetIN= OUT=eth0 SRC=..... DST=..... LEN=65 TOS=0x10 PREC=0x00 TTL=64 ID=65256 DF PROTO=TCP SPT=21 DPT=49012 SEQ=3506371794 ACK=2873199576 WINDOW=14600 RES=0x00 ACK PSH FIN URGP=0 OPT (0101050AAB418BD7AB418BD8)
Message from syslogd@server at Apr 8 16:42:01 ...
kernel:[545537.048406] nf_ct_ftp: dropping packetIN= OUT=eth0 SRC=...... DST=..... LEN=53 TOS=0x10 PREC=0x00 TTL=64 ID=65257 DF PROTO=TCP SPT=21 DPT=49012 SEQ=3506371794 ACK=2873199576 WINDOW=14600 RES=0x00 ACK PSH FIN URGP=0
What is it and how do I make it stop?
Thanks in advance for your help.
Re: SSH console kernel messages
They're not ssh messages. In fact they're not even anything to do with ssh.
They are iptables log rules. You have your system set up with a set of iptables firewall rules and one (or more) is set to log when they match. Run iptables-save and look for -j LOG lines and review those to see which are required.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: SSH console kernel messages
Could it be these iptables rules?
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 10/min -j LOG --log-prefix "DROP: " --log-level 7
-A LOGGING -j DROP
Re: SSH console kernel messages
Well, maybe. From the "nf_ct_ftp:" in each of the examples you gave, I would expect there to be a line which does something similar but includes --log-prefix "nf_ct_ftp: ". But, yes, those are iptables log lines and someone has deliberately created a rule that logs those. Either they want them or they didn't realise how much output it might create!
Re: SSH console kernel messages
That looks like an outgoing packet that is probably a reply from ftp server on this machine to some remote ftp client.
Outgoing packets do not visit the INPUT chain.
Re: SSH console kernel messages
TrevorH wrote: ↑2019/04/10 16:13:15
Well, maybe. From the "nf_ct_ftp:" in each of the examples you gave, I would expect there to be a line which does something similar but includes --log-prefix "nf_ct_ftp: ". But, yes, those are iptables log lines and someone has deliberately created a rule that logs those. Either they want them or they didn't realise how much output it might create!
I checked the iptables config and there isn't any line that includes "nf_ct_ftp:"....
I did some more research and I found this explanation:
https://loginroot.com/wp/getting-rid-of ... -messages/
Could this be a possible solution?
I also checked /etc/rsyslog.conf
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
kern.debug /var/log/iptables
kern.* -/var/log/kern.log
Re: SSH console kernel messages
Post the output from iptables-save
Re: SSH console kernel messages
# Generated by iptables-save v1.4.7 on Wed May 29 10:56:39 2019
*nat
:PREROUTING ACCEPT [4449115:293465242]
:POSTROUTING ACCEPT [1793125:125653840]
:OUTPUT ACCEPT [1793125:125653840]
COMMIT
# Completed on Wed May 29 10:56:39 2019
# Generated by iptables-save v1.4.7 on Wed May 29 10:56:39 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [272849:423718602]
:LOGGING - [0:0]
:acctboth - [0:0]
:cpanel-dovecot-solr - [0:0]
:cphulk - [0:0]
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 2083 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 2087 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j cphulk
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1167 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p udp -m udp --dport 44120:44139 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m multiport --dports 22,2083,2087,3306,2096 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m multiport --dports 22,2083,2087,3306,2096 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m multiport --dports 22,2083,2087,3306,2096 -j ACCEPT
-A INPUT -d 127.0.0.1/32 -p tcp -j ACCEPT
-A INPUT -j LOGGING
-A OUTPUT -j cpanel-dovecot-solr
-A LOGGING -m limit --limit 10/min -j LOG --log-prefix "DROP: " --log-level 7
-A LOGGING -j DROP
-A acctboth -s x.x.x.x/32 ! -i lo -p tcp -m tcp --dport 80
-A acctboth -d x.x.x.x/32 ! -i lo -p tcp -m tcp --sport 80
-A acctboth -s x.x.x.x/32 ! -i lo -p tcp -m tcp --dport 25
-A acctboth -d x.x.x.x/32 ! -i lo -p tcp -m tcp --sport 25
-A acctboth -s x.x.x.x/32 ! -i lo -p tcp -m tcp --dport 110
-A acctboth -d x.x.x.x/32 ! -i lo -p tcp -m tcp --sport 110
-A acctboth -s x.x.x.x/32 ! -i lo -p tcp -m tcp --dport 143
-A acctboth -d x.x.x.x/32 ! -i lo -p tcp -m tcp --sport 143
-A acctboth -s x.x.x.x/32 ! -i lo -p icmp
-A acctboth -d x.x.x.x/32 ! -i lo -p icmp
-A acctboth -s x.x.x.x/32 ! -i lo -p tcp
-A acctboth -d x.x.x.x/32 ! -i lo -p tcp
-A acctboth -s x.x.x.x/32 ! -i lo -p udp
-A acctboth -d x.x.x.x/32 ! -i lo -p udp
-A acctboth -s x.x.x.x/32 ! -i lo
-A acctboth -d x.x.x.x/32 ! -i lo
-A acctboth -s x.x.x.x/32 ! -i lo -p tcp -m tcp --dport 80
-A acctboth -d x.x.x.x/32 ! -i lo -p tcp -m tcp --sport 80
-A acctboth -s x.x.x.x/32 ! -i lo -p tcp -m tcp --dport 25
-A acctboth -d x.x.x.x/32 ! -i lo -p tcp -m tcp --sport 25
-A acctboth -s x.x.x.x/32 ! -i lo -p tcp -m tcp --dport 110
-A acctboth -d x.x.x.x/32 ! -i lo -p tcp -m tcp --sport 110
-A acctboth -s x.x.x.x/32 ! -i lo -p icmp
-A acctboth -d x.x.x.x/32 ! -i lo -p icmp
-A acctboth -s x.x.x.x/32 ! -i lo -p tcp
-A acctboth -d x.x.x.x/32 ! -i lo -p tcp
-A acctboth -s x.x.x.x/32 ! -i lo -p udp
-A acctboth -d x.x.x.x/32 ! -i lo -p udp
-A acctboth -s x.x.x.x/32 ! -i lo
-A acctboth -d x.x.x.x/32 ! -i lo
-A acctboth ! -i lo
-A cpanel-dovecot-solr -p tcp -m multiport --sports 8984,7984 -m owner --uid-owner cpanelsolr -j ACCEPT
-A cpanel-dovecot-solr -p tcp -m multiport --sports 8984,7984 -m owner --uid-owner root -j ACCEPT
-A cpanel-dovecot-solr -p tcp -m multiport --sports 8984,7984 -j REJECT --reject-with icmp-port-unreachable
-A cphulk -s x.x.x.x/32 -m state --state NEW -m time --datestop 2019-05-29T13:45:48 --utc -j DROP
-A cphulk -s x.x.x.x/32 -m state --state NEW -m time --datestop 2019-05-29T14:20:24 --utc -j DROP
-A cphulk -s x.x.x.x/32 -m state --state NEW -m time --datestop 2019-05-29T16:34:52 --utc -j DROP
-A cphulk -s x.x.x.x/32 -m state --state NEW -m time --datestop 2019-05-30T00:14:39 --utc -j DROP
-A cphulk -s x.x.x.x/32 -m state --state NEW -m time --datestop 2019-05-30T07:09:57 --utc -j DROP
COMMIT
# Completed on Wed May 29 10:56:39 2019
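An added example, not part of any post in this thread: the two checks suggested above (look for `-j LOG` rules and their `--log-prefix`, and note which built-in chain the logged packet actually traverses) applied to an `iptables-save` dump and one log line. The function names are hypothetical and the sample data is a constructed subset of what was posted; an empty result means no LOG rule in the dump accounts for the line.

```python
import re
import shlex

# Constructed sample: the LOG-relevant subset of the iptables-save dump above.
RULES = '''*filter
:LOGGING - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOGGING
-A OUTPUT -j cpanel-dovecot-solr
-A LOGGING -m limit --limit 10/min -j LOG --log-prefix "DROP: " --log-level 7
-A LOGGING -j DROP'''
# Log line from the first post, shortened; addresses are elided there too.
LINE = ('kernel:[545536.542131] nf_ct_ftp: dropping packetIN= OUT=eth0 '
        'SRC=..... DST=..... LEN=65 PROTO=TCP SPT=21 DPT=49012')

def log_rules(dump):
    """Return (jumps, logs): chain -> targets it jumps to, and (chain, prefix) per LOG rule."""
    jumps, logs = {}, []
    for raw in dump.splitlines():
        tok = shlex.split(raw) if raw.startswith('-A ') else []
        if '-j' not in tok:          # headers, and accounting rules that have no target
            continue
        chain, target = tok[1], tok[tok.index('-j') + 1]
        if target == 'LOG':
            prefix = tok[tok.index('--log-prefix') + 1] if '--log-prefix' in tok else ''
            logs.append((chain, prefix))
        else:
            jumps.setdefault(chain, set()).add(target)
    return jumps, logs

def direction(line):
    """Built-in chain implied by the IN=/OUT= fields of a netfilter log line."""
    m = re.search(r'IN=(\S*) OUT=(\S*)', line)
    if not m:
        return None
    inif, outif = m.groups()
    return 'FORWARD' if inif and outif else 'OUTPUT' if outif else 'INPUT'

def explain(dump, line):
    """LOG rules on the packet's path whose prefix starts the logged message."""
    jumps, logs = log_rules(dump)
    seen, todo = set(), [direction(line)]
    while todo:                      # follow -j jumps (terminal targets are harmless extras)
        chain = todo.pop()
        if chain not in seen:
            seen.add(chain)
            todo.extend(jumps.get(chain, ()))
    msg = line.split('] ', 1)[-1]    # text after the kernel timestamp
    return [(c, p) for c, p in logs if c in seen and msg.startswith(p)]
```

On the host, pass the real `iptables-save` output and a line copied from the console in place of `RULES` and `LINE`.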