Huge amount of tracking Hit

Neutrall
Junior Member
Posts: 6
Joined: 12 Aug 2014, 15:18
Location: Canada

Post by Neutrall »

I'm currently having a huge amount of port tracking hits on one server. Sample hit message:

Sample of port hits:
Aug 12 08:12:49 web17 kernel: [1806705.123486] Firewall: *TCP_OUT Blocked* IN= OUT=eth3 SRC=174.142.183.40 DST=69.46.36.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=19088 DF PROTO=TCP SPT=50260 DPT=9050 WINDOW=14600 RES=0x00 SYN URGP=0 UID=568 GID=565
Aug 12 08:12:51 web17 kernel: [1806707.557155] Firewall: *TCP_OUT Blocked* IN= OUT=eth3 SRC=174.142.183.40 DST=69.46.36.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21432 DF PROTO=TCP SPT=50265 DPT=9050 WINDOW=14600 RES=0x00 SYN URGP=0 UID=568 GID=565
Aug 12 08:12:53 web17 kernel: [1806709.715005] Firewall: *TCP_OUT Blocked* IN= OUT=eth3 SRC=174.142.183.40 DST=69.46.36.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46839 DF PROTO=TCP SPT=50268 DPT=9050 WINDOW=14600 RES=0x00 SYN URGP=0 UID=568 GID=565
Aug 12 08:12:56 web17 kernel: [1806712.814366] Firewall: *TCP_OUT Blocked* IN= OUT=eth3 SRC=174.142.183.40 DST=69.46.36.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63289 DF PROTO=TCP SPT=50274 DPT=9050 WINDOW=14600 RES=0x00 SYN URGP=0 UID=568 GID=565
Aug 12 08:12:58 web17 kernel: [1806714.962974] Firewall: *TCP_OUT Blocked* IN= OUT=eth3 SRC=174.142.183.40 DST=69.46.36.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58868 DF PROTO=TCP SPT=50281 DPT=9050 WINDOW=14600 RES=0x00 SYN URGP=0 UID=568 GID=565
Aug 12 08:13:01 web17 kernel: [1806717.807515] Firewall: *TCP_OUT Blocked* IN= OUT=eth3 SRC=174.142.183.40 DST=69.46.36.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35205 DF PROTO=TCP SPT=50282 DPT=9050 WINDOW=14600 RES=0x00 SYN URGP=0 UID=568 GID=565
Aug 12 08:13:04 web17 kernel: [1806720.614834] Firewall: *TCP_OUT Blocked* IN= OUT=eth3 SRC=174.142.183.40 DST=69.46.36.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54717 DF PROTO=TCP SPT=50287 DPT=9050 WINDOW=14600 RES=0x00 SYN URGP=0 UID=568 GID=565
Aug 12 08:13:07 web17 kernel: [1806723.168327] Firewall: *TCP_OUT Blocked* IN= OUT=eth3 SRC=174.142.183.40 DST=69.46.36.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18195 DF PROTO=TCP SPT=50293 DPT=9050 WINDOW=14600 RES=0x00 SYN URGP=0 UID=568 GID=565
Aug 12 08:13:10 web17 kernel: [1806726.969762] Firewall: *TCP_OUT Blocked* IN= OUT=eth3 SRC=174.142.183.40 DST=69.46.36.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37088 DF PROTO=TCP SPT=50302 DPT=9050 WINDOW=14600 RES=0x00 SYN URGP=0 UID=568 GID=565
Aug 12 08:13:13 web17 kernel: [1806729.550216] Firewall: *TCP_OUT Blocked* IN= OUT=eth3 SRC=174.142.183.40 DST=69.46.36.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39901 DF PROTO=TCP SPT=50308 DPT=9050 WINDOW=14600 RES=0x00 SYN URGP=0 UID=568 GID=565
Aug 12 08:13:15 web17 kernel: [1806731.855894] Firewall: *TCP_OUT Blocked* IN= OUT=eth3 SRC=174.142.183.40 DST=69.46.36.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48546 DF PROTO=TCP SPT=50312 DPT=9050 WINDOW=14600 RES=0x00 SYN URGP=0 UID=568 GID=565

Does anyone know how I could stop those tracking hits and resolve the issue?

postcd
Junior Member
Posts: 48
Joined: 15 May 2014, 17:10

Re: Huge amount of tracking Hit

Post by postcd »

CSF, please edit this email subject so we know what kind of tracking hit. It is not clear which CSF setting controls these emails. If it's clear to someone, please share.

Sergio
Junior Member
Posts: 1714
Joined: 12 Dec 2006, 14:56

Re: Huge amount of tracking Hit

Post by Sergio »

*TCP_OUT Blocked* means that the port 9050 is not set in TCP/OUT.
So, the IP SRC is trying to connect to your server on that port.

If you don't have anything on that port, it means that the SRC IP is trying to check what ports are open in your firewall; CSF is doing its work reporting the IP that is trying to access that closed port.

If you don't want this to appear, you can add the offending port to DROP_NOLOG.
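
As an added example (not code from this thread or from CSF), the script below parses the netfilter LOG fields in lines like those posted above and tallies blocked packets by direction, owning UID, remote address and destination port. The first three sample lines are copied from the first post; the fourth is a constructed inbound line using documentation addresses, and the function names are this example's own.

```python
import re
from collections import Counter

# First three lines are copied from the post above; the fourth is a constructed
# inbound block (documentation addresses) added for contrast.
SAMPLE = """\
Aug 12 08:12:49 web17 kernel: [1806705.123486] Firewall: *TCP_OUT Blocked* IN= OUT=eth3 SRC=174.142.183.40 DST=69.46.36.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=19088 DF PROTO=TCP SPT=50260 DPT=9050 WINDOW=14600 RES=0x00 SYN URGP=0 UID=568 GID=565
Aug 12 08:12:51 web17 kernel: [1806707.557155] Firewall: *TCP_OUT Blocked* IN= OUT=eth3 SRC=174.142.183.40 DST=69.46.36.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21432 DF PROTO=TCP SPT=50265 DPT=9050 WINDOW=14600 RES=0x00 SYN URGP=0 UID=568 GID=565
Aug 12 08:12:53 web17 kernel: [1806709.715005] Firewall: *TCP_OUT Blocked* IN= OUT=eth3 SRC=174.142.183.40 DST=69.46.36.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46839 DF PROTO=TCP SPT=50268 DPT=9050 WINDOW=14600 RES=0x00 SYN URGP=0 UID=568 GID=565
Aug 12 08:14:02 web17 kernel: [1806778.000001] Firewall: *TCP_IN Blocked* IN=eth3 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
"""

LINE = re.compile(r"Firewall: \*(?P<tag>[^*]+)\* (?P<fields>.*)$")

def parse(line):
    """Return a dict of the netfilter LOG fields, or None for unrelated lines."""
    m = LINE.search(line)
    if not m:
        return None
    rec = {"tag": m["tag"]}
    for token in m["fields"].split():
        key, sep, value = token.partition("=")
        rec[key] = value if sep else True  # bare flags such as SYN, DF
    # Empty IN= with OUT= set: generated on this host (outbound).
    # Empty OUT= with IN= set: arrived from the network (inbound).
    if rec.get("OUT") and not rec.get("IN"):
        rec["direction"] = "outbound"
    elif rec.get("IN") and not rec.get("OUT"):
        rec["direction"] = "inbound"
    else:
        rec["direction"] = "other"
    return rec

def summarize(text):
    """Count blocked packets per (direction, local UID, remote address, port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        remote = rec.get("DST") if rec["direction"] == "outbound" else rec.get("SRC")
        # UID= appears only for locally generated packets (LOG --log-uid).
        key = (rec["direction"], rec.get("UID", "-"), remote, int(rec.get("DPT", 0)))
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for (direction, uid, remote, port), n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  {direction:8s} uid={uid:<5} remote={remote} dport={port}")
```

Run over the posted lines, every entry falls into a single group: outbound, UID 568, remote 69.46.36.10, port 9050, so the account that owns UID 568 is where to look for the process generating the connections.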