
lfd on server.xxxxxx: UID 25 (named) Tracking Hit

Posted: 17 Apr 2014, 02:05
by debug
Hello,

I have been getting the following email many times since a blocked hacking attempt from almost the same IP. What is the meaning of this message? How do I get rid of the message?

202.0.0.0/8 is blocked by CSF.

Sample of port hits:
Apr 16 20:08:03 server kernel: [11322599.068185] Firewall: *UDP_OUT Blocked* IN=
OUT=venet0 SRC=xxx.xx.xxx.xxx DST=202.137.3.120 LEN=73 TOS=0x00 PREC=0x00 TTL=64
ID=51303 PROTO=UDP SPT=56728 DPT=53 LEN=53 UID=25 GID=25
Apr 16 20:08:03 server kernel: [11322599.068241] Firewall: *UDP_OUT Blocked* IN=
OUT=venet0 SRC=xxx.xx.xxx.xxx DST=202.12.28.140 LEN=72 TOS=0x00 PREC=0x00 TTL=64
ID=49082 PROTO=UDP SPT=34758 DPT=53 LEN=52 UID=25 GID=25
Apr 16 20:08:03 server kernel: [11322599.068376] Firewall: *UDP_OUT Blocked* IN=
OUT=venet0 SRC=xxx.xx.xxx.xxx DST=202.12.28.140 LEN=72 TOS=0x00 PREC=0x00 TTL=64
ID=49083 PROTO=UDP SPT=23020 DPT=53 LEN=52 UID=25 GID=25
Apr 16 20:08:03 server kernel: [11322599.068482] Firewall: *UDP_OUT Blocked* IN=
OUT=venet0 SRC=xxx.xx.xxx.xxx DST=202.137.3.121 LEN=73 TOS=0x00 PREC=0x00 TTL=64
ID=55135 PROTO=UDP SPT=9133 DPT=53 LEN=53 UID=25 GID=25
Apr 16 20:08:03 server kernel: [11322599.075113] Firewall: *UDP_OUT Blocked* IN=
OUT=venet0 SRC=xxx.xx.xxx.xxx DST=202.137.3.120 LEN=73 TOS=0x00 PREC=0x00 TTL=64
ID=51304 PROTO=UDP SPT=51957 DPT=53 LEN=53 UID=25 GID=25
Apr 16 20:08:05 server kernel: [11322601.069017] Firewall: *UDP_OUT Blocked* IN=
OUT=venet0 SRC=xxx.xx.xxx.xxx DST=202.159.32.2 LEN=72 TOS=0x00 PREC=0x00 TTL=64
ID=55450 PROTO=UDP SPT=62237 DPT=53 LEN=52 UID=25 GID=25
Apr 16 20:08:07 server kernel: [11322603.139137] Firewall: *UDP_OUT Blocked* IN=
OUT=venet0 SRC=xxx.xx.xxx.xxx DST=202.159.32.2 LEN=73 TOS=0x00 PREC=0x00 TTL=64
ID=55452 PROTO=UDP SPT=7006 DPT=53 LEN=53 UID=25 GID=25
Apr 16 20:08:07 server kernel: [11322603.139438] Firewall: *UDP_OUT Blocked* IN=
OUT=venet0 SRC=xxx.xx.xxx.xxx DST=202.154.1.2 LEN=73 TOS=0x00 PREC=0x00 TTL=64
ID=21753 PROTO=UDP SPT=37713 DPT=53 LEN=53 UID=25 GID=25
Apr 16 20:08:07 server kernel: [11322603.139601] Firewall: *UDP_OUT Blocked* IN=
OUT=venet0 SRC=xxx.xx.xxx.xxx DST=202.158.40.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64
ID=854 PROTO=UDP SPT=32884 DPT=53 LEN=53 UID=25 GID=25
Apr 16 20:08:07 server kernel: [11322603.139709] Firewall: *UDP_OUT Blocked* IN=
OUT=venet0 SRC=xxx.xx.xxx.xxx DST=202.159.32.2 LEN=73 TOS=0x00 PREC=0x00 TTL=64
ID=55453 PROTO=UDP SPT=25512 DPT=53 LEN=53 UID=25 GID=25
Apr 16 20:08:07 server kernel: [11322603.139862] Firewall: *UDP_OUT Blocked* IN=
OUT=venet0 SRC=xxx.xx.xxx.xxx DST=202.154.1.2 LEN=73 TOS=0x00 PREC=0x00 TTL=64
ID=21754 PROTO=UDP SPT=48773 DPT=53 LEN=53 UID=25 GID=25

Re: lfd on server.xxxxxx: UID 25 (named) Tracking Hit

Posted: 04 Mar 2015, 13:21
by postcd
To which CSF setting does this Tracking hit refer?

Re: lfd on server.xxxxxx: UID 25 (named) Tracking Hit

Posted: 05 Mar 2015, 16:23
by Sergio
*UDP_OUT Blocked*
means that you don't have that port opened in your UDP_OUT settings and any attempt to connect to that port will be reported.
SPT, source port = 56728
DPT, destination port = UDP OUT 53

If you don't want this to be reported you can add port 53 to DROP_NOLOG.
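
Added example, not part of the original posts: a Python sketch that rejoins log entries wrapped as in the first post, parses their KEY=value fields, and counts blocked packets per label, UID, protocol and destination port, so the UID 25 (named, per the subject line) hits to DPT 53 stand out from anything else being blocked. The sample lines are constructed with documentation-range addresses, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, wrapped as in the first post; addresses are documentation ranges.
SAMPLE = """\
Apr 16 20:08:03 server kernel: [100.000001] Firewall: *UDP_OUT Blocked* IN=
OUT=venet0 SRC=192.0.2.10 DST=198.51.100.7 LEN=73 TOS=0x00 PREC=0x00 TTL=64
ID=51303 PROTO=UDP SPT=56728 DPT=53 LEN=53 UID=25 GID=25
Apr 16 20:08:03 server kernel: [100.000002] Firewall: *UDP_OUT Blocked* IN=
OUT=venet0 SRC=192.0.2.10 DST=198.51.100.8 LEN=72 TOS=0x00 PREC=0x00 TTL=64
ID=49082 PROTO=UDP SPT=34758 DPT=53 LEN=52 UID=25 GID=25
Apr 16 20:08:05 server kernel: [102.000001] Firewall: *UDP_OUT Blocked* IN=
OUT=venet0 SRC=192.0.2.10 DST=198.51.100.9 LEN=76 TOS=0x00 PREC=0x00 TTL=64
ID=7001 PROTO=UDP SPT=40000 DPT=123 LEN=56 UID=0 GID=0
"""

ENTRY_START = re.compile(r"^[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\s")
LABEL_RE = re.compile(r"Firewall: \*(\S+) Blocked\*")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def unwrap(text):
    """Rejoin log entries that were wrapped across several lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)      # a timestamp starts a new entry
        else:
            entries[-1] += " " + line  # continuation of the previous entry
    return entries

def parse(entry):
    """Return the KEY=value fields of one firewall entry, or None."""
    label = LABEL_RE.search(entry)
    if not label:
        return None
    fields = {"LABEL": label.group(1)}
    for key, value in FIELD.findall(entry):
        fields.setdefault(key, value)  # keep the first LEN (IP), not the UDP one
    return fields

def summarize(text):
    """Count blocked packets per (label, UID, protocol, destination port)."""
    hits = Counter()
    for f in filter(None, map(parse, unwrap(text))):
        hits[(f["LABEL"], f.get("UID"), f.get("PROTO"), f.get("DPT"))] += 1
    return hits
```

`summarize(SAMPLE).most_common()` lists the busiest combination first, which shows whether one port or several would need attention.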

Re: lfd on server.xxxxxx: UID 25 (named) Tracking Hit

Posted: 05 Mar 2015, 16:26
by postcd
Thank you for the helpful advice.