tons of errors in syslog

Posted: 29 Dec 2014, 08:51
by hetzbh
Hi,

In the last month or so, my /var/log/messages has become flooded with errors like this:

Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=04:01:07:8a:00:01:00:24:38:ab:b6:00:08:00 SRC=117.41.166.216 DST=82.196.0.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=105 ID=256 PROTO=TCP SPT=6000 DPT=9200 WINDOW=16384 RES=0x00 SYN URGP=0 
Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=04:01:07:8a:00:01:00:24:38:ab:b6:00:08:00 SRC=61.160.224.129 DST=82.196.0.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54321 PROTO=TCP SPT=35352 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0 
Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=04:01:07:8a:00:01:00:24:38:ab:55:00:08:00 SRC=221.194.44.172 DST=82.196.0.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=102 ID=256 PROTO=TCP SPT=6000 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0 
Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=04:01:07:8a:00:01:00:24:38:ab:b6:00:08:00 SRC=218.2.0.129 DST=82.196.0.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=256 PROTO=TCP SPT=6000 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 
Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=04:01:07:8a:00:01:00:24:38:ab:b6:00:08:00 SRC=78.96.82.4 DST=82.196.0.XXX LEN=76 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=53 DPT=42047 LEN=56 
Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=04:01:07:8a:00:01:00:24:38:ab:b6:00:08:00 SRC=218.77.79.38 DST=82.196.0.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54321 PROTO=TCP SPT=59851 DPT=8081 WINDOW=65535 RES=0x00 SYN URGP=0 

The firewall is enabled, but it writes every damn try to check a non-opened port or even ping.

Where can I disable it? (I just want to know if someone connects to SSH/SFTP).

My CSF config file is here: http://hetz.me/obp1x

Thanks

Re: tons of errors in syslog

Posted: 01 Jan 2015, 09:45
by ForumAdmin
The logging is down to the setting DROP_LOGGING, which you can disable, but you will lose the Port Scan Tracking feature. It would be better for you to reconfigure your rsyslogd daemon to route those logs to a different log file if you do not want them in messages and update the csf configuration to use that log file instead.
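
The rerouting suggested in the reply above, as an added example that is not from either poster or from the csf project. It assumes rsyslog v7 or later (RainerScript syntax); the drop-in file name and the path /var/log/csf-firewall.log are placeholders chosen here, and the "Firewall: " prefix is taken from the log lines in the first post.

```conf
# --- /etc/rsyslog.d/10-csf-firewall.conf (assumed drop-in name) ---
# The iptables LOG lines arrive on the kern facility and carry the
# "Firewall: " prefix seen in the first post. Write them to their own
# file, then stop processing so that later rules never copy them into
# /var/log/messages.
if $syslogfacility-text == 'kern' and $msg contains 'Firewall: ' then {
    action(type="omfile" file="/var/log/csf-firewall.log")   # assumed path
    stop
}

# --- /etc/csf/csf.conf ---
# Leave drop logging on so Port Scan Tracking still has entries to read.
DROP_LOGGING = "1"
# Point csf/lfd at the file rsyslog now writes (same assumed path as above).
IPTABLES_LOG = "/var/log/csf-firewall.log"
```

Restart rsyslog first, then run `csf -ra` so csf and lfd pick up the new path. Add the new file to logrotate so it does not grow unbounded.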