SSH console kernel messages

maurobonassin
Posts: 4
Joined: 2019/04/08 14:07:36

SSH console kernel messages

Post by maurobonassin » 2019/04/08 15:39:23

I'm using CentOS 6, and the SSH console is flooded with kernel messages:

Message from syslogd@server at Apr 8 16:42:00 ...
kernel:[545536.542131] nf_ct_ftp: dropping packetIN= OUT=eth0 SRC=..... DST=..... LEN=65 TOS=0x10 PREC=0x00 TTL=64 ID=65256 DF PROTO=TCP SPT=21 DPT=49012 SEQ=3506371794 ACK=2873199576 WINDOW=14600 RES=0x00 ACK PSH FIN URGP=0 OPT (0101050AAB418BD7AB418BD8)

Message from syslogd@server at Apr 8 16:42:01 ...
kernel:[545537.048406] nf_ct_ftp: dropping packetIN= OUT=eth0 SRC=...... DST=..... LEN=53 TOS=0x10 PREC=0x00 TTL=64 ID=65257 DF PROTO=TCP SPT=21 DPT=49012 SEQ=3506371794 ACK=2873199576 WINDOW=14600 RES=0x00 ACK PSH FIN URGP=0

What is it and how do I make it stop?
Thanks in advance for your help.

TrevorH
Forum Moderator
Posts: 25833
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SSH console kernel messages

Post by TrevorH » 2019/04/08 15:58:48

They're not ssh messages. In fact they're not even anything to do with ssh.

They are iptables log rules. You have your system set up with a set of iptables firewall rules and one (or more) is set to log when they match. Run iptables-save and look for -j LOG lines and review those to see which are required.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

maurobonassin
Posts: 4
Joined: 2019/04/08 14:07:36

Re: SSH console kernel messages

Post by maurobonassin » 2019/04/10 15:45:59

Could it be these iptables rules?

-A INPUT -j LOGGING
-A LOGGING -m limit --limit 10/min -j LOG --log-prefix "DROP: " --log-level 7
-A LOGGING -j DROP

TrevorH
Forum Moderator
Posts: 25833
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SSH console kernel messages

Post by TrevorH » 2019/04/10 16:13:15

Well, maybe. From the "nf_ct_ftp:" in each of the examples you gave, I would expect there to be a line which does something similar but includes --log-prefix "nf_ct_ftp: ". But, yes, those are iptables log lines and someone has deliberately created a rule that logs those. Either they want them or they didn't realise how much output it might create!

jlehtone
Posts: 2173
Joined: 2007/12/11 08:17:33
Location: Finland

Re: SSH console kernel messages

Post by jlehtone » 2019/04/11 15:09:23

maurobonassin wrote:
2019/04/08 15:39:23
IN= OUT=eth0 PROTO=TCP SPT=21 DPT=49012
That looks like an outgoing packet that is probably a reply from ftp server on this machine to some remote ftp client.

Outgoing packets do not visit the INPUT chain.

maurobonassin
Posts: 4
Joined: 2019/04/08 14:07:36

Re: SSH console kernel messages

Post by maurobonassin » 2019/05/29 07:29:01

TrevorH wrote:
2019/04/10 16:13:15
Well, maybe. From the "nf_ct_ftp:" in each of the examples you gave, I would expect there to be a line which does something similar but includes --log-prefix "nf_ct_ftp: ". But, yes, those are iptables log lines and someone has deliberately created a rule that logs those. Either they want them or they didn't realise how much output it might create!
I checked the iptables config and there isn't any line that includes "nf_ct_ftp:"....
I did some more research and I found this explanation:
https://loginroot.com/wp/getting-rid-of ... -messages/
Could this be a possible solution?

I also checked /etc/rsyslog.conf
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####

Code:

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
kern.debug                                              /var/log/iptables
The line kern.debug, I think, is not set by default; the standard is
kern.* -/var/log/kern.log

TrevorH
Forum Moderator
Posts: 25833
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SSH console kernel messages

Post by TrevorH » 2019/05/29 08:32:52

Post the output from iptables-save

maurobonassin
Posts: 4
Joined: 2019/04/08 14:07:36

Re: SSH console kernel messages

Post by maurobonassin » 2019/05/29 09:02:08

TrevorH wrote:
2019/05/29 08:32:52
Post the output from iptables-save

Code:

# Generated by iptables-save v1.4.7 on Wed May 29 10:56:39 2019
*nat
:PREROUTING ACCEPT [4449115:293465242]
:POSTROUTING ACCEPT [1793125:125653840]
:OUTPUT ACCEPT [1793125:125653840]
COMMIT
# Completed on Wed May 29 10:56:39 2019
# Generated by iptables-save v1.4.7 on Wed May 29 10:56:39 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [272849:423718602]
:LOGGING - [0:0]
:acctboth - [0:0]
:cpanel-dovecot-solr - [0:0]
:cphulk - [0:0]
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 2083 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 2087 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j cphulk
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1167 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p udp -m udp --dport 44120:44139 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m multiport --dports 22,2083,2087,3306,2096 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m multiport --dports 22,2083,2087,3306,2096 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m multiport --dports 22,2083,2087,3306,2096 -j ACCEPT
-A INPUT -d 127.0.0.1/32 -p tcp -j ACCEPT
-A INPUT -j LOGGING
-A OUTPUT -j cpanel-dovecot-solr
-A LOGGING -m limit --limit 10/min -j LOG --log-prefix "DROP: " --log-level 7
-A LOGGING -j DROP
-A acctboth -s x.x.x.x/32 ! -i lo -p tcp -m tcp --dport 80
-A acctboth -d x.x.x.x/32 ! -i lo -p tcp -m tcp --sport 80
-A acctboth -s x.x.x.x/32 ! -i lo -p tcp -m tcp --dport 25
-A acctboth -d x.x.x.x/32 ! -i lo -p tcp -m tcp --sport 25
-A acctboth -s x.x.x.x/32 ! -i lo -p tcp -m tcp --dport 110
-A acctboth -d x.x.x.x/32 ! -i lo -p tcp -m tcp --sport 110
-A acctboth -s x.x.x.x/32 ! -i lo -p tcp -m tcp --dport 143
-A acctboth -d x.x.x.x/32 ! -i lo -p tcp -m tcp --sport 143
-A acctboth -s x.x.x.x/32 ! -i lo -p icmp
-A acctboth -d x.x.x.x/32 ! -i lo -p icmp
-A acctboth -s x.x.x.x/32 ! -i lo -p tcp
-A acctboth -d x.x.x.x/32 ! -i lo -p tcp
-A acctboth -s x.x.x.x/32 ! -i lo -p udp
-A acctboth -d x.x.x.x/32 ! -i lo -p udp
-A acctboth -s x.x.x.x/32 ! -i lo
-A acctboth -d x.x.x.x/32 ! -i lo
-A acctboth -s x.x.x.x/32 ! -i lo -p tcp -m tcp --dport 80
-A acctboth -d x.x.x.x/32 ! -i lo -p tcp -m tcp --sport 80
-A acctboth -s x.x.x.x/32 ! -i lo -p tcp -m tcp --dport 25
-A acctboth -d x.x.x.x/32 ! -i lo -p tcp -m tcp --sport 25
-A acctboth -s x.x.x.x/32 ! -i lo -p tcp -m tcp --dport 110
-A acctboth -d x.x.x.x/32 ! -i lo -p tcp -m tcp --sport 110
-A acctboth -s x.x.x.x/32 ! -i lo -p icmp
-A acctboth -d x.x.x.x/32 ! -i lo -p icmp
-A acctboth -s x.x.x.x/32 ! -i lo -p tcp
-A acctboth -d x.x.x.x/32 ! -i lo -p tcp
-A acctboth -s x.x.x.x/32 ! -i lo -p udp
-A acctboth -d x.x.x.x/32 ! -i lo -p udp
-A acctboth -s x.x.x.x/32 ! -i lo
-A acctboth -d x.x.x.x/32 ! -i lo
-A acctboth ! -i lo
-A cpanel-dovecot-solr -p tcp -m multiport --sports 8984,7984 -m owner --uid-owner cpanelsolr -j ACCEPT
-A cpanel-dovecot-solr -p tcp -m multiport --sports 8984,7984 -m owner --uid-owner root -j ACCEPT
-A cpanel-dovecot-solr -p tcp -m multiport --sports 8984,7984 -j REJECT --reject-with icmp-port-unreachable
-A cphulk -s x.x.x.x/32 -m state --state NEW -m time --datestop 2019-05-29T13:45:48 --utc -j DROP
-A cphulk -s x.x.x.x/32 -m state --state NEW -m time --datestop 2019-05-29T14:20:24 --utc -j DROP
-A cphulk -s x.x.x.x/32 -m state --state NEW -m time --datestop 2019-05-29T16:34:52 --utc -j DROP
-A cphulk -s x.x.x.x/32 -m state --state NEW -m time --datestop 2019-05-30T00:14:39 --utc -j DROP
-A cphulk -s x.x.x.x/32 -m state --state NEW -m time --datestop 2019-05-30T07:09:57 --utc -j DROP
COMMIT
# Completed on Wed May 29 10:56:39 2019
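
The two checks suggested in this thread (look for -j LOG rules in the iptables-save output, and remember that outgoing packets never visit INPUT) can be run together against a ruleset. The script below is an added example, not code from any poster: the function names are hypothetical, RULESET is a constructed excerpt of the filter table posted above, and only the filter table's INPUT/OUTPUT/FORWARD chains are modelled.

```python
import re
import shlex

# Constructed sample: filter-table excerpt of the iptables-save output posted above.
RULESET = '''*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [272849:423718602]
:LOGGING - [0:0]
:cpanel-dovecot-solr - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOGGING
-A OUTPUT -j cpanel-dovecot-solr
-A LOGGING -m limit --limit 10/min -j LOG --log-prefix "DROP: " --log-level 7
-A LOGGING -j DROP
COMMIT
'''
# Message text from the first post, after the "kernel:[timestamp] " part.
KERNEL_LINE = 'nf_ct_ftp: dropping packetIN= OUT=eth0 PROTO=TCP SPT=21 DPT=49012'

def parse(ruleset):
    """Return (built-in chains, jump edges, LOG rules as (chain, prefix))."""
    builtin, edges, logs = set(), {}, []
    for line in ruleset.splitlines():
        if line.startswith(':'):
            name, policy = line[1:].split()[:2]
            if policy != '-':              # user-defined chains show "-" as policy
                builtin.add(name)
        elif line.startswith('-A ') and '-j' in (tok := shlex.split(line)):
            chain, target = tok[1], tok[tok.index('-j') + 1]
            if target == 'LOG':
                has_prefix = '--log-prefix' in tok
                logs.append((chain, tok[tok.index('--log-prefix') + 1] if has_prefix else ''))
            else:
                edges.setdefault(chain, set()).add(target)
    return builtin, edges, logs

def hooks_reaching(chain, builtin, edges):
    """Built-in chains from which `chain` can be entered through -j jumps."""
    def reach(src, seen=frozenset()):
        return src == chain or any(
            reach(t, seen | {src}) for t in edges.get(src, ()) if t not in seen)
    return {b for b in builtin if reach(b)}

def candidate_rules(kernel_line, ruleset):
    """LOG rules whose prefix and packet direction both fit the kernel line."""
    builtin, edges, logs = parse(ruleset)
    dev = dict(re.findall(r'(IN|OUT)=(\S*)', kernel_line))
    # Filter table: IN empty = locally generated (OUTPUT); OUT empty = local delivery (INPUT).
    hook = 'OUTPUT' if not dev.get('IN') else 'INPUT' if not dev.get('OUT') else 'FORWARD'
    return [(c, p) for c, p in logs
            if kernel_line.startswith(p) and hook in hooks_reaching(c, builtin, edges)]
```

For the line from the first post, candidate_rules returns an empty list: the only LOG rule has the prefix "DROP: " and is reachable from INPUT alone, while the logged packet has an empty IN= field.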
