On 2024-08-31 07:32, Pete French wrote:
So I am running some servers with 14.1-STABLE, pretty standard - Apache +
mysql
setup, and I am seeing a lot of the above messages. I have always seen these
form
time to time, but recently I have had compmnaits from a customer about the
webservers being unavailable, and the times they give correspond to bursts
of
these errors.
I dont see any other errors, and am wondering how to get more info about
this
message. Knowing if its IPv4 or IPv6 would be nice. Knowing the port that is
closed would be ideal. I have a feeling that the closed port is the one
which
Apaxche is suppsoed to be listenin gon (I cant think of nay other ports
which
would get hammered), but that should never be closed.
Check the www logs against the same times you're seeing these in messages.
Bad bots
"search engines" will often flood your server(s). It can also be the result
of local
scripts making massive queries outbound (a script running on a [local]
customer web
server?). Lastly, someone pounding on your box either directly, or by way of
deflected
queries (harder to track). Some ways to track; check all your other logs
against the same
times those messages show up in messages. Crank up verbosity in logs. Lastly;
you might
be able to better ferret some additional clues in sysctl.conf(5) by tweaking
the
net.inet.tcp.log_in_vain setting; from tcp(4):
log_in_vain
Log any connection attempts to ports where there
is no socket accepting connections. The value
of 1 limits the logging to SYN (connection
establishment) packets only. A value of 2 results
in any TCP packets to closed ports being logged.
Any value not listed above disables the logging
(default is 0, i.e., the logging is disabled).
Warning, you'll see a good number of entries many (most) are
innocent/harmless. You'll
of course only be interested in those corresponding with the messages you're
receiving.
You'll probably only want to use this during the periods your concerned with.
As this
is a pretty noisy log.
I see these messages all the time, and managed to track the offending IP
using at least
one of the above. I run pf(4). So add the offending IP to a block table, and
am never
forced to deal with them again. :)
HTH
--Chris
Any advice ?
-pete.
