What is this and do I need to worry about it?

Louey37

I've just signed up for my first dedicated server and know nothing about them.

I'm receiving 4 to 5 emails a day with alerts and I have NO idea what they are and if I should be worried about them. If you know anything about hosting, can you help a brother out?

Here are some of the alerts I'm getting:

--------------

Time: Tue Jan 15 13:02:06 2013 -0600
IP: 194.127.5.247 (DE/Germany/-)
Connections: 62
Blocked: Temporary Block

Connections:
tcp: 194.127.5.247:52617 -> XX.XXX.XXX.XX:80 (FIN_WAIT2)
tcp: 194.127.5.247:53047 -> XX.XXX.XXX.XX:80 (ESTABLISHED)
tcp: 194.127.5.247:52595 -> XX.XXX.XXX.XX:80 (FIN_WAIT2)
tcp: 194.127.5.247:53053 -> XX.XXX.XXX.XX:80 (ESTABLISHED)
tcp: 194.127.5.247:52602 -> XX.XXX.XXX.XX:80 (FIN_WAIT2)
tcp: 194.127.5.247:52596 -> XX.XXX.XXX.XX:80 (FIN_WAIT2)
tcp: 194.127.5.247:52869 -> XX.XXX.XXX.XX:80 (FIN_WAIT2)
tcp: 194.127.5.247:53038 -> XX.XXX.XXX.XX:80 (ESTABLISHED)
tcp: 194.127.5.247:52621 -> XX.XXX.XXX.XX:80 (FIN_WAIT2)
tcp: 194.127.5.247:52872 -> XX.XXX.XXX.XX:80 (FIN_WAIT2)
tcp: 194.127.5.247:52607 -> XX.XXX.XXX.XX:80 (FIN_WAIT2)
tcp: 194.127.5.247:53048 -> XX.XXX.XXX.XX:80 (ESTABLISHED)
tcp: 194.127.5.247:52894 -> XX.XXX.XXX.XX:80 (FIN_WAIT2)
tcp: 194.127.5.247:52604 -> XX.XXX.XXX.XX:80 (FIN_WAIT2)

----------

Time: Tue Jan 15 10:44:21 2013 -0600
IP: 76.30.171.72 (US/United States/c-76-30-171-72.hsd1.tx.comcast.net)
Hits: 11
Blocked: Temporary Block

Sample of block hits:
Jan 15 10:43:27 host kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:23:ae:6b:d6:93:5c:5e:ab:d0:66:f0:08:00 SRC=76.30.171.72 DST=XX.XXX.XXX.XX LEN=84 TOS=0x00 PREC=0x00 TTL=118 ID=5737 PROTO=UDP SPT=56568 DPT=3544 LEN=64
Jan 15 10:43:30 host kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:23:ae:6b:d6:93:5c:5e:ab:d0:66:f0:08:00 SRC=76.30.171.72 DST=XX.XXX.XXX.XX LEN=84 TOS=0x00 PREC=0x00 TTL=118 ID=7136 PROTO=UDP SPT=56568 DPT=3544 LEN=64
Jan 15 10:43:56 host kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:23:ae:6b:d6:93:5c:5e:ab:d0:66:f0:08:00 SRC=76.30.171.72 DST=XX.XXX.XXX.XX LEN=84 TOS=0x00 PREC=0x00 TTL=118 ID=16817 PROTO=UDP SPT=56568 DPT=3544 LEN=64
Jan 15 10:43:57 host kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:23:ae:6b:d6:93:5c:5e:ab:d0:66:f0:08:00 SRC=76.30.171.72 DST=XX.XXX.XXX.XX LEN=84 TOS=0x00 PREC=0x00 TTL=118 ID=17469 PROTO=UDP SPT=56568 DPT=3544 LEN=64
Jan 15 10:43:59 host kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:23:ae:6b:d6:93:5c:5e:ab:d0:66:f0:08:00 SRC=76.30.171.72 DST=XX.XXX.XXX.XX LEN=84 TOS=0x00 PREC=0x00 TTL=118 ID=18167 PROTO=UDP SPT=56568 DPT=3544 LEN=64

---------

What are these and should I be worried about them?
 


What are these and should I be worried about them?

Since no one else responded yet I'll try to help out briefly.

The first email appears to be a German IP hitting your web server. Not sure why it was blocked, maybe the connections were coming in too fast, or someone was scanning for something.

The second email appears to relate to a computer connecting to port 3544, which is typically used for a Teredo server (IPv6 tunneling, basically). You probably aren't running that service.

You'll see a lot of this running a server, and neither one appears to be anything to worry about.
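
An added example, not part of any post in this thread: a small Python script that tallies the two alert formats quoted above, counting TCP connection states per source and blocked packets per source, protocol and destination port. The function names and the port labels are assumptions made for illustration.

```python
import re
from collections import Counter

# Lines abridged from the two alerts quoted in the first post.
SAMPLE = """\
tcp: 194.127.5.247:52617 -> XX.XXX.XXX.XX:80 (FIN_WAIT2)
tcp: 194.127.5.247:53047 -> XX.XXX.XXX.XX:80 (ESTABLISHED)
tcp: 194.127.5.247:52595 -> XX.XXX.XXX.XX:80 (FIN_WAIT2)
tcp: 194.127.5.247:52602 -> XX.XXX.XXX.XX:80 (FIN_WAIT2)
Jan 15 10:43:27 host kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:23:ae:6b:d6:93:5c:5e:ab:d0:66:f0:08:00 SRC=76.30.171.72 DST=XX.XXX.XXX.XX LEN=84 TOS=0x00 PREC=0x00 TTL=118 ID=5737 PROTO=UDP SPT=56568 DPT=3544 LEN=64
Jan 15 10:43:30 host kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:23:ae:6b:d6:93:5c:5e:ab:d0:66:f0:08:00 SRC=76.30.171.72 DST=XX.XXX.XXX.XX LEN=84 TOS=0x00 PREC=0x00 TTL=118 ID=7136 PROTO=UDP SPT=56568 DPT=3544 LEN=64
"""

# "tcp: src:sport -> dst:dport (STATE)" lines from the connection alert.
CONN_RE = re.compile(r"^(tcp|udp): (\S+):(\d+) -> (\S+):(\d+) \((\w+)\)$")
# KEY=value tokens from the kernel firewall log lines (value may be empty, e.g. OUT=).
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# Port labels as described in the reply above (assumption); extend for your own services.
PORT_NAMES = {80: "HTTP", 3544: "Teredo"}

def parse_alert(text):
    """Return (states, blocked) counters for one alert e-mail body."""
    states = Counter()   # (source IP, local port, TCP state) -> count
    blocked = Counter()  # (source IP, protocol, destination port) -> count
    for line in text.splitlines():
        line = line.strip()
        m = CONN_RE.match(line)
        if m:
            _proto, src, _sport, _dst, dport, state = m.groups()
            states[(src, int(dport), state)] += 1
        elif "Firewall:" in line and "Blocked*" in line:
            fields = {}
            for key, value in KV_RE.findall(line):
                fields.setdefault(key, value)  # LEN appears twice; keep the first
            # Packets without ports (e.g. ICMP) have no DPT and are skipped.
            if {"SRC", "PROTO", "DPT"} <= fields.keys():
                blocked[(fields["SRC"], fields["PROTO"], int(fields["DPT"]))] += 1
    return states, blocked

def summarize(text):
    """One human-readable line per (source, port, state) or (source, proto, port)."""
    states, blocked = parse_alert(text)
    out = []
    for (src, port, state), n in sorted(states.items()):
        out.append(f"{src} -> local port {port} ({PORT_NAMES.get(port, 'unknown')}): {n} x {state}")
    for (src, proto, port), n in sorted(blocked.items()):
        out.append(f"{src} blocked {n} x {proto} to port {port} ({PORT_NAMES.get(port, 'unknown')})")
    return out

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```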
 
Thanks mate. I appreciate the feedback. I'm pretty new to this shit.

I've just started getting another email coming in once an hour. This is what it says:

--------

Excessive Resource Usage

Time: Mon Mar 4 07:00:32 2013 -0600
Account: nscd
Resource: Process Time
Exceeded: 198911 > 1800 (seconds)

----------

I wouldn't normally care but it's literally coming in once an hour. I have an idea of what this means (I'm guessing it has something to do with excessive resource usage...) but I'm not sure how to deal with it.

Any thoughts?
 
In WHM, configure the Notification Settings.

If you are unsure, you can send me a private message with your Skype and I can take a look.
 
You should have Plesk installed.

I assumed you have a Linux server.

If you have cPanel, disable unimportant notifications.

Attacks happen all the time. I have 5 dedicated servers and get about 1000 attacks every hour!!

Don't worry, but I hope you have Linux+Plesk.