Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
kernel module auto-load of net-pf-2-proto-17-type-1 ??
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware
View previous topic :: View next topic  
Author Message
Philippe23
Tux's lil' helper
Tux's lil' helper


Joined: 20 Dec 2006
Posts: 90
Location: Rome, NY

PostPosted: Thu Jun 16, 2011 2:11 pm    Post subject: kernel module auto-load of net-pf-2-proto-17-type-1 ?? Reply with quote

I've been getting messages like this in my logs for a little while now.

Quote:
Jun 16 09:16:06 localhost kernel: [4307269.978879] grsec: From 119.63.196.20: denied kernel module auto-load of net-pf-2-proto-17-type-1 by /usr/sbin/apache2[apache2:1407] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:14996] uid/euid:0/0 gid/egid:0/0


119.63.196.20 looks like it is a Baidu Search Engine Spider IP.

What would be triggering this, what exactly is apache trying to load (PF 2, PROTO 17 is UDP). Is there any danger in this? If this is just UDP and is harmless, any idea which kernel option builds this in?
Back to top
View user's profile Send private message
neofutur
n00b
n00b


Joined: 18 Jun 2006
Posts: 18
Location: France

PostPosted: Mon Oct 27, 2014 8:57 pm    Post subject: Re: kernel module auto-load of net-pf-2-proto-17-type-1 ?? Reply with quote

Philippe23 wrote:
I've been getting messages like this in my logs for a little while now.

Quote:
Jun 16 09:16:06 localhost kernel: [4307269.978879] grsec: From 119.63.196.20: denied kernel module auto-load of net-pf-2-proto-17-type-1 by /usr/sbin/apache2[apache2:1407] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:14996] uid/euid:0/0 gid/egid:0/0


119.63.196.20 looks like it is a Baidu Search Engine Spider IP.

What would be triggering this, what exactly is apache trying to load (PF 2, PROTO 17 is UDP). Is there any danger in this? If this is just UDP and is harmless, any idea which kernel option builds this in?


I d also be happy to get a definitive answer on this, couldnt find any way to stop apache to try to load ipv6 every 2 seconds

the answer from http://httpd.apache.org/docs/current/bind.html#ipv6

is just not working here, still getting :

Quote:
Oct 27 22:04:35 x kernel: grsec: denied kernel module auto-load of ipv6 by uid 81
Oct 27 22:04:37 x kernel: grsec: denied kernel module auto-load of ipv6 by uid 81
Oct 27 22:04:38 x kernel: grsec: denied kernel module auto-load of ipv6 by uid 81
Oct 27 22:04:42 x kernel: grsec: denied kernel module auto-load of ipv6 by uid 81
Oct 27 22:04:42 x kernel: grsec: denied kernel module auto-load of ipv6 by uid 81
Oct 27 22:04:42 x kernel: grsec: denied kernel module auto-load of ipv6 by uid 81
Oct 27 22:04:42 x kernel: grsec: denied kernel module auto-load of ipv6 by uid 81
Oct 27 22:04:42 x kernel: grsec: denied kernel module auto-load of ipv6 by uid 81
Oct 27 22:04:46 x kernel: grsec: denied kernel module auto-load of ipv6 by uid 81
Oct 27 22:04:47 x kernel: grsec: denied kernel module auto-load of ipv6 by uid 81

nearly one / second . . .
_________________
http://bitcoin.gw.gd-http://ww7.pe-http://waisse.org
Back to top
View user's profile Send private message
neofutur
n00b
n00b


Joined: 18 Jun 2006
Posts: 18
Location: France

PostPosted: Tue Nov 04, 2014 2:10 am    Post subject: Re: kernel module auto-load of net-pf-2-proto-17-type-1 ?? Reply with quote

neofutur wrote:

the answer from http://httpd.apache.org/docs/current/bind.html#ipv6
is just not working here, still getting :
Quote:
Oct 27 22:04:35 x kernel: grsec: denied kernel module auto-load of ipv6 by uid 81
Oct 27 22:04:46 x kernel: grsec: denied kernel module auto-load of ipv6 by uid 81
Oct 27 22:04:47 x kernel: grsec: denied kernel module auto-load of ipv6 by uid 81

nearly one / second . . .


since the main danger here is overloading your server with too many log messages ( and yes this is is a possible DOS/DDOS against anyone not allowing ipv6 ) concerning the war between me/grsec and silly apache , I finally edited the syslog-ng filter for grsec :

from

Code:
#filter f_grsec { message("^(\\[.*\..*\] |)grsec:.*"); };


to

Code:
filter f_grsec { message("^(\\[.*\..*\] |)grsec:.*") and not message(".*ipv6.*"); };


hopes this help , feel free to suggest a better syslog-ng filter please ;)

I hate ignoring logs, but this one really exploded the loadavg on my server

also i m ready to try whatever apache config trick you could suggest to have this bitch stop trying to load ipv6 module ( but I already tried every answer i could find on the internet ;) ).


( i wish apache had a use flag -ipv6 )
_________________
http://bitcoin.gw.gd-http://ww7.pe-http://waisse.org
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum