Distribution: Mostly RedHat. Also Suse, Ubuntu, PHLAK etc.
Posts: 149
Original Poster
Thanks all
I'll go through the links provided, thanks for the help everyone
EDIT:
OK, went through the links, seems according to RedHat, this is benign and simply informative messages.
Almost all other sources say this indicates malicious behavior on the remote end...
Personally I'm leaning to malicious behavior as a certain daemon on my box bombed out multiple times as a result.
My take on this http://www.linuxquestions.org/questi...501#post306501. First note the kernel adjusts since it says "repaired", also note the shown window size doesn't slide to zero, so I'd go for buggy remote first.
Quote:
Personally I'm leaning to malicious behavior as a certain daemon on my box bombed out multiple times as a result.
If this keeps occurring: is the source a single IP or a range?
Running an IDS like Snort or Prelude should catch any exploits.
Running P0f should give you a fix on the remote OS.
Else try blocking with either mod_security or iptables.
Distribution: Mostly RedHat. Also Suse, Ubuntu, PHLAK etc.
Posts: 149
Original Poster
Quote:
Originally Posted by unSpawn
My take on this http://www.linuxquestions.org/questi...501#post306501. First note the kernel adjusts since it says "repaired", also note the shown window size doesn't slide to zero, so I'd go for buggy remote first.
Personally I'm leaning to malicious behavior as a certain daemon on my box bombed out multiple times as a result.
If this keeps occurring: is the source a single IP or a range?
Running an IDS like Snort or Prelude should catch any exploits.
Running P0f should give you a fix on the remote OS.
Else try blocking with either mod_security or iptables.
Sounds like excellent advice (as usual), thanks unSpawn. Much appreciated
NP. Forgot to say: if you determine this is a one-off situation and you won't install or can't run Snort or P0f on the server it should be no problem as long as you can run tcpdump (don't need promisc mode, do use a BPF filter and do watch for filesize) and make it write to file. Then you can read the dump on another station where Snort and P0f are installed.
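The capture described in the last post, as an added example that is not part of the thread: tcpdump without promiscuous mode, a BPF filter limited to the suspect peer (a single IP or a range), and a size-capped ring of output files. The function names, interface, output path and peer address are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical;
# addresses in the usage line are constructed (RFC 5737 documentation range).

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print a BPF expression for a single host ("192.0.2.10") or a range
# ("192.0.2.0/24"). Validating first keeps shell or filter syntax out of it.
build_filter() {
    case "$1" in
        */*)
            addr=${1%/*}; len=${1#*/}
            valid_ipv4 "$addr" || return 1
            case "$len" in ''|*[!0-9]*) return 1 ;; esac
            [ "${#len}" -le 2 ] && [ "$len" -le 32 ] || return 1
            printf 'tcp and net %s/%s\n' "$addr" "$len" ;;
        *)
            valid_ipv4 "$1" || return 1
            printf 'tcp and host %s\n' "$1" ;;
    esac
}

# -p: no promiscuous mode, -n: no DNS lookups, -s 0: whole packets,
# -C 50 -W 4: rotate at about 50 MB and keep at most 4 files (disk cap).
capture_peer() {
    iface=$1; out=$2
    filter=$(build_filter "$3") || { echo "bad peer: $3" >&2; return 2; }
    tcpdump -p -n -i "$iface" -s 0 -C 50 -W 4 -w "$out" "$filter"
}

# Usage (as root): capture_peer eth0 /var/tmp/peer.pcap 192.0.2.10
```

The rotated files can be copied to the analysis station and read offline with `tcpdump -n -r`; Snort accepts a pcap file with `-r` as well.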