LinuxQuestions.org
Old 10-26-2009, 01:08 AM   #1
nootkan
LQ Newbie
 
Registered: Oct 2008
Posts: 11

Rep: Reputation: 0
Major Warnings after Yum Update in Log Watch


Hi, I am a newbie to this forum and to Linux in general. I rent my own dedicated server and had it secured with a cPanel Service Package + MailScanner package from ConfigServer. I am greener than green, but have been trying to learn as much as I can when I can. Server: Linux CENTOS 5.4 x86_64 standard

Been reading my daily warning messages for some time now and until last Friday I never really saw any differences in data. On Friday there was an update as logged in logwatch along with hundreds of warnings similar to these:
Quote:
network unreachable resolving 'webaf1.airfrance.fr/AAAA/IN': 2001:4f8:0:2::8#53: 1 Time(s)

network unreachable resolving 'wizard.uark.edu/A/IN': 2001:503:a83e::2:30#53: 1 Time(s)

network unreachable resolving 'yakro.aviso.ci/A/IN': 2001:610:240:0:53:cc:12:56#53: 1 Time(s)

the working directory is not writable: 3 Time(s)

using default UDP/IPv4 port range: [1024, 65535]: 3 Time(s)

using default UDP/IPv6 port range: [1024, 65535]: 3 Time(s)

using up to 4096 sockets: 3 Time(s)
These are the last lines of hundreds. I also was getting hundreds of warnings in my service check logs also, but when I searched the net for some info I came across a post that stated removing port 53 from UDP IN and OUT would help. I did this in csf firewall settings in WHM. This removed most of the warnings from my service checks but no effect on my logwatch logs. Is disabling port 53 from UDP In and Out the right thing to do?

I have everything automated and get yum updates regularly but have never had this issue before.
Here are a few lines of the yum update:
Quote:
--------------------- yum Begin ------------------------

Packages Installed:
kernel-devel-2.6.18-164.el5.x86_64
fipscheck-lib-1.2.0-1.el5.x86_64
keyutils-1.2-1.el5.x86_64
trousers-0.3.1-4.el5.x86_64
sgpio-1.2.0_10-2.el5.x86_64
bitstream-vera-fonts-1.10-7.noarch
fipscheck-lib-1.2.0-1.el5.i386
hmaccalc-0.9.6-1.el5.x86_64
trousers-0.3.1-4.el5.i386
dmraid-events-1.0.0.rc13-53.el5.x86_64

Packages Updated:
setroubleshoot-2.0.5-5.el5.noarch
nspr-4.7.4-1.el5_3.1.x86_64
1:busybox-1.2.0-7.el5.centos.x86_64
readline-devel-5.1-3.el5.i386
device-mapper-1.02.32-1.el5.x86_64
libstdc++-devel-4.1.2-46.el5.x86_64

Appreciate any help or guidance to allow me to resolve/understand this issue better.
 
Old 10-26-2009, 03:41 AM   #2
DrLove73
Senior Member
 
Registered: Sep 2009
Location: Srbobran, Serbia
Distribution: CentOS 5.5 i386 & x86_64
Posts: 1,118
Blog Entries: 1

Rep: Reputation: 129
Hi. Your server was 5.3 until the mentioned time, and then it upgraded itself to 5.4 :-) CentOS 5.4 was released just a few days ago, so this update (rather upgrade) is legitimate.
 
Old 10-26-2009, 11:16 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
...and wrt Logwatch
Quote:
Originally Posted by nootkan View Post
when I searched the net for some info I came across a post that stated removing port 53 from UDP IN and OUT would help. I did this in csf firewall settings in WHM. This removed most of the warnings from my service checks but no effect on my logwatch logs. Is disabling port 53 from UDP In and Out the right thing to do?
If you have verified these resolver warnings are no longer in your log file then it depends on the --range of Logwatch reporting. If it's "Today" then older warnings should disappear the next time you run Logwatch. OTOH if you choose a setting like "All" then these warnings will still show. To verify this you could easily run 'logwatch' from the command line like 'logwatch --detail Med --print --range Today --service SERVICENAME' where "SERVICENAME" is the name of the service (nameserver, named, bind, dns, whatever else applicable).
 
Old 10-26-2009, 01:05 PM   #4
nootkan
LQ Newbie
 
Registered: Oct 2008
Posts: 11

Original Poster
Rep: Reputation: 0
Thanks for the replies.
Quote:
Hi. Your server was 5.3 until the mentioned time, and then it upgraded itself to 5.4 :-) CentOS 5.4 was released just a few days ago, so this update (rather upgrade) is legitimate.
Okay so now I know what the upgrade actually was as there was no reference to the words CentOS 5.4 anywhere that I could see. So I can ignore these warnings then I suppose as they are not serious. Is there anywhere I can go to learn what these warnings are actually saying?

Quote:
If you have verified these resolver warnings are no longer in your log file then it depends on the --range of Logwatch reporting.
Okay when I check the log files in WHM I see these warnings going back to the very day that the update occurred.

Quote:
To verify this you could easily run 'logwatch' from the command line like 'logwatch --detail Med --print --range Today --service SERVICENAME' where "SERVICENAME" is the name of the service (nameserver, named, bind, dns, whatever else applicable).
How do I determine whatever else is applicable and what is not?

Sorry for my ignorance, but I'm a trying...

Update: Turns out I was still looking through my saved log files when I said they went back to Friday when the update occurred. The logs turn over every two days it looks like. I counted 6798 warnings during these two days (25-26). I also noticed that not all the warnings are the same.

Quote:
Oct 25 04:31:44 server2 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Oct 25 04:31:55 server2 pure-ftpd: (?@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__KSgFwOwle6LIT5kTjYfedlCj86cOT18QVc5jSKT6IDgTyrLIG6R4qkxShEzr8ZR3 is now logged in
Oct 25 04:31:55 server2 pure-ftpd: (__cpanel__service__auth__ftpd__KSgFwOwle6LIT5kTjYfedlCj86cOT18QVc5jSKT6IDgTyrLIG6R4qkxShEzr8ZR3@127.0.0.1) [INFO] Logout.
These ones seem to repeat every five minutes. Not sure what this is about.

Quote:
Oct 25 05:53:17 server2 named[3598]: lame server resolving '175.6.40.89.in-addr.arpa' (in '6.40.89.in-addr.arpa'?): 80.96.198.2#53
Oct 25 05:53:18 server2 named[3598]: lame server resolving '175.6.40.89.in-addr.arpa' (in '6.40.89.in-addr.arpa'?): 81.181.111.2#53
Quote:
Oct 25 07:16:54 server2 named[3598]: unexpected RCODE (REFUSED) resolving 'dns.xm.fj.cn/AAAA/IN': 202.101.103.55#53

Last edited by nootkan; 10-26-2009 at 04:28 PM.
 
Old 10-26-2009, 05:32 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by nootkan View Post
there was no reference to the words CentOS 5.4 anywhere that I could see.
I think the only clue would be the RPM that updates /etc/redhat-release (as in "centos-release-5-4.*.rpm").


Quote:
Originally Posted by nootkan View Post
So I can ignore these warnings then I suppose as they are not serious. Is there anywhere I can go to learn what these warnings are actually saying?
Please be specific. Which warnings? As I told you before warnings should be investigated (and understood) not neglected. However messages of the informational level, like Yum installation or update log lines, are just that: informational. If OTOH you mean the "network unreachable resolving (AAAA|A)" ones then search for "AAAA record" or see http://en.wikipedia.org/wiki/List_of_DNS_record_types. The "working directory is not writable" should be self-explanatory and the "using.*port" and "using.*sockets" are informational too.


Quote:
Originally Posted by nootkan View Post
Okay when I check the log files in WHM I see these warnings going back to the very day that the update occurred.
I should have said "If you have verified these resolver warnings are no longer in your log file today".


Quote:
Originally Posted by nootkan View Post
How do I determine whatever else is applicable and what is not?
Sorry. With "whatever else is applicable" I meant any other service name that the DNS service runs as.


Quote:
Originally Posted by nootkan View Post
These ones seem to repeat every five minutes. Not sure what this is about.
The "lame server" is a typical message informing you that the remote NS that should resolve these addresses is not the authoritative NS for that domain. In BIND you get rid of those messages (stop logging them) using
Code:
// named.conf: send the lame-servers log category to the null channel
logging {
    category lame-servers { null; };
};
Like these lame delegations the REFUSED line also indicates a remote problem.
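
Added example, not part of any post in this thread: a small Python triage script that sorts named messages into the groups unSpawn describes (remote problems such as lame delegations and REFUSED, the local working-directory warning, informational startup lines) and counts the "network unreachable" upstream addresses by IP version. The log sample is constructed from the lines quoted above, and the category names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the messages quoted in the thread; timestamps
# on the "network unreachable" and startup lines are made up for illustration.
SAMPLE = """\
Oct 25 05:53:17 server2 named[3598]: lame server resolving '175.6.40.89.in-addr.arpa' (in '6.40.89.in-addr.arpa'?): 80.96.198.2#53
Oct 25 07:16:54 server2 named[3598]: unexpected RCODE (REFUSED) resolving 'dns.xm.fj.cn/AAAA/IN': 202.101.103.55#53
Oct 25 07:20:01 server2 named[3598]: network unreachable resolving 'wizard.uark.edu/A/IN': 2001:503:a83e::2:30#53
Oct 25 07:20:02 server2 named[3598]: network unreachable resolving 'webaf1.airfrance.fr/AAAA/IN': 2001:4f8:0:2::8#53
Oct 25 07:21:00 server2 named[3598]: the working directory is not writable
Oct 25 07:21:00 server2 named[3598]: using up to 4096 sockets
Oct 25 04:31:44 server2 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
"""

NAMED = re.compile(r"named\[\d+\]: (?P<msg>.*)$")
UPSTREAM = re.compile(r": (?P<addr>[0-9A-Fa-f:.]+)#\d+$")
RULES = [  # (category, pattern), first match wins; names are this example's own
    ("unreachable", re.compile(r"^network unreachable resolving ")),
    ("lame-delegation", re.compile(r"^lame server resolving ")),
    ("remote-rcode", re.compile(r"^unexpected RCODE \(\w+\) resolving ")),
    ("local-config", re.compile(r"^the working directory is not writable")),
    ("informational", re.compile(r"^using (default UDP/IPv[46] port range|up to \d+ sockets)")),
]

def ip_family(addr):
    """Return 'IPv4' or 'IPv6' for an address string, 'unparsed' if malformed."""
    try:
        return f"IPv{ipaddress.ip_address(addr).version}"
    except ValueError:
        return "unparsed"

def triage(log_text):
    """Count named messages per category; count unreachable upstreams per IP version."""
    categories, families = Counter(), Counter()
    for line in log_text.splitlines():
        m = NAMED.search(line)
        if not m:
            continue  # not a named line (for example pure-ftpd)
        msg = m.group("msg")
        category = next((name for name, rx in RULES if rx.search(msg)), "other")
        categories[category] += 1
        up = UPSTREAM.search(msg)
        if category == "unreachable" and up:
            families[ip_family(up.group("addr"))] += 1
    return categories, families

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Anything that lands in "other" is a message none of the rules recognise and is the part of the log worth reading by hand.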
 
  

