Drop Rate increases

capote · January 9, 2021, 5:37pm

NethServer Version: 7.9
Module: Firewall, IPS, Fail2ban, Webproxy

AlertCategories=ET-emerging-current_events,ET-emerging-dos,ET-emerging-ftp,ET-emerging-games,ET-emerging-inappropriate,ET-emerging-misc,ET-emerging-mobile_malware,ET-emerging-p2p,ET-emerging-scan,ET-emerging-shellcode,ET-emerging-sql,ET-emerging-trojan,ET-emerging-voip,ET-emerging-web_client,ET-emerging-worm

BlockCategories=ET-botcc.portgrouped,ET-botcc,ET-ciarmy,ET-compromised,ET-dshield,ET-emerging-activex,ET-emerging-attack_response,ET-emerging-exploit,ET-emerging-malware,ET-emerging-netbios

Since 3 week I recognize increasing packet drops

I cannot really identify a reason.
The Block Categories are similar to my other servers w/o drops.
Do you have any tips for me for deeper analysis?
Or ist it normal?
Best regards, Marko

pike · January 9, 2021, 5:59pm

How’s your CPU usage?

capote · January 9, 2021, 6:25pm

round about 10-15%.
Meanwhile I deactivated the IPS completey - no differences. Which other module initiates such drops also?

capote · January 9, 2021, 6:28pm

This Drops dominates:

Jan  9 18:10:03 nethserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=c6:92:ce:7d:46:87:58:d7:59:69:f1:0d:08:00 SRC=45.157.178.109 DST=192.168.2.201 LEN=1440 TOS=0x00 PREC=0x00 TTL=55 ID=21669 DF PROTO=TCP SPT=443 DPT=42782 WINDOW=298 RES=0x00 ACK URGP=0 MARK=0x5b00 
Jan  9 18:24:34 nethserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=c6:92:ce:7d:46:87:58:d7:59:69:f1:0d:08:00 SRC=17.253.79.201 DST=192.168.2.201 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=TCP SPT=443 DPT=47068 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x8c00 
Jan  9 18:46:48 nethserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=c6:92:ce:7d:46:87:58:d7:59:69:f1:0d:08:00 SRC=2.16.107.184 DST=192.168.2.201 LEN=323 TOS=0x00 PREC=0x00 TTL=56 ID=26658 DF PROTO=TCP SPT=443 DPT=49742 WINDOW=235 RES=0x00 ACK PSH URGP=0 MARK=0x9100

robb · January 9, 2021, 6:47pm

Is this the IP address of your nethserver lan interface? All have in common that the destination is the same.
all are different source IP’s

capote · January 9, 2021, 7:16pm

yes it is my Proxmox /Nethserver Gateway

robb · January 10, 2021, 12:02pm

But then it’s your RED (outside) interface, not your GREEN (LAN) interface. Which makes me think your log entries are comming from random ip addresses. The entries are not related, so my best guess is that they are not that harmful.