Submitted by nhsitehost on Sat, 07/19/2014 - 07:35 Pro Licensee
I was looking over my iptables rules and there are a ton of rules I have no clue what they are, how they got there, and if they should be there... I could use some support fixing them and getting them correct...
Status:
Active
Comments
Submitted by nhsitehost on Sat, 07/19/2014 - 07:36 Pro Licensee Comment #1
Here are my saved rules
# Generated by iptables-save v1.4.7 on Wed Apr 9 14:02:18 2014
*mangle
:PREROUTING ACCEPT [16895:15639425]
:INPUT ACCEPT [16894:15639186]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14490:8480285]
:POSTROUTING ACCEPT [14490:8480285]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Wed Apr 9 14:02:18 2014
# Generated by iptables-save v1.4.7 on Wed Apr 9 14:02:18 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [28:2196]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 10080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 69 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Apr 9 14:02:18 2014
# Generated by iptables-save v1.4.7 on Wed Apr 9 14:02:18 2014
*nat
:PREROUTING ACCEPT [357:20441]
:POSTROUTING ACCEPT [521:33244]
:OUTPUT ACCEPT [521:33244]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Apr 9 14:02:18 2014
Submitted by nhsitehost on Sat, 07/19/2014 - 07:40 Pro Licensee Comment #2
This system is a VM on a Windows 2008 R2 Hyper-V server... I assume that virbr0 is the virtual port for the network, although when I look at the network interfaces I don't see virbr0, I only see eth0.
Submitted by andreychek on Sat, 07/19/2014 - 09:40 Comment #3
Howdy -- hmm, do you by chance have any non-default or third party software installed that might automatically configure firewall rules?
You don't actually need a firewall, and in most cases one isn't enabled by default. So one solution would be to disable your firewall altogether. Or you could just remove those entries relating to virbr0.
However, if you don't actually have a virbr0 interface, that may mean that there's some non-default software on your server that tried to add a set of rules -- and if that's the case, you may need to disable/remove that software.
Some of those rules look like the default firewall on CentOS/RHEL systems, mostly harmless. Some of them are our allow rules that get added during install. Some look unfamiliar (but there may be new stuff in the default CentOS firewall that I haven't looked at lately).
If it is not interfering with services, it's probably not a problem to leave the rules in place. I usually leave the CentOS firewall alone and just open up the ports I need for my services. But, as Eric said, a firewall is less interesting/useful on a server than on a client machine, as most of your active ports have to be open to actually provide service to the world. They only get useful if you have something like a database or other service that you want to be accessible to other servers you control, but not the world at large, for example.
Submitted by nhsitehost on Sun, 08/03/2014 - 15:48 Pro Licensee Comment #5
OK, for the life of me I canNOT find the service that is updating/changing my iptables... maybe you can see something here?
NetworkManager 0:off 1:off 2:on 3:on 4:on 5:on 6:off
abrt-ccpp 0:off 1:off 2:off 3:on 4:off 5:on 6:off
abrt-oops 0:off 1:off 2:on 3:on 4:on 5:on 6:off
abrtd 0:off 1:off 2:off 3:on 4:off 5:on 6:off
acpid 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
autofs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
blk-availability 0:off 1:on 2:on 3:on 4:on 5:on 6:off
bluetooth 0:off 1:off 2:off 3:on 4:on 5:on 6:off
certmonger 0:off 1:off 2:off 3:on 4:on 5:on 6:off
cgconfig 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cgred 0:off 1:off 2:off 3:off 4:off 5:off 6:off
clamd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cups 0:off 1:off 2:on 3:on 4:on 5:on 6:off
dnsmasq 0:off 1:off 2:off 3:off 4:off 5:off 6:off
dovecot 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ebtables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
fail2ban 0:off 1:off 2:on 3:on 4:on 5:on 6:off
firstboot 0:off 1:off 2:off 3:off 4:off 5:off 6:off
haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
htcacheclean 0:off 1:off 2:off 3:off 4:off 5:off 6:off
httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ipsec 0:off 1:off 2:off 3:off 4:off 5:off 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
irqbalance 0:off 1:off 2:off 3:on 4:on 5:on 6:off
iscsi 0:off 1:off 2:off 3:on 4:on 5:on 6:off
iscsid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
kdump 0:off 1:off 2:on 3:on 4:on 5:on 6:off
lookup-domain 0:off 1:off 2:on 3:on 4:off 5:on 6:off
lvm2-monitor 0:off 1:on 2:off 3:off 4:off 5:off 6:off
mailman 0:off 1:off 2:on 3:on 4:on 5:on 6:off
mcelogd 0:off 1:off 2:off 3:on 4:off 5:on 6:off
mdmonitor 0:off 1:off 2:on 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:on 3:on 4:on 5:on 6:off
mysqld 0:off 1:off 2:on 3:on 4:on 5:on 6:off
named 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
nfslock 0:off 1:off 2:off 3:on 4:on 5:on 6:off
ntpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ntpdate 0:off 1:off 2:off 3:off 4:off 5:off 6:off
numad 0:off 1:off 2:off 3:off 4:off 5:off 6:off
oddjobd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
portreserve 0:off 1:off 2:on 3:on 4:on 5:on 6:off
postfix 0:off 1:off 2:on 3:on 4:on 5:on 6:off
postgresql 0:off 1:off 2:on 3:on 4:on 5:on 6:off
proftpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
psacct 0:off 1:off 2:off 3:off 4:off 5:off 6:off
quota_nld 0:off 1:off 2:off 3:off 4:off 5:off 6:off
radvd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
restorecond 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rngd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rpcbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcgssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcsvcgssd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
saslauthd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
smartd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
snmpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
snmptrapd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
spamassassin 0:off 1:off 2:on 3:on 4:on 5:on 6:off
spice-vdagentd 0:off 1:off 2:off 3:off 4:off 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sssd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
svnserve 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sysstat 0:off 1:on 2:on 3:on 4:on 5:on 6:off
udev-post 0:off 1:on 2:on 3:on 4:on 5:on 6:off
usermin 0:off 1:off 2:on 3:on 4:off 5:on 6:off
wdaemon 0:off 1:off 2:off 3:off 4:off 5:off 6:off
webmin 0:off 1:off 2:on 3:on 4:off 5:on 6:off
winbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off
wpa_supplicant 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ypbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off
Submitted by nhsitehost on Sun, 08/03/2014 - 15:50 Pro Licensee Comment #6
I had thought it was
libvirt
libvirt-guests
but
[root@home]# chkconfig libvirt off
error reading information on service libvirt: No such file or directory
Submitted by andreychek on Sun, 08/03/2014 - 16:38 Comment #7
Do you know if you installed any non-default software?
Nothing installed on CentOS by default would do such a thing. I don't see anything in that list which is an obvious culprit.
Some folks install third party tools such as CSF, which can modify firewall rules automatically.
You may want to review your process list, using 'ps auxw', to see if anything there stands out.
Submitted by nhsitehost on Sun, 08/03/2014 - 16:44 Pro Licensee Comment #8
Here is my list
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 19356 1540 ? Ss 15:59 0:00 /sbin/init
root 2 0.0 0.0 0 0 ? S 15:59 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 15:59 0:00 [migration/0]
root 4 0.0 0.0 0 0 ? S 15:59 0:00 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S 15:59 0:00 [migration/0]
root 6 0.0 0.0 0 0 ? S 15:59 0:00 [watchdog/0]
root 7 0.0 0.0 0 0 ? S 15:59 0:00 [events/0]
root 8 0.0 0.0 0 0 ? S 15:59 0:00 [cgroup]
root 9 0.0 0.0 0 0 ? S 15:59 0:00 [khelper]
root 10 0.0 0.0 0 0 ? S 15:59 0:00 [netns]
root 11 0.0 0.0 0 0 ? S 15:59 0:00 [async/mgr]
root 12 0.0 0.0 0 0 ? S 15:59 0:00 [pm]
root 13 0.0 0.0 0 0 ? S 15:59 0:00 [sync_supers]
root 14 0.0 0.0 0 0 ? S 15:59 0:00 [bdi-default]
root 15 0.0 0.0 0 0 ? S 15:59 0:00 [kintegrityd/0]
root 16 0.0 0.0 0 0 ? S 15:59 0:00 [kblockd/0]
root 17 0.0 0.0 0 0 ? S 15:59 0:00 [kacpid]
root 18 0.0 0.0 0 0 ? S 15:59 0:00 [kacpi_notify]
root 19 0.0 0.0 0 0 ? S 15:59 0:00 [kacpi_hotplug]
root 20 0.0 0.0 0 0 ? S 15:59 0:00 [ata_aux]
root 21 0.0 0.0 0 0 ? S 15:59 0:00 [ata_sff/0]
root 22 0.0 0.0 0 0 ? S 15:59 0:00 [ksuspend_usbd]
root 23 0.0 0.0 0 0 ? S 15:59 0:00 [khubd]
root 24 0.0 0.0 0 0 ? S 15:59 0:00 [kseriod]
root 25 0.0 0.0 0 0 ? S 15:59 0:00 [md/0]
root 26 0.0 0.0 0 0 ? S 15:59 0:00 [md_misc/0]
root 27 0.0 0.0 0 0 ? S 15:59 0:00 [linkwatch]
root 28 0.0 0.0 0 0 ? S 15:59 0:00 [khungtaskd]
root 29 0.0 0.0 0 0 ? S 15:59 0:00 [kswapd0]
root 30 0.0 0.0 0 0 ? SN 15:59 0:00 [ksmd]
root 31 0.0 0.0 0 0 ? SN 15:59 0:00 [khugepaged]
root 32 0.0 0.0 0 0 ? S 15:59 0:00 [aio/0]
root 33 0.0 0.0 0 0 ? S 15:59 0:00 [crypto/0]
root 38 0.0 0.0 0 0 ? S 15:59 0:00 [kthrotld/0]
root 40 0.0 0.0 0 0 ? S 15:59 0:00 [kpsmoused]
root 41 0.0 0.0 0 0 ? S 15:59 0:00 [usbhid_resumer]
root 72 0.0 0.0 0 0 ? S 15:59 0:00 [kstriped]
root 144 0.0 0.0 0 0 ? S 15:59 0:00 [scsi_eh_0]
root 145 0.0 0.0 0 0 ? S 15:59 0:00 [scsi_eh_1]
root 216 0.0 0.0 0 0 ? S 15:59 0:00 [hv_vmbus_con/0]
root 217 0.0 0.0 0 0 ? S 15:59 0:00 [hv_vmbus_ctl/0]
root 219 0.0 0.0 0 0 ? S 15:59 0:00 [hv_vmbus_ctl/0]
root 220 0.0 0.0 0 0 ? S 15:59 0:00 [hv_vmbus_ctl/0]
root 222 0.0 0.0 0 0 ? S 15:59 0:00 [hv_vmbus_ctl/0]
root 223 0.0 0.0 0 0 ? S 15:59 0:00 [hv_vmbus_ctl/0]
root 224 0.0 0.0 0 0 ? S 15:59 0:00 [hv_vmbus_ctl/0]
root 225 0.0 0.0 0 0 ? S 15:59 0:00 [hv_vmbus_ctl/0]
root 226 0.0 0.0 0 0 ? S 15:59 0:00 [hv_vmbus_ctl/0]
root 227 0.0 0.0 0 0 ? S 15:59 0:00 [hv_vmbus_ctl/0]
root 238 0.0 0.0 0 0 ? S 15:59 0:00 [scsi_eh_2]
root 239 0.0 0.0 0 0 ? S 15:59 0:00 [scsi_eh_3]
root 272 0.0 0.0 0 0 ? S 15:59 0:00 [kdmflush]
root 274 0.0 0.0 0 0 ? S 15:59 0:00 [kdmflush]
root 291 0.0 0.0 0 0 ? S 15:59 0:00 [jbd2/dm-0-8]
root 292 0.0 0.0 0 0 ? S 15:59 0:00 [ext4-dio-unwrit]
root 383 0.0 0.0 11512 1616 ? S<s 15:59 0:00 /sbin/udevd -d
root 824 0.0 0.0 0 0 ? S 15:59 0:00 [kdmflush]
root 870 0.0 0.0 0 0 ? S 15:59 0:00 [jbd2/sda1-8]
root 871 0.0 0.0 0 0 ? S 15:59 0:00 [ext4-dio-unwrit]
root 872 0.0 0.0 0 0 ? S 15:59 0:00 [jbd2/dm-2-8]
root 873 0.0 0.0 0 0 ? S 15:59 0:00 [ext4-dio-unwrit]
root 950 0.0 0.0 0 0 ? S 15:59 0:00 [kauditd]
root 985 0.0 0.0 0 0 ? S 15:59 0:00 [flush-253:0]
root 986 0.0 0.0 0 0 ? S 15:59 0:00 [flush-253:2]
root 1216 0.0 0.0 27664 856 ? S<sl 15:59 0:00 auditd
root 1218 0.0 0.0 82084 964 ? S<sl 15:59 0:00 /sbin/audispd
root 1219 0.0 0.0 21208 1096 ? S< 15:59 0:00 /usr/sbin/sedispatch
root 1243 0.0 0.0 249092 1676 ? Sl 15:59 0:00 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5
rpc 1290 0.0 0.0 18976 900 ? Ss 15:59 0:00 rpcbind
dbus 1402 0.0 0.0 32208 1700 ? Ssl 15:59 0:00 dbus-daemon --system
root 1413 0.0 0.0 82708 4400 ? Ss 15:59 0:00 NetworkManager --pid-file=/var/run/NetworkManager/NetworkManager.pid
root 1420 0.0 0.0 58064 2436 ? S 15:59 0:00 /usr/sbin/modem-manager
root 1466 0.0 0.0 44976 696 ? Ss 15:59 0:00 /usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -B -u -f /var/log/wpa_supplicant.log -P /var/run/wpa_supplicant.pid
named 1481 0.0 0.2 166276 18876 ? Ssl 15:59 0:00 /usr/sbin/named -u named
rpcuser 1503 0.0 0.0 23348 1348 ? Ss 15:59 0:00 rpc.statd
root 1530 0.0 0.0 189348 3332 ? Ss 15:59 0:00 cupsd -C /etc/cups/cupsd.conf
root 1541 0.0 0.0 4080 640 ? Ss 15:59 0:00 /usr/sbin/acpid
68 1550 0.0 0.0 38744 3652 ? Ssl 15:59 0:00 hald
root 1551 0.0 0.0 20328 1172 ? S 15:59 0:00 hald-runner
root 1594 0.0 0.0 22448 1096 ? S 15:59 0:00 hald-addon-input: Listening on /dev/input/event2 /dev/input/event0
68 1603 0.0 0.0 17936 1036 ? S 15:59 0:00 hald-addon-acpi: listening on acpid socket /var/run/acpid.socket
root 1617 0.0 0.0 452304 3832 ? Ssl 15:59 0:00 automount --pid-file /var/run/autofs.pid
root 1638 0.0 0.0 6776 304 ? Ss 15:59 0:00 /usr/sbin/mcelog --daemon
root 1650 0.0 0.0 66616 1228 ? Ss 15:59 0:00 /usr/sbin/sshd
ntp 1658 0.0 0.0 30720 2128 ? Ss 15:59 0:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
clam 1666 0.0 3.6 415900 290500 ? Ssl 15:59 0:04 clamd
root 1702 0.0 0.0 108204 1456 ? S 15:59 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --pid-file=/var/run/mysqld/mysqld.pid --basedir=/usr --user=mysql
mysql 1837 0.0 1.5 1129412 128560 ? Sl 15:59 0:01 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/lib/mysql/mysql.sock
postgres 1891 0.0 0.0 216380 5096 ? S 15:59 0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
postgres 1893 0.0 0.0 179392 1076 ? Ss 15:59 0:00 postgres: logger process
postgres 1895 0.0 0.0 216380 1544 ? Ss 15:59 0:00 postgres: writer process
postgres 1896 0.0 0.0 216380 1276 ? Ss 15:59 0:00 postgres: wal writer process
postgres 1897 0.0 0.0 216796 1688 ? Ss 15:59 0:00 postgres: autovacuum launcher process
postgres 1898 0.0 0.0 179660 1396 ? Ss 15:59 0:00 postgres: stats collector process
root 1908 0.0 0.0 19268 692 ? Ss 15:59 0:00 /usr/sbin/dovecot
dovecot 1911 0.0 0.0 12988 948 ? S 15:59 0:00 dovecot/anvil
root 1912 0.0 0.0 13112 1068 ? S 15:59 0:00 dovecot/log
root 1920 0.0 0.0 68916 1720 ? Ss 15:59 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -r
root 1922 0.0 0.0 68916 1704 ? S 15:59 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -r
root 1923 0.0 0.0 68916 1700 ? S 15:59 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -r
root 1924 0.0 0.0 68916 1704 ? S 15:59 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -r
root 1925 0.0 0.0 68916 1700 ? S 15:59 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -r
root 1938 0.0 0.6 242432 51852 ? Ss 15:59 0:01 /usr/bin/spamd -d -c -m5 -H -r /var/run/spamd.pid
root 1940 0.0 0.6 242432 49632 ? S 16:00 0:00 spamd child
root 1941 0.0 0.6 242432 49632 ? S 16:00 0:00 spamd child
root 2016 0.0 0.0 81296 3408 ? Ss 16:00 0:00 /usr/libexec/postfix/master
postfix 2023 0.0 0.0 81552 3472 ? S 16:00 0:00 qmgr -l -t fifo -u
nobody 2027 0.0 0.0 152532 1772 ? Ss 16:00 0:00 proftpd: (accepting connections)
root 2049 0.0 0.0 110320 908 ? Ss 16:00 0:00 /usr/sbin/abrtd
root 2057 0.0 0.0 108204 836 ? Ss 16:00 0:00 abrt-dump-oops -d /var/spool/abrt -rwx /var/log/messages
root 2063 0.0 0.0 0 0 ? S 16:00 0:00 [hv_vmbus_ctl/0]
root 2069 0.0 0.2 397600 20612 ? Ss 16:00 0:00 /usr/sbin/httpd
apache 2077 0.0 0.0 261140 6516 ? S 16:00 0:00 /usr/sbin/httpd
root 2078 0.0 0.0 117332 1452 ? Ss 16:00 0:01 crond
root 2087 0.0 0.1 427108 9184 ? Sl 16:00 0:01 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x
apache 2117 0.0 0.1 384672 10572 ? S 16:00 0:00 /usr/sbin/httpd
apache 2118 0.0 0.1 402912 15332 ? S 16:00 0:00 /usr/sbin/httpd
apache 2119 0.0 0.1 398552 13668 ? S 16:00 0:00 /usr/sbin/httpd
apache 2120 0.0 0.1 402944 15312 ? S 16:00 0:00 /usr/sbin/httpd
apache 2121 0.0 0.1 398344 14240 ? S 16:00 0:00 /usr/sbin/httpd
apache 2122 0.0 0.1 398352 13540 ? S 16:00 0:00 /usr/sbin/httpd
apache 2123 0.0 0.1 398372 13596 ? S 16:00 0:00 /usr/sbin/httpd
apache 2124 0.0 0.1 398444 14344 ? S 16:00 0:00 /usr/sbin/httpd
apache 2125 0.0 0.1 398348 13556 ? S 16:00 0:00 /usr/sbin/httpd
root 2126 0.0 0.0 21540 480 ? Ss 16:00 0:00 /usr/sbin/atd
mailman 2136 0.0 0.1 206052 8300 ? Ss 16:00 0:00 /usr/bin/python /usr/lib/mailman/bin/mailmanctl -s -q start
mailman 2137 0.0 0.1 208272 11108 ? S 16:00 0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
mailman 2138 0.0 0.1 208344 11160 ? S 16:00 0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
mailman 2139 0.0 0.1 208264 11112 ? S 16:00 0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
mailman 2140 0.0 0.1 208272 11108 ? S 16:00 0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
mailman 2141 0.0 0.1 208256 11192 ? S 16:00 0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
mailman 2142 0.0 0.1 208308 11228 ? S 16:00 0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
mailman 2143 0.0 0.1 208280 11124 ? S 16:00 0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
mailman 2144 0.0 0.1 208352 11112 ? S 16:00 0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=RetryRunner:0:1 -s
root 2159 0.0 0.0 62352 608 ? Ss 16:00 0:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid
root 2174 0.0 0.6 188088 54492 ? Ss 16:00 0:00 /usr/libexec/webmin/virtual-server/lookup-domain-daemon.pl
root 2237 0.0 0.2 87556 16468 ? Ss 16:00 0:00 /usr/bin/perl /usr/libexec/usermin/miniserv.pl /etc/usermin/miniserv.conf
root 2426 0.0 0.7 139000 64064 ? Ss 16:00 0:00 /usr/bin/perl /usr/libexec/webmin/miniserv.pl /etc/webmin/miniserv.conf
root 2429 0.0 0.0 133936 2168 ? Ssl 16:00 0:00 /usr/sbin/gdm-binary -nodaemon
root 2434 0.0 0.0 4064 532 tty2 Ss+ 16:00 0:00 /sbin/mingetty /dev/tty2
root 2436 0.0 0.0 4064 536 tty3 Ss+ 16:00 0:00 /sbin/mingetty /dev/tty3
root 2438 0.0 0.0 4064 532 tty4 Ss+ 16:00 0:00 /sbin/mingetty /dev/tty4
root 2440 0.0 0.0 4064 536 tty5 Ss+ 16:00 0:00 /sbin/mingetty /dev/tty5
root 2442 0.0 0.0 4064 536 tty6 Ss+ 16:00 0:00 /sbin/mingetty /dev/tty6
root 2453 0.0 0.0 12568 2860 ? S< 16:00 0:00 /sbin/udevd -d
root 2454 0.0 0.0 12564 2796 ? S< 16:00 0:00 /sbin/udevd -d
root 2510 0.0 0.0 164568 3036 ? Sl 16:00 0:00 /usr/libexec/gdm-simple-slave --display-id /org/gnome/DisplayManager/Display1 --force-active-vt
root 2534 0.0 0.2 163024 20676 tty1 Ss+ 16:00 0:00 /usr/bin/Xorg :0 -nr -verbose -audit 4 -auth /var/run/gdm/auth-for-gdm-fzOPM4/database -nolisten tcp vt1
root 2681 0.0 0.0 577532 3240 ? Sl 16:00 0:00 /usr/sbin/console-kit-daemon --no-daemon
gdm 2787 0.0 0.0 20040 632 ? S 16:00 0:00 /usr/bin/dbus-launch --exit-with-session
gdm 2799 0.0 0.0 31780 1192 ? Ssl 16:00 0:00 /bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
gdm 2801 0.0 0.0 269112 7852 ? Ssl 16:00 0:00 /usr/bin/gnome-session --autostart=/usr/share/gdm/autostart/LoginWindow/
root 2806 0.0 0.0 49832 2624 ? S 16:00 0:00 /usr/libexec/devkit-power-daemon
gdm 2811 0.0 0.0 133500 5552 ? S 16:00 0:00 /usr/libexec/gconfd-2
gdm 2851 0.0 0.0 120328 4420 ? S 16:00 0:00 /usr/libexec/at-spi-registryd
gdm 2875 0.0 0.1 351124 12832 ? Ssl 16:00 0:00 /usr/libexec/gnome-settings-daemon --gconf-prefix=/apps/gdm/simple-greeter/settings-manager-plugins
gdm 2892 0.0 0.0 303208 2972 ? Ssl 16:00 0:00 /usr/libexec/bonobo-activation-server --ac-activate --ior-output-fd=12
525 2939 0.4 0.9 283936 72876 ? S 16:00 0:21 /usr/bin/php-cgi
gdm 2954 0.0 0.0 135112 1888 ? S 16:00 0:00 /usr/libexec/gvfsd
gdm 2989 0.0 0.1 289340 9864 ? S 16:00 0:00 metacity
gdm 3025 0.0 0.1 273784 8616 ? S 16:00 0:00 gnome-power-manager
gdm 3035 0.0 0.0 248364 7380 ? S 16:00 0:00 /usr/libexec/polkit-gnome-authentication-agent-1
gdm 3041 0.0 0.1 384884 15860 ? S 16:00 0:00 /usr/libexec/gdm-simple-greeter
root 3062 0.0 0.0 52512 4188 ? S 16:00 0:00 /usr/libexec/polkit-1/polkitd
gdm 3073 0.0 0.0 346200 2852 ? S<sl 16:00 0:00 /usr/bin/pulseaudio --start --log-target=syslog
rtkit 3075 0.0 0.0 168456 1188 ? SNl 16:00 0:00 /usr/libexec/rtkit-daemon
root 3177 0.0 0.0 142040 2080 ? S 16:00 0:00 pam: gdm-password
root 3190 0.0 0.0 100368 4368 ? Ss 16:00 0:00 sshd: root@notty
root 3195 0.0 0.0 57828 2356 ? Ss 16:00 0:00 /usr/libexec/openssh/sftp-server
nyccuser 3208 0.0 0.4 241276 34936 ? S 16:00 0:03 /usr/bin/php-cgi
postfix 3396 0.0 0.0 81376 3320 ? S 16:01 0:00 pickup -l -t fifo -u
root 4023 0.0 0.0 100368 4356 ? Ss 16:01 0:00 sshd: root@notty
root 4154 0.0 0.0 57688 2264 ? Ss 16:01 0:00 /usr/libexec/openssh/sftp-server
533 4359 0.0 0.5 253364 46604 ? S 16:01 0:00 /usr/bin/php-cgi
533 4425 0.0 0.6 267460 56056 ? S 16:01 0:00 /usr/bin/php-cgi
apache 4846 0.0 0.1 398460 13576 ? S 16:01 0:00 /usr/sbin/httpd
525 4847 0.3 0.9 287248 76124 ? S 16:01 0:17 /usr/bin/php-cgi
rmccfei 5113 0.0 0.5 344348 40872 ? S 16:02 0:03 /usr/bin/php-cgi
507 5375 0.0 0.1 222628 15468 ? S 16:03 0:00 /usr/bin/php-cgi
internal 5681 0.0 0.3 237332 30692 ? S 16:04 0:02 /usr/bin/php-cgi
apache 6710 0.0 0.1 398272 13468 ? S 16:09 0:00 /usr/sbin/httpd
apache 7050 0.0 0.1 398512 13596 ? S 16:10 0:00 /usr/sbin/httpd
root 7088 0.0 0.0 100368 4348 ? Ss 16:11 0:00 sshd: root@pts/0
root 7095 0.0 0.0 108340 1832 pts/0 Ss 16:11 0:00 -bash
apache 7838 0.0 0.1 402880 15328 ? S 16:13 0:00 /usr/sbin/httpd
nyccuser 8911 0.0 0.3 235856 29348 ? S 16:16 0:02 /usr/bin/php-cgi
517 9188 0.0 0.5 247768 40860 ? S 16:18 0:01 /usr/bin/php-cgi
rti_ctrl 11888 0.0 0.1 220448 12292 ? S 16:34 0:00 /usr/bin/php-cgi
postfix 12416 0.0 0.0 98816 4788 ? S 16:36 0:00 smtpd -n smtp -t inet -u -o stress= -s 2 -o smtpd_sasl_auth_enable=yes
postfix 12418 0.0 0.0 81368 3368 ? S 16:36 0:00 anvil -l -t unix -u
apache 13352 0.0 0.1 398220 13396 ? S 16:44 0:00 /usr/sbin/httpd
apache 13357 0.0 0.1 398196 13364 ? S 16:44 0:00 /usr/sbin/httpd
apache 13358 0.0 0.1 398336 13484 ? S 16:44 0:00 /usr/sbin/httpd
postfix 14467 0.0 0.0 98816 4784 ? S 16:49 0:00 smtpd -n smtp -t inet -u -o stress= -s 2 -o smtpd_sasl_auth_enable=yes
513 14928 0.2 0.3 333712 30836 ? S 16:51 0:04 /usr/bin/php-cgi
dovecot 15122 0.0 0.0 76636 2748 ? S 16:52 0:00 dovecot/auth
root 15123 0.0 0.0 76636 2864 ? S 16:52 0:00 dovecot/auth -w
root 19420 0.0 0.0 0 0 ? S 17:14 0:00 [flush-8:0]
root 19645 19.5 1.7 423276 142296 ? Sl 17:16 0:03 /usr/bin/python -Es /usr/sbin/setroubleshootd -f
root 20115 0.0 0.0 110240 1136 pts/0 R+ 17:16 0:00 ps auxw
Submitted by nhsitehost on Sun, 08/03/2014 - 16:55 Pro Licensee Comment #9
Could it be one of these?
Installed Packages
kmod-microsoft-hyper-v.x86_64 rhel63.3.4-1.20120727 installed
xorg-x11-drv-hyperpen.x86_64 1.4.1-4.el6 @anaconda-CentOS-201311272149.x86_64/6.5
Available Packages
hypervkvpd.x86_64 0-0.12.el6 base
[root@centos6 ~]#
Submitted by andreychek on Sun, 08/03/2014 - 16:56 Comment #10
Ah, it looks like you're running a desktop version of CentOS, and there's a number of processes running that I'm not familiar with.
However, of what I see, my best guess is that it may be related to Fail2ban.
Could you try disabling that, and see if the rules stop being modified?
Submitted by nhsitehost on Sun, 08/03/2014 - 17:00 Pro Licensee Comment #11
Nope, definitely NOT Fail2Ban. Turned it off, updated iptables to default, a few seconds later they were all back....
I think it has something to do with kmod-microsoft-hyper-v.x86_64
This is a VM running on Server 2012
Submitted by andreychek on Sun, 08/03/2014 - 17:16 Comment #12
I haven't used Microsoft Hyper-V previously, and hadn't attempted running any VMs within it. However, Googling that particular package name, it appears that all it does is provide a set of kernel modules that enables Linux to run as a Hyper-V VPS guest.
Typically, kernel modules don't add firewall rules, though I suppose that it's technically possible.
I suspect that the culprit is elsewhere though, as there wouldn't be a simple way to configure those kernel modules with what firewall parameters to use.
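Two things in this thread lend themselves to a scripted check rather than eyeballing: the dump in Comment #1, where the same virbr0 / 192.168.122.0/24 / CHECKSUM rules appear four times over, and the observation in Comment #11 that the rules reappear seconds after the firewall is reset. The script below is an added example written for this thread, not code from the poster or from Virtualmin. It parses iptables-save output, reports rules that are duplicated within one table and chain, lists the rules that mention a given interface or subnet, and diffs two snapshots so that "what came back after the reset" is printed as an explicit list instead of being inferred. The sample dumps are constructed: SAVED_RULES is a trimmed copy of a few lines from Comment #1, and RESET_RULES is a hypothetical "just after reset" snapshot with the virbr0 entries stripped. For what it is worth, the repeating pattern (virbr0, 192.168.122.0/24, dnsmasq on ports 53/67, CHECKSUM fill on UDP 68, MASQUERADE) is the rule set libvirt installs for its "default" NAT network; on CentOS 6 the init script is named libvirtd, not libvirt, and the same duplicates will also be reloaded at every restart of the iptables service if they sit in /etc/sysconfig/iptables, so both are worth checking before blaming other software.

```python
"""Audit an iptables-save dump: duplicated rules, rules tied to one interface,
and the difference between two snapshots. Added example for this thread; the
two dumps below are constructed samples, not the poster's full rule set."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of a few lines from the Comment #1 dump.
SAVED_RULES = """\
# Generated by iptables-save v1.4.7 on Wed Apr 9 14:02:18 2014
*mangle
:POSTROUTING ACCEPT [14490:8480285]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
COMMIT
"""

# Constructed, hypothetical "just after reset" snapshot (Comment #11 scenario):
# the host's own rules with every virbr0 entry removed.
RESET_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

Rule = Tuple[str, str, str]  # (table, chain, match-and-target text)


def parse_iptables_save(text: str) -> List[Rule]:
    """Return every -A rule as (table, chain, rest), in file order.
    A list rather than a set, because repeated rules are the finding."""
    rules: List[Rule] = []
    table = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # iptables-save comments
        if line.startswith("*"):
            table = line[1:]  # "*filter" -> current table
        elif line.startswith("-A ") and table:
            _, chain, rest = line.split(" ", 2)
            rules.append((table, chain, rest))
        # ":CHAIN POLICY [pkts:bytes]" and "COMMIT" carry no rules
    return rules


def find_duplicates(rules: List[Rule]) -> Dict[Rule, int]:
    """Rules that occur more than once in the same table and chain."""
    return {r: n for r, n in Counter(rules).items() if n > 1}


def rules_mentioning(rules: List[Rule], token: str) -> List[Rule]:
    """Rules whose match part contains the token as a whole word, e.g. an
    interface name ("virbr0") or a subnet ("192.168.122.0/24")."""
    return [r for r in rules if token in r[2].split()]


def diff_snapshots(before: List[Rule], after: List[Rule]):
    """Rules added and removed between two dumps, as multisets, so a rule
    that went from one copy to three is reported as two additions."""
    b, a = Counter(before), Counter(after)
    return list((a - b).elements()), list((b - a).elements())


def audit(text: str, interface: str = "virbr0") -> dict:
    rules = parse_iptables_save(text)
    return {
        "total": len(rules),
        "duplicates": find_duplicates(rules),
        "interface_rules": rules_mentioning(rules, interface),
    }


if __name__ == "__main__":
    report = audit(SAVED_RULES)
    print(f"{report['total']} rules parsed")
    for (table, chain, rest), n in report["duplicates"].items():
        print(f"  x{n} in {table}/{chain}: {rest}")
    added, removed = diff_snapshots(parse_iptables_save(RESET_RULES),
                                    parse_iptables_save(SAVED_RULES))
    print(f"{len(added)} rules reappeared after reset, {len(removed)} gone:")
    for table, chain, rest in added:
        print(f"  + {table}/{chain} {rest}")
```

On the real host the two snapshots come from running iptables-save before and a few seconds after the reset and feeding both texts to diff_snapshots; the output then says exactly which rules a background process keeps restoring, and whether they all carry the virbr0 signature.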