# kernel module auto-load of net-pf-2-proto-17-type-1 ??

## Philippe23

I've been getting messages like this in my logs for a little while now.

 *Quote:*   

> Jun 16 09:16:06 localhost kernel: [4307269.978879] grsec: From 119.63.196.20: denied kernel module auto-load of net-pf-2-proto-17-type-1 by /usr/sbin/apache2[apache2:1407] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:14996] uid/euid:0/0 gid/egid:0/0

 

119.63.196.20 looks like it is a Baidu Search Engine Spider IP.

What would be triggering this, what exactly is apache trying to load (PF 2, PROTO 17 is UDP).  Is there any danger in this?  If this is just UDP and is harmless, any idea which kernel option builds this in?

----------

## neofutur

 *Philippe23 wrote:*   

> I've been getting messages like this in my logs for a little while now.
> 
>  *Quote:*   Jun 16 09:16:06 localhost kernel: [4307269.978879] grsec: From 119.63.196.20: denied kernel module auto-load of net-pf-2-proto-17-type-1 by /usr/sbin/apache2[apache2:1407] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:14996] uid/euid:0/0 gid/egid:0/0 
> 
> 119.63.196.20 looks like it is a Baidu Search Engine Spider IP.
> ...

 

I d also be happy to get a definitive answer on this, couldnt find any way to stop apache to try to load ipv6 every 2 seconds

the answer from http://httpd.apache.org/docs/current/bind.html#ipv6

is just not working here, still getting :

 *Quote:*   

> Oct 27 22:04:35 x kernel: grsec: denied kernel module auto-load of ipv6 by uid 81
> 
> Oct 27 22:04:37 x kernel: grsec: denied kernel module auto-load of ipv6 by uid 81
> 
> Oct 27 22:04:38 x kernel: grsec: denied kernel module auto-load of ipv6 by uid 81
> ...

 

nearly one / second . . .

----------

## neofutur

 *neofutur wrote:*   

> 
> 
> the answer from http://httpd.apache.org/docs/current/bind.html#ipv6
> 
> is just not working here, still getting :
> ...

 

since the main danger here is overloading your server with too many log messages ( and yes this is is a possible DOS/DDOS against anyone not allowing ipv6 ) concerning the war between me/grsec and silly apache , I finally edited the syslog-ng filter for grsec :

from

```
#filter f_grsec { message("^(\\[.*\..*\] |)grsec:.*"); };
```

to

```
filter f_grsec { message("^(\\[.*\..*\] |)grsec:.*") and not message(".*ipv6.*"); };
```

hopes this help , feel free to suggest a better syslog-ng filter please  :Wink: 

I hate ignoring logs, but this one really exploded the loadavg on my server

also i m ready to try whatever apache config trick you could suggest to have this bitch stop trying to load ipv6 module ( but I already tried every answer i could find on the internet  :Wink:  ).

( i wish apache had a use flag -ipv6 )

----------

