PDA

View Full Version : [warn] (95)Operation not supported: setsockopt: (TCP_NODELAY



skywriter
02-02-2004, 04:03 PM
I get the following in my error logs...

[warn] (95)Operation not supported: setsockopt: (TCP_NODELAY)

...from time to time. I generally get this "warning"? in clusters... a few times in a row with very short time intervals between, but occasionally get quite a large number of them.

Can anyone provide some insight as to what it means and also what causes it? I find no correlation to information in my access or mail logs, nor have I been able to "make it happen" on purpose.

Thanks.

jalal
02-03-2004, 07:14 AM
I asked Westhost about this and they said that it is not a problem.

It is a bit annoying tho...

:(

skywriter
02-03-2004, 02:30 PM
jalal wrote: I asked Westhost about this and they said that it is not a problem. It is a bit annoying tho...


Thanks for the Reply. But I'd really like to know more about what's going on here. Is this a 'visiting' computer contacting mine (West Host's) and asking it to perform an operation that's not supported, or West Host's contacting the visitor's computer and that computer doesn't support the setsockopt operation, or what?

I kind of figured by the [warn] part of the message that it's nothing to be greatly concerned about, but I am curious about it... and it sure shows up in my logs in the weirdest fashion sometimes. A few days ago, I must have gotten a couple hundred entries over a 5 or 6 minute period.

wildjokerdesign
02-03-2004, 04:44 PM
http://linuxselfhelp.com/apache/manual/misc/FAQ.html#nodelay
This one had to do with "httpd: could not set socket option TCP_NODELAY" showing up in error log. In this case it was because the client had disconnected before Apache reache the point of calling setsocketopt() so wonder if this one is similiar. Could it maybe have something to do with spiders coming through the site?

I did see the answer while there that I had always wondered about. I used to see entries in my error log about derault.ida and cmd.exe. I had asked WH about it and got the reply Jalal did about this that it was nothing to be concerned about. They are correct. Here is the answer that Apache gives to this:


Why do I have weird entries in my logs asking for default.ida and cmd.exe?
The host requesting pages from your website and creating those entries is a Windows machine running IIS that has been infected by an Internet worm such as Nimda or Code Red. You can safely ignore these error messages as they do not affect Apache.

They also gave a link to an article on it if anyone would like to read it.
http://www.apacheweek.com/features/codered
That links to the Apache Newletter site and it may be worth keeping that one bookmarked. Right now I am looking through them to see if there is any mention of this... but there are alot of them.

skywriter
02-03-2004, 05:32 PM
wildjokerdesign wrote:
-----------------------------
http://linuxselfhelp.com/apache/manual/misc/FAQ.html#nodelay
This one had to do with "httpd: could not set socket option TCP_NODELAY" showing up in error log. In this case it was because the client had disconnected before Apache reache the point of calling setsocketopt() so wonder if this one is similiar. Could it maybe have something to do with spiders coming through the site?
-----------------------------

Thanks for the Reply. I also found the referenced explanation you mention, but to me it didn't quite fit (at that time). I suppose if it was a spider that was blocked before it made a call of any web pages or files that would explain no corresponding entries in my access logs. And while I've seen some persistent bots and probes, but none like this. I have one instance from about a week ago where this error is listed 340 times in the error log in 1.5 minutes.

Hmmm... checking back in my error logs I don't have any of these entried prior to middle of November. I added an .htaccess file about that time that does do some bot blocking. I also started doing some IP filtering (blocking) at about the same time. So maybe there is some sort of correlation there.

wildjokerdesign
02-03-2004, 05:41 PM
I keep trying to find a page on the net that well list all the log errors and what they mean but can not seem to find one. Perhaps I am asking to much or simply searching for the wrong thing. :) Hmm... perhaps I should give this up they do say that "Curiosity killed the cat".

jalal
02-04-2004, 03:21 AM
http://linuxselfhelp.com/apache/manual/misc/FAQ.html#nodelay
This one had to do with "httpd: could not set socket option TCP_NODELAY" showing up in error log. In this case it was because the client had disconnected before Apache reache the point of calling setsocketopt() so wonder if this one is similiar. Could it maybe have something to do with spiders coming through the site?

From their description on the page, it also sounds like an error that could be triggered by a port scanner. Port scanners are used to find open, unprotected ports on servers prior to attempting entry (they also have legitimate uses, I might add) and sometimes make a request and then disconnect straight away.

Just a possibility...

On another theme of this thread... concerning requests for 'cmd.exe' or 'default.ida' and other stuff. I also take care of a site on a Windows server and looking through the logs there is quite worrying. There are hundreds of probes a day for 'cmd.exe' and various other possible compromises. When a new worm is doing the rounds, hundreds an hour. It seems not to happen to Westhost servers as much and I wonder if the various probes, such as the error that started this thread, are enough to warn kiddies that this is Linux and not open to attack.
:?: