
netstat shows strange output

From: William Twomey <william.twomey(at)gmail.com>
Date: Sun Jan 06 2008 - 14:36:26 EST


netstat | grep www | wc -l
1138

I was seeing lots of 'SYN_RECV' on port 80 coming from one host. I've tried the following iptables rules (from iptables-save). Kind of a mess, as I've been trying multiple things to solve this problem.

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DDoS

I also disabled ipv6, which I was seeing a lot of from this host.

I am now seeing a lot of entries like this:

tcp 0 0 192.168.1.240:www ba.2c.5646.static:34884 FIN_WAIT2
tcp 0 0 192.168.1.240:www ba.2c.5646.static:33860 FIN_WAIT2
tcp 0 0 192.168.1.240:www ba.2c.5646.static:33863 FIN_WAIT2
tcp 1 0 192.168.1.240:www ba.2c.5646.static:44103 CLOSE_WAIT
tcp 0 0 192.168.1.240:www ba.2c.5646.static:57671 ESTABLISHED
tcp 0 0 192.168.1.240:www ba.2c.5646.static:57927 FIN_WAIT2
tcp 0 0 192.168.1.240:www ba.2c.5646.static:57926 FIN_WAIT2
tcp 0 0 192.168.1.240:www ba.2c.5646.static:58489 FIN_WAIT2
tcp 1 0 192.168.1.240:www ba.2c.5646.static:57465 CLOSE_WAIT
tcp 0 0 192.168.1.240:www ba.2c.5646.static:50041 FIN_WAIT2
tcp 0 0 192.168.1.240:www ba.2c.5646.static:48251 FIN_WAIT2
tcp 1 0 192.168.1.240:www ba.2c.5646.static:44155 CLOSE_WAIT
tcp 0 0 192.168.1.240:www ba.2c.5646.static:55675 FIN_WAIT2
tcp 1 0 192.168.1.240:www ba.2c.5646.static:41850 CLOSE_WAIT
tcp 0 0 192.168.1.240:www ba.2c.5646.static:55674 FIN_WAIT2
tcp 1 0 192.168.1.240:www ba.2c.5646.static:44413 CLOSE_WAIT
tcp 0 0 192.168.1.240:www ba.2c.5646.static:59517 ESTABLISHED
tcp 1 0 192.168.1.240:www ba.2c.5646.static:44401 CLOSE_WAIT

I've blocked this IP (resolves to 18255.com) on this machine using iptables -I INPUT -s 66.116.125.131 -j DROP

This doesn't work, so perhaps it's a spoofed IP? *shrugs*

Any help would be appreciated, this is causing a bit of strain on my web server. :/


-Will
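An added example, not part of the original post or of any Debian tooling: a small Python script that parses netstat output of the kind listed above and counts connections per remote host and TCP state, then flags peers with many half-open (SYN_RECV) or half-closed (FIN_WAIT2, CLOSE_WAIT and the other teardown states) sockets towards the web port. The sample lines, the hypothetical peer addresses and the thresholds are constructed. One point the summary makes visible: FIN_WAIT2 and CLOSE_WAIT belong to sockets that already completed the handshake, so an INPUT DROP on the source address stops new packets from that host but does not by itself clear entries already in those states; CLOSE_WAIT in particular stays until the local application closes the socket.

```python
"""Summarize netstat TCP output per remote host and connection state.

Added example (not from the original post): parses lines such as
'tcp 0 0 192.168.1.240:www ba.2c.5646.static:34884 FIN_WAIT2' and flags
peers with many half-open or half-closed sockets towards the web port.
"""
import sys
from collections import Counter, defaultdict

# Constructed sample, modelled on the format of the post's listing; the
# peers 10.0.0.7, 10.0.0.9 and ::1 are hypothetical.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp 0 0 192.168.1.240:www ba.2c.5646.static:34884 FIN_WAIT2
tcp 0 0 192.168.1.240:www ba.2c.5646.static:33860 FIN_WAIT2
tcp 1 0 192.168.1.240:www ba.2c.5646.static:44103 CLOSE_WAIT
tcp 0 0 192.168.1.240:www ba.2c.5646.static:57671 ESTABLISHED
tcp 0 0 192.168.1.240:www 10.0.0.7:51002 SYN_RECV
tcp 0 0 192.168.1.240:www 10.0.0.7:51003 SYN_RECV
tcp 0 0 192.168.1.240:www 10.0.0.7:51004 SYN_RECV
tcp 0 0 192.168.1.240:ssh 10.0.0.9:40000 ESTABLISHED
tcp6 0 0 ::1:80 ::1:52000 TIME_WAIT
"""

# Service names appear without -n, port numbers with -n; accept both.
WEB_PORTS = {"www", "http", "80", "https", "443"}
HALF_OPEN = {"SYN_RECV"}                      # handshake not completed
HALF_CLOSED = {"FIN_WAIT1", "FIN_WAIT2", "CLOSE_WAIT", "LAST_ACK", "CLOSING"}


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6 literals like ::1:80 survive."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per TCP socket line; headers and non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        proto, recvq, sendq, local, remote, state = fields[:6]
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        if rport == "*":          # listening socket, no peer to count
            continue
        rows.append({
            "proto": proto, "recvq": int(recvq), "sendq": int(sendq),
            "local_host": lhost, "local_port": lport,
            "remote_host": rhost, "remote_port": rport, "state": state,
        })
    return rows


def count_by_peer(rows, local_ports=WEB_PORTS):
    """Map remote host -> Counter of TCP states, restricted to the given local ports."""
    counts = defaultdict(Counter)
    for r in rows:
        if r["local_port"] in local_ports:
            counts[r["remote_host"]][r["state"]] += 1
    return counts


def suspicious_peers(counts, half_open_limit=50, half_closed_limit=100):
    """Return {host: reason} for peers over either threshold (limits are constructed)."""
    flagged = {}
    for host, states in counts.items():
        half_open = sum(n for s, n in states.items() if s in HALF_OPEN)
        half_closed = sum(n for s, n in states.items() if s in HALF_CLOSED)
        if half_open >= half_open_limit:
            flagged[host] = "half-open=%d" % half_open
        elif half_closed >= half_closed_limit:
            flagged[host] = "half-closed=%d" % half_closed
    return flagged


def report(text, **limits):
    """One line per peer, busiest first, followed by FLAG lines for suspicious peers."""
    counts = count_by_peer(parse_netstat(text))
    lines = []
    for host, states in sorted(counts.items(), key=lambda kv: -sum(kv[1].values())):
        detail = " ".join("%s=%d" % (s, n) for s, n in sorted(states.items()))
        lines.append("%-25s total=%-4d %s" % (host, sum(states.values()), detail))
    for host, why in sorted(suspicious_peers(counts, **limits).items()):
        lines.append("FLAG %s (%s)" % (host, why))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: netstat -nt | python3 netstat_peers.py   (no input: runs on the sample)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    print(report(data, half_open_limit=3, half_closed_limit=3))
```

The script only reads netstat output; choosing what to do about a flagged peer (rate limiting new connections, shortening the FIN_WAIT2 timeout, or fixing the application that leaves sockets in CLOSE_WAIT) is a separate decision, and the per-state breakdown is what tells those cases apart.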

Received on Sun Jan 6 14:36:42 2008

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:55:01 EDT