Hi,

Thanks for the help on this! I found the problem is this web server was intended for use by my family only, not the whole world which appears to have found it. Checking the apache logs I found much more activity than it should be getting. Now I have a new project, to figure out how to limit usage to only those that I want.

Thanks again for the help!!

John

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Steve Phillips
Sent: Wednesday, June 24, 2009 7:28 PM
To: General Red Hat Linux discussion list
Subject: Re: Identifying and Stopping Unwanted Net Traffic

On Thu, Jun 25, 2009 at 8:40 AM, Krautkramer, John <John.Krautkramer@xxxxxxxxxx> wrote:
> Hi,
>
> Yes you are correct in that I am running a web server. I just caught the
> machine acting up again and this is what "netstat -tpn" gives me:
>
> newdelli 69: netstat -tpn
> (Not all processes could be identified, non-owned process info
> will not be shown, you would have to be root to see it all.)
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address               Foreign Address              State        PID/Program name
> tcp        0      0 192.168.1.41:46541          85.17.35.51:80               ESTABLISHED  3075/firefox-bin
> tcp        0 129720 192.168.1.41:8080           65.218.208.2:54343           ESTABLISHED  -
> tcp        0  37856 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49754   ESTABLISHED  -
> tcp        0  25688 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49752   ESTABLISHED  -
> tcp        0  31096 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49758   ESTABLISHED  -
> tcp        0  14872 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49756   ESTABLISHED  -
> tcp        0  27040 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49746   ESTABLISHED  -
> tcp        0  35152 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49744   ESTABLISHED  -
> tcp        0  20280 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49750   ESTABLISHED  -
> tcp        0    784 ::ffff:192.168.1.41:22      ::ffff:65.218.208.2:21290    ESTABLISHED  -
> tcp        0  17576 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49768   ESTABLISHED  -
> tcp        0  24336 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49762   ESTABLISHED  -
> tcp        0  18928 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49760   ESTABLISHED  -
> tcp        0  27040 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49766   ESTABLISHED  -
> tcp        0  22984 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49764   ESTABLISHED  -
> tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3112   TIME_WAIT    -
> tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3107   TIME_WAIT    -
> tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3097   TIME_WAIT    -
> tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3102   TIME_WAIT    -
> tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3088   TIME_WAIT    -
> tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3093   TIME_WAIT    -
> tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3082   TIME_WAIT    -
> tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3073   TIME_WAIT    -
> tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3078   TIME_WAIT    -
>
> The only program listed is firefox which I know is running on the
> machine at the moment. The rest doesn't show any program. Does this mean
> those connections were initiated from outside of the box? If that's the
> case, then I need to find what these outside machines are getting to and
> block it somehow.

If you are running a web server then it is probably safe to assume that these connections are being initiated from outside and connecting back into your web server on port 80. Netstat does not tend to show which side did the initiating, but rather, the current connection list.

It also doesn't say what is so popular on your web server that is causing these people to connect. For that you would need to look at your apache logs (or the logs for the web server you run if it's not apache) and try and find out what people are finding so interesting.

An easy way to do this would be something similar to:

# netstat -an   <-- find an IP address connecting to the web server
.
tcp        0  24336 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49762   ESTABLISHED  -
.
etc
# cd /path/to/webserver/logs
# grep "76.67.226.234" access_log
76.67.226.234 - - [24/Jun/2009:20:06:09 -0500] "GET /reallybigiso.iso HTTP/1.1" 200 1000000000

This will tell you that there is someone transferring a file called reallybigiso.iso from your webroot. Based on this, you might find a pattern (someone might have found a pretty picture they like and linked it to 398274987324 myspace sites) and then you can decide what to do from there.

> As pointed out above, the port through which the connections are made is
> 80. I don't know what I would to do eliminate this since I need port 80
> for my web server to function.
>
> The IP addresses causing the problem have again changed.

If it's people randomly visiting your web server then this is entirely expected behaviour.

--
Steve.
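The two-step check Steve describes (pull the remote IPs that are connected to port 80 out of netstat, then grep the access_log for each of them) written out as a small shell script, so the same question can be answered over a whole log rather than one IP at a time. This is an added example, not code from the thread or from Red Hat; the netstat and access_log lines embedded in it are constructed samples modelled on the ones John posted, and the helper names web_peers, report_by_ip and run_sample are mine. It assumes the IPv4-mapped "::ffff:" form netstat printed in the thread and Apache's common or combined LogFormat, where the response size is the tenth field.

```shell
#!/bin/sh
# Added example (not from the thread): correlate the remote peers that
# "netstat -tn" shows on the web port with Apache access_log entries, so
# you can see what each outside host is fetching and how much it has pulled.
# Both inputs below are constructed samples modelled on the thread's output;
# on a real box you would feed the live data instead, e.g.:
#   netstat -tn | web_peers 80 > /tmp/peers
#   report_by_ip /var/log/httpd/access_log /tmp/peers

# Constructed "netstat -tn" output (IPv4-mapped IPv6 form, as in the thread).
NETSTAT_SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 192.168.1.41:46541          85.17.35.51:80              ESTABLISHED
tcp        0  24336 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49762  ESTABLISHED
tcp        0  18928 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49760  ESTABLISHED
tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3112  TIME_WAIT
tcp        0    784 ::ffff:192.168.1.41:22      ::ffff:65.218.208.2:21290   ESTABLISHED'

# Constructed access_log lines in Apache common log format.
ACCESS_SAMPLE='76.67.226.234 - - [24/Jun/2009:20:06:09 -0500] "GET /reallybigiso.iso HTTP/1.1" 200 1000000000
76.67.226.234 - - [24/Jun/2009:20:06:11 -0500] "GET /reallybigiso.iso HTTP/1.1" 206 52428800
212.200.38.150 - - [24/Jun/2009:20:07:01 -0500] "GET /photos/cat.jpg HTTP/1.1" 200 204800
212.200.38.150 - - [24/Jun/2009:20:07:02 -0500] "GET /photos/cat.jpg HTTP/1.1" 200 204800
10.0.0.5 - - [24/Jun/2009:20:08:00 -0500] "GET /index.html HTTP/1.1" 200 1024'

# web_peers PORT: read netstat -tn output on stdin and print each distinct
# remote IP whose LOCAL endpoint is PORT. netstat does not record which side
# opened the connection, but a local port equal to the listening port means
# the remote host connected to us; outbound connections (the firefox line,
# whose local port is ephemeral) are left out. Assumes IPv4 or IPv4-mapped
# addresses, so the part before the first ":" is the host.
web_peers() {
    awk -v port="$1" '
        $1 == "tcp" || $1 == "tcp6" {
            lcl = $4; rmt = $5
            sub(/^::ffff:/, "", lcl); sub(/^::ffff:/, "", rmt)
            n = split(lcl, l, ":"); split(rmt, r, ":")
            if (l[n] == port) print r[1]
        }' | sort -u
}

# report_by_ip LOGFILE PEERFILE: for every IP listed in PEERFILE, print
#   <ip> <total bytes served> <most requested path> <hits on that path>
# Field 10 is the response size in both the common and combined LogFormats.
report_by_ip() {
    log="$1"; peers="$2"
    while read -r ip; do
        awk -v ip="$ip" '
            $1 == ip { bytes += $10; hits[$7]++ }
            END {
                best = ""
                for (p in hits) if (best == "" || hits[p] > hits[best]) best = p
                printf "%s %d %s %d\n", ip, bytes, best, hits[best]
            }' "$log"
    done < "$peers"
}

# run_sample: glue the two steps together over the constructed data and
# print one summary line per remote peer.
run_sample() {
    log=$(mktemp); peers=$(mktemp)
    printf '%s\n' "$ACCESS_SAMPLE" > "$log"
    printf '%s\n' "$NETSTAT_SAMPLE" | web_peers 80 > "$peers"
    report_by_ip "$log" "$peers"
    rm -f "$log" "$peers"
}

run_sample
```

On the sample data this prints one line per peer: 76.67.226.234 has pulled just over a gigabyte in two requests for /reallybigiso.iso, and 212.200.38.150 has fetched /photos/cat.jpg twice; the 10.0.0.5 hit is ignored because that host is not in the netstat peer list. The script only answers "what is popular", which is the question Steve raises; deciding who is allowed to fetch it (John's "new project") is a separate step done in the web server's own access controls, not in netstat.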
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list