What the hell is all of this??? netstat -a output


Bowtie
04-06-2006, 01:43 PM
I have an apache web server running with a phpbb message board for myself and my friends. I've been noticing that the server has been lagging lately so I did top and saw that perl was using about 99% cpu......so I killed it and things went back to normal. I don't know if there is a way to check what that particular instance of perl is doing or not, so I killed it like I said earlier. Next, I did a netstat -a and got the results below. I know there are some services I need to kill (I saw sunrpc for example). I guess my basic question is how do I block the (I'm assuming) bots and such (whatever atlas.f2k-server.org:59206 could be)??? I've got robots.txt setup in the document root directory. Any suggestions??
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:mysql *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 localhost.localdomain:ipp *:* LISTEN
tcp 0 0 localhost.localdomain:smtp *:* LISTEN
tcp 0 0 *:700 *:* LISTEN
tcp 483 0 192.168.0.100:http f2.c3.5546.static.the:36839 CLOSE_WAIT
tcp 0 0 192.168.0.100:3819 64.233.167.147:http ESTABLISHED
tcp 0 0 192.168.0.100:3832 64.233.167.147:http ESTABLISHED
tcp 0 0 192.168.0.100:3828 64.233.167.147:http ESTABLISHED
tcp 391 0 192.168.0.100:http adsl-71-156-64-209.dsl:1886 CLOSE_WAIT
tcp 477 0 localhost.localdomain:http localhost.localdomain:3840 CLOSE_WAIT
tcp 764 0 192.168.0.100:http cpe-24-174-43-74.hous:19555 CLOSE_WAIT
tcp 0 475 192.168.0.100:3383 hu-triton.com:http FIN_WAIT1
tcp 476 0 localhost.localdomain:http localhost.localdomain:1793 CLOSE_WAIT
tcp 481 0 localhost.localdomain:http localhost.localdomain:4289 CLOSE_WAIT
tcp 0 0 192.168.0.100:3842 64.233.167.147:http ESTABLISHED
tcp 0 477 192.168.0.100:3327 ns1.accuratewebhosting:http FIN_WAIT1
tcp 0 479 192.168.0.100:3251 srv07.arkwebs7.com:http FIN_WAIT1
tcp 291 0 192.168.0.100:http crawl-66-249-66-16.go:35925 CLOSE_WAIT
tcp 0 475 192.168.0.100:3541 ev1s-67-15-0-76.ev1ser:http FIN_WAIT1
tcp 477 0 localhost.localdomain:http localhost.localdomain:3794 CLOSE_WAIT
tcp 483 0 192.168.0.100:http p15192576.pureserver.:55449 CLOSE_WAIT
tcp 291 0 192.168.0.100:http crawl-66-249-66-16.go:50085 CLOSE_WAIT
tcp 0 467 192.168.0.100:3333 secure.chikiraserver.c:http FIN_WAIT1
tcp 0 0 192.168.0.100:3782 69.25.142.6:http TIME_WAIT
tcp 0 13140 192.168.0.100:http cpe-70-114-144-230.ho:24596 CLOSE_WAIT
tcp 291 0 192.168.0.100:http crawl-66-249-66-16.go:43876 CLOSE_WAIT
tcp 481 0 localhost.localdomain:http localhost.localdomain:2515 CLOSE_WAIT
tcp 0 481 192.168.0.100:3523 secure.chikiraserver.c:http FIN_WAIT1
tcp 477 0 localhost.localdomain:http localhost.localdomain:4531 CLOSE_WAIT
tcp 1 484 192.168.0.100:3508 canberra.soho.aussiehq:http CLOSING
tcp 0 0 192.168.0.100:3697 69.25.142.6:http TIME_WAIT
tcp 0 480 192.168.0.100:3198 ev1s-67-15-125-38.ev1s:http FIN_WAIT1
tcp 0 480 192.168.0.100:3194 ev1s-67-15-125-38.ev1s:http FIN_WAIT1
tcp 391 0 192.168.0.100:http adsl-71-156-64-209.dsl:2378 CLOSE_WAIT
tcp 483 0 192.168.0.100:http u15156495.onlinehome-:56614 CLOSE_WAIT
tcp 0 478 192.168.0.100:3645 ev1s-67-15-182-15.ev1s:http FIN_WAIT1
tcp 483 0 192.168.0.100:http cpe-24-165-223-104.mi:61722 CLOSE_WAIT
tcp 0 0 192.168.0.100:3834 64.233.167.104:http ESTABLISHED
tcp 0 480 192.168.0.100:3225 ev1s-67-15-125-38.ev1s:http FIN_WAIT1
tcp 483 0 192.168.0.100:http h51n1c1o253.bredband.:63071 CLOSE_WAIT
tcp 481 0 localhost.localdomain:http localhost.localdomain:4933 CLOSE_WAIT
tcp 0 477 192.168.0.100:3340 cpanel5.fuitadnet.com:http FIN_WAIT1
tcp 477 0 localhost.localdomain:http localhost.localdomain:3701 CLOSE_WAIT
tcp 0 0 192.168.0.100:3844 64.233.167.104:http ESTABLISHED
tcp 0 0 192.168.0.100:3846 64.233.167.104:http ESTABLISHED
tcp 0 0 192.168.0.100:3843 64.233.167.104:http ESTABLISHED
tcp 0 0 192.168.0.100:3853 64.233.167.104:http ESTABLISHED
tcp 767 0 192.168.0.100:http cpe-70-114-144-230.ho:33954 CLOSE_WAIT
tcp 0 0 192.168.0.100:3848 64.233.167.104:http ESTABLISHED
tcp 291 0 192.168.0.100:http crawl-66-249-66-16.go:41298 CLOSE_WAIT
tcp 483 0 192.168.0.100:http omega.sitelutions.com:54451 CLOSE_WAIT
tcp 767 0 192.168.0.100:http dialup-216-12-217-29.e:1073 CLOSE_WAIT
tcp 477 0 localhost.localdomain:http localhost.localdomain:3781 CLOSE_WAIT
tcp 483 0 192.168.0.100:http 212.64-5-48.reverse.t:56711 CLOSE_WAIT
tcp 0 471 192.168.0.100:3778 hurricane.xssl.net:http FIN_WAIT1
tcp 484 0 192.168.0.100:http NS1.pinnaclehost.net:47067 CLOSE_WAIT
tcp 291 0 192.168.0.100:http crawl-66-249-66-16.go:53970 CLOSE_WAIT
tcp 477 0 localhost.localdomain:http localhost.localdomain:4485 CLOSE_WAIT
tcp 0 473 192.168.0.100:3628 ev1s-67-15-45-22.ev1se:http FIN_WAIT1
tcp 0 488 192.168.0.100:3812 achilles.diywebhosting:http ESTABLISHED
tcp 0 485 192.168.0.100:3384 themarriagebed.com:http FIN_WAIT1
tcp 0 473 192.168.0.100:3706 ev1s-67-15-45-22.ev1se:http FIN_WAIT1
tcp 0 489 192.168.0.100:3734 achilles.diywebhosting:http FIN_WAIT1
tcp 483 0 192.168.0.100:http engagebsd1.engageit.n:52664 CLOSE_WAIT
tcp 291 0 192.168.0.100:http crawl-66-249-66-16.go:41681 CLOSE_WAIT
tcp 483 0 192.168.0.100:http powerstarpro.com:53741 CLOSE_WAIT
tcp 483 0 192.168.0.100:http atlas.f2k-server.org:59206 CLOSE_WAIT
tcp 483 0 192.168.0.100:http fly.lehost.net:35539 CLOSE_WAIT
tcp 764 0 192.168.0.100:http cpe-24-174-43-74.hous:19684 CLOSE_WAIT
tcp 0 478 192.168.0.100:3505 pro20.msshost.com:http FIN_WAIT1
tcp 477 0 localhost.localdomain:http localhost.localdomain:4135 CLOSE_WAIT
tcp 353 0 192.168.0.100:http c-24-99-164-186.hsd1.g:2137 CLOSE_WAIT
tcp 483 0 192.168.0.100:http cookis.efnet.co.kr:4443 CLOSE_WAIT
tcp 481 0 localhost.localdomain:http localhost.localdomain:3127 CLOSE_WAIT
tcp 353 0 192.168.0.100:http c-24-99-164-186.hsd1.g:2121 CLOSE_WAIT
tcp 767 0 192.168.0.100:http dialup-216-12-216-53.e:1050 CLOSE_WAIT
tcp 477 0 localhost.localdomain:http localhost.localdomain:2519 CLOSE_WAIT
tcp 483 0 192.168.0.100:http server5.techscape5.co:50225 CLOSE_WAIT
tcp 0 1 192.168.0.100:3758 gen033.n002.c03.escape:http SYN_SENT
tcp 481 0 localhost.localdomain:http localhost.localdomain:2664 CLOSE_WAIT
tcp 0 0 192.168.0.100:3856 96.138.33.65.cfl.res.r:http ESTABLISHED
tcp 482 0 192.168.0.100:http 210.69-93-186.reverse:41310 CLOSE_WAIT
tcp 483 0 192.168.0.100:http p15192576.pureserver.:58051 CLOSE_WAIT
tcp 291 0 192.168.0.100:http crawl-66-249-66-16.go:62734 CLOSE_WAIT
tcp 481 0 localhost.localdomain:http localhost.localdomain:3881 CLOSE_WAIT
tcp 291 0 192.168.0.100:http crawl-66-249-66-16.go:52414 CLOSE_WAIT
tcp 481 0 localhost.localdomain:http localhost.localdomain:1161 CLOSE_WAIT
tcp 0 1 192.168.0.100:3875 core-04-gig-hz-146.hos:http SYN_SENT
tcp 291 0 192.168.0.100:http crawl-66-249-66-16.go:52013 CLOSE_WAIT
tcp 477 0 localhost.localdomain:http localhost.localdomain:3802 CLOSE_WAIT
tcp 316 0 192.168.0.100:http host-216-153-200-174.:57094 CLOSE_WAIT
tcp 477 0 localhost.localdomain:http localhost.localdomain:2538 CLOSE_WAIT
tcp 291 0 192.168.0.100:http crawl-66-249-66-16.go:62653 CLOSE_WAIT
tcp 0 482 192.168.0.100:3378 host1.obuweb.com:http FIN_WAIT1
tcp 483 0 192.168.0.100:http 69.72.250.250:51888 CLOSE_WAIT
tcp 483 0 192.168.0.100:http 83.219.88.102:41074 CLOSE_WAIT
tcp 483 0 192.168.0.100:http iridium.burstfire.net.:4846 CLOSE_WAIT
tcp 477 0 localhost.localdomain:http localhost.localdomain:3627 CLOSE_WAIT
tcp 483 0 192.168.0.100:http mye3.propagation.net:59088 CLOSE_WAIT
tcp 391 0 192.168.0.100:http adsl-71-156-64-209.dsl:2501 CLOSE_WAIT
tcp 1 482 192.168.0.100:3555 svr58.ehostpros.com:http CLOSING
tcp 477 0 localhost.localdomain:http localhost.localdomain:2908 CLOSE_WAIT
tcp 0 474 192.168.0.100:3244 web5.mygisol.com:http FIN_WAIT1
tcp 477 0 localhost.localdomain:http localhost.localdomain:3148 CLOSE_WAIT
tcp 399 0 192.168.0.100:http fl-71-0-168-49.dhcp.s:16281 CLOSE_WAIT
tcp 483 0 192.168.0.100:http sv1.mhlists.net:19470 CLOSE_WAIT
tcp 0 13140 192.168.0.100:http 67.18.208.60.tailorma:46654 CLOSE_WAIT
tcp 483 0 192.168.0.100:http server5.westcoasthost:34389 CLOSE_WAIT
tcp 0 1 192.168.0.100:2563 gen033.n002.c03.escape:http SYN_SENT
tcp 483 0 192.168.0.100:http cpe-71-67-118-54.woh.:54019 CLOSE_WAIT
tcp 405 0 192.168.0.100:http fl-71-0-168-49.dhcp.s:15721 CLOSE_WAIT
tcp 477 0 localhost.localdomain:http localhost.localdomain:3004 CLOSE_WAIT
tcp 476 0 localhost.localdomain:http localhost.localdomain:2732 CLOSE_WAIT
tcp 401 0 192.168.0.100:http fl-71-0-168-49.dhcp.s:16280 CLOSE_WAIT
tcp 0 1 192.168.0.100:2961 gen033.n002.c03.escape:http SYN_SENT
tcp 1 477 192.168.0.100:3430 s8.eroute.net:http CLOSING
tcp 484 0 192.168.0.100:http 69.72.250.250:52422 CLOSE_WAIT
tcp 0 1 192.168.0.100:3030 gen033.n002.c03.escape:http SYN_SENT
tcp 481 0 localhost.localdomain:http localhost.localdomain:1069 CLOSE_WAIT
tcp 0 1 192.168.0.100:2831 gen033.n002.c03.escape:http SYN_SENT
tcp 484 0 192.168.0.100:http www-lax-004.blitzen.n:57516 CLOSE_WAIT
tcp 0 1 192.168.0.100:2894 gen033.n002.c03.escape:http SYN_SENT
tcp 0 1 192.168.0.100:2884 gen033.n002.c03.escape:http SYN_SENT
tcp 482 0 192.168.0.100:http radus.nl:40183 CLOSE_WAIT
tcp 481 0 localhost.localdomain:http localhost.localdomain:1374 CLOSE_WAIT
tcp 0 1 192.168.0.100:3885 64.233.167.99:http SYN_SENT
tcp 0 0 192.168.0.100:3879 64.233.167.99:http ESTABLISHED
tcp 0 0 192.168.0.100:3866 64.233.167.99:http ESTABLISHED
tcp 0 0 192.168.0.100:3860 64.233.167.99:http ESTABLISHED
tcp 391 0 192.168.0.100:http adsl-71-156-64-209.dsl:2128 CLOSE_WAIT
tcp 483 0 192.168.0.100:http bowell.genwebhost.com:52721 CLOSE_WAIT
tcp 0 0 localhost.localdomain:3802 localhost.localdomain:http FIN_WAIT2
tcp 0 471 192.168.0.100:3424 ns1.triinfinite.com:http FIN_WAIT1
tcp 483 0 192.168.0.100:http smaug.vex.net:4194 CLOSE_WAIT
tcp 0 469 192.168.0.100:3277 ns1.hosttec.net:http FIN_WAIT1
tcp 481 0 localhost.localdomain:http localhost.localdomain:1198 CLOSE_WAIT
tcp 481 0 localhost.localdomain:http localhost.localdomain:1454 CLOSE_WAIT
tcp 483 0 192.168.0.100:http newhorizonhosting.pro:38177 CLOSE_WAIT
tcp 483 0 192.168.0.100:http p15192576.pureserver.:59700 CLOSE_WAIT
tcp 405 0 192.168.0.100:http fl-71-0-168-49.dhcp.s:16282 CLOSE_WAIT
tcp 391 0 192.168.0.100:http adsl-71-156-64-209.dsl:2353 CLOSE_WAIT
tcp 0 474 192.168.0.100:3461 ev1s-67-15-103-201.ev1:http FIN_WAIT1
tcp 0 479 192.168.0.100:3896 rockwoodcondo.com:http ESTABLISHED
tcp 481 0 localhost.localdomain:http localhost.localdomain:2575 CLOSE_WAIT
tcp 855 0 192.168.0.100:http dialup-216-12-216-53.e:1042 CLOSE_WAIT
tcp 484 0 192.168.0.100:http abysshosting.net:39611 CLOSE_WAIT
tcp 1 486 192.168.0.100:3307 flagship.tchserver.net:http CLOSING
tcp 0 476 192.168.0.100:3803 ev1s-207-44-202-43.ev1:http FIN_WAIT1
tcp 1 474 192.168.0.100:3389 ev1s-67-15-103-201.ev1:http CLOSING
tcp 0 490 192.168.0.100:3604 snare.drumbeathosting.:http FIN_WAIT1
tcp 415 0 192.168.0.100:http adsl-71-156-64-209.dsl:2465 CLOSE_WAIT
tcp 477 0 localhost.localdomain:http localhost.localdomain:2959 CLOSE_WAIT
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:https *:* LISTEN
tcp 0 0 ::ffff:192.168.0.100:ssh cpe-24-174-43-74.hous:19564 ESTABLISHED
udp 0 0 *:ha-cluster *:*
udp 0 0 *:697 *:*
udp 0 0 *:bootpc *:*
udp 0 0 *:bootpc *:*
udp 0 0 192.168.0.100:3156 192.168.0.1:domain ESTABLISHED
udp 0 0 *:sunrpc *:*
udp 0 0 *:ipp *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 4102488 /tmp/.gdm_socket
unix 2 [ ACC ] STREAM LISTENING 4102608 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 5508 /dev/gpmctl
unix 2 [ ] DGRAM 4147529 @/var/run/hal/hotplug_socket
unix 2 [ ACC ] STREAM LISTENING 428469 /tmp/orbit-root/linc-4ed5-0-4197244d12abe
unix 2 [ ] DGRAM 4102371 @udevd
unix 2 [ ACC ] STREAM LISTENING 5634 /tmp/.font-unix/fs7100
unix 15 [ ] DGRAM 4783 /dev/log
unix 2 [ ACC ] STREAM LISTENING 5395 /var/lib/mysql/mysql.sock
unix 2 [ ACC ] STREAM LISTENING 5712 /var/run/dbus/system_bus_socket
unix 2 [ ] DGRAM 4296615
unix 3 [ ] STREAM CONNECTED 4293673 /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 4293672
unix 3 [ ] STREAM CONNECTED 4289670
unix 3 [ ] STREAM CONNECTED 4289669
unix 3 [ ] STREAM CONNECTED 4147527 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 4147526
unix 2 [ ] DGRAM 4124781
unix 2 [ ] DGRAM 4124751
unix 3 [ ] STREAM CONNECTED 4103408 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 4103407
unix 3 [ ] STREAM CONNECTED 4103222 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 4103221
unix 3 [ ] STREAM CONNECTED 4103088 /tmp/.font-unix/fs7100
unix 3 [ ] STREAM CONNECTED 4103087
unix 3 [ ] STREAM CONNECTED 4103099 /tmp/.X11-unix/X0

gloomy
04-06-2006, 05:44 PM
Looks a bit terrifying to my eyes.

Try "man iptables" for starters.

bwkaz
04-06-2006, 07:34 PM
This:

tcp 483 0 192.168.0.100:http atlas.f2k-server.org:59206 CLOSE_WAIT

for instance, is nothing more than someone that was connected to your web server. Note how the state is "CLOSE_WAIT"; this is the state that sockets go into after they're closed, so that the same ip/port combinations don't get reused too soon. CLOSE_WAIT, FIN_WAIT*, and TIME_WAIT are all indicative of connections that have recently either closed or timed out; they're not using any more resources, I don't think. They certainly can't hurt anything.

The ESTABLISHED sockets are probably the only ones you need to look at anyway. And almost all of those are either connected to your tcp/80 or someone else's tcp/80 (so it's either someone hitting your web server or you hitting someone else's). None of those are a problem.
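As an added example (not from the thread), a small Python triage of `netstat -a` output along the lines bwkaz describes: it separates listening sockets (exposed vs. bound to localhost), live ESTABLISHED sessions by direction, and the teardown states that carry no traffic. The sample lines are a constructed subset copied from the first post.

```python
from collections import Counter

# Constructed sample: a subset of the netstat -a lines pasted in the first post.
SAMPLE = """\
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 localhost.localdomain:ipp *:* LISTEN
tcp 483 0 192.168.0.100:http atlas.f2k-server.org:59206 CLOSE_WAIT
tcp 0 0 192.168.0.100:3819 64.233.167.147:http ESTABLISHED
tcp 0 475 192.168.0.100:3383 hu-triton.com:http FIN_WAIT1
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 ::ffff:192.168.0.100:ssh cpe-24-174-43-74.hous:19564 ESTABLISHED
udp 0 0 *:sunrpc *:*
unix 2 [ ACC ] STREAM LISTENING 5395 /var/lib/mysql/mysql.sock
"""

# Teardown states bwkaz points at: the peer closed (CLOSE_WAIT) or this side
# is finishing (FIN_WAIT*, CLOSING, TIME_WAIT). No request traffic flows here.
WINDING_DOWN = {"CLOSE_WAIT", "FIN_WAIT1", "FIN_WAIT2", "CLOSING", "TIME_WAIT", "LAST_ACK"}

def parse_netstat(text):
    """One dict per tcp/udp row; header and unix-socket rows are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        rows.append({"proto": f[0], "recvq": int(f[1]), "sendq": int(f[2]),
                     "local": f[3], "foreign": f[4],
                     "state": f[5] if len(f) > 5 else ""})
    return rows

def triage(rows):
    """Split rows into exposed listeners, live sessions and connections winding down."""
    rep = {"exposed_listeners": [], "local_only_listeners": [],
           "inbound": [], "outbound": [], "winding_down": Counter()}
    for r in rows:
        host, _, port = r["local"].rpartition(":")   # keeps ::ffff: prefixes intact
        listening = r["state"] == "LISTEN" or (r["proto"].startswith("udp") and r["foreign"] == "*:*")
        if listening:
            key = "local_only_listeners" if host.startswith(("localhost", "127.")) else "exposed_listeners"
            rep[key].append(f"{r['proto']}/{port}")
        elif r["state"] == "ESTABLISHED":
            # A named local port (http, ssh) means a client reached one of our
            # services; a numbered ephemeral local port means this box dialed out.
            rep["outbound" if port.isdigit() else "inbound"].append(r["foreign"])
        elif r["state"] in WINDING_DOWN:
            rep["winding_down"][r["state"]] += 1
    return rep
```

Call `triage(parse_netstat(SAMPLE))`, or feed it the real dump, to get a short report: what is exposed on all interfaces, who is actually connected and in which direction, and how many entries are just old sessions closing.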

gloomy
04-07-2006, 02:52 AM
Sure,

but how about e.g. the one below?

tcp 0 0 ::ffff:192.168.0.100:ssh cpe-24-174-43-74.hous:19564 ESTABLISHED

je_fro
04-07-2006, 04:11 AM
Well, since 192.168.x.x isn't routable over the internet, I wouldn't worry about it. It looks to be a local ssh connection.

gloomy
04-07-2006, 05:00 AM
Yes, but, generally, running SSH on a webserver does not sound good, if not otherwise especially needed. Or?

Bowtie
04-07-2006, 08:00 AM
Sorry guys. Forgot to mention it but the ssh is actually me. I've got the web server at a friend's house since my internet connection was kind of finicky for a while. So how do I block the excess stuff such as:

tcp 483 0 192.168.0.100:http atlas.f2k-server.org:59206 CLOSE_WAIT ????????? :confused:

Iptables and hosts.deny??

bwkaz
04-07-2006, 10:14 AM
So how do I block the excess stuff such as:

tcp 483 0 192.168.0.100:http atlas.f2k-server.org:59206 CLOSE_WAIT

That connection is closed, as I said before! You don't do anything to block it; it's already over and done with.

It was someone (at IP address 217.20.116.93, not that that matters) talking to the web server on that box (i.e. that person had a web browser open and was looking at some page on your friend's web site). Why would you want to disable that?

Bowtie
04-07-2006, 10:52 AM
I'm not trying to disable that. I'm just trying to deny the bots and unknowns. Most of those resolved names I am not familiar with in regards to where my friends are browsing from.

je_fro
04-07-2006, 11:44 AM
If you want a webserver you're going to have to expect people will access it. Unless you specifically enable certain ip addresses while denying all others, there's nothing you can do. I use ipt_string on the annoying bots though.....

Bowtie
04-09-2006, 08:55 AM
I use ipt_string on the annoying bots though.....

I'll do some research and reading on that and try it out. Thanks bro. :cool: