Listing/Banning IPv6 Addresses From Netstat Output

Jan 19, 2008

I've been happily banning IPs using the output from

netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1

for over a year now, with iptables. However, recently, after upgrading to Apache 2.2, the connections in netstat get listed as IPv6. A row can look like this, for example:

tcp6 0 0 ::ffff:12.123.123.123:80 ::ffff:12.123.12.:12382 ESTABLISHED-

(actual ip addresses changed)

As you can see, the remote IP address isn't complete, it's cut off, so the script used to sum up connections and insert into iptables isn't doing anything.

View 0 Replies
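The post's `cut -d: -f1` returns an empty field on IPv4-mapped rows because the address itself contains colons. As an added example (not the thread's own script), this POSIX shell script takes the port off the last colon instead, strips the `::ffff:` prefix, and counts connections per remote address; the netstat sample, the port-80 filter and the threshold are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the thread's own script: count per-remote-IP connections
# to port 80 from netstat rows when some of them are IPv4-mapped IPv6
# ("::ffff:a.b.c.d:port"). Taking the port off the LAST colon and stripping
# the "::ffff:" prefix gives the same bare address for "tcp" and "tcp6" rows.

# Constructed sample of `netstat -plan` rows (documentation-range addresses).
SAMPLE='tcp   0 0 0.0.0.0:80          0.0.0.0:*                 LISTEN      1234/apache2
tcp   0 0 10.0.0.5:80         203.0.113.7:51234         ESTABLISHED 1234/apache2
tcp6  0 0 ::ffff:10.0.0.5:80  ::ffff:203.0.113.7:51235  ESTABLISHED 1234/apache2
tcp6  0 0 ::ffff:10.0.0.5:80  ::ffff:198.51.100.9:40000 ESTABLISHED 1234/apache2
tcp6  0 0 ::ffff:10.0.0.5:80  ::ffff:203.0.113.7:51236  TIME_WAIT   -'

# stdin: netstat rows. Print the foreign address (column 5) with the port
# removed and any IPv4-mapped prefix stripped.
remote_ip() {
    awk '{ a = $5; sub(/:[^:]*$/, "", a); sub(/^::ffff:/, "", a); print a }'
}

# stdin: netstat rows. Print "count ip" per remote address for rows whose
# local port is 80. $1 = state to keep (ESTABLISHED, SYN_RECV, ...); "" keeps all.
count_per_ip() {
    awk -v st="$1" '$4 ~ /:80$/ && (st == "" || $6 == st)' \
        | remote_ip | sort | uniq -c | awk '{ print $1, $2 }' | sort -n
}

# stdin: netstat rows. Print the connection count for remote IP $1
# (nothing if it has none); $2 = state filter as above.
conns_from() {
    count_per_ip "$2" | awk -v ip="$1" '$2 == ip { print $1 }'
}

# stdin: netstat rows. Print the remote IPs with more than $1 connections
# ($2 = state filter). These are the candidates a ban script would hand to
# iptables; printing them first lets you review the list before adding rules.
over_threshold() {
    count_per_ip "$2" | awk -v max="$1" '$1 > max { print $2 }'
}

# Stand-alone run on the sample: the per-IP table, then IPs above a
# threshold of 1. On a real host replace the printf with `netstat -plan`.
printf '%s\n' "$SAMPLE" | count_per_ip ESTABLISHED
printf '%s\n' "$SAMPLE" | over_threshold 1 ESTABLISHED
```

Rows that netstat has already truncated (as in the post's `::ffff:12.123.12.` example) cannot be repaired after the fact; net-tools versions that have the `-W` (`--wide`) option print the full address instead.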

Netstat :: How To List IP Addresses?

May 19, 2009

My site is under attack. When I run this command
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -
it shows

1 116.xxx

1 118.xxx

1 203.xx

1 222.xxx

1 Address

1 servers)

3 115.xxx

3 123.xxx

4 58.xxx

10 127.0.0.1

694

What do 694 connections mean? Why doesn't netstat list their IP? How can I know which IP is attacking my site?

View 5 Replies View Related

Iptables And Banning Ip Addresses

Jan 19, 2007

I'd want to ban some IP addresses and I tried to use iptables. But it doesn't work so far.

What I did is:
root/sbin/ iptables -A INPUT -p tcp -s 193.93.236.0/22 -d any/0 -m state --state NEW -j DROP

As seen, I tried to ban an IP range from my box (because of spam). But it looks like that doesn't work.

What I want to do is to prevent WP spammers from posting their disgraceful links to my database.

I am using CentOS.

View 13 Replies View Related

Netstat -an Or -tln

Aug 9, 2008

netstat -tln shows my port 80 is listening.

tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN

but netstat -an shows nothing about port 80

Actually my website cannot be accessed. It shows "Cannot find server or DNS Error" under Internet Explorer.

View 4 Replies View Related

Netstat, Csf

Jun 11, 2007

I am not sure if this is a configuration problem or it's because netstat has its own way to display things.

Recently csf blocked an IP address for flooding.

My server ip address is something like 192.168.1.201.

The ip that csf blocked was 192.168.1.20.

That IP belongs to another server that is not ours.

netstat was showing a lot of connections from 192.168.1.20 (the IP that is not ours), but the guys that manage the server with that IP (192.168.1.20) did not see any connection from them to us. So I thought it was just a spoofed flood. But the thing is, I blocked that IP and still connections were made.

My conclusion was that netstat was showing 192.168.1.20 "flooding" instead of 192.168.1.201 (the server was connecting to itself).

iptraf also was showing the server was connecting to itself on the lo interface.

My questions are:
Is csf based on netstat for tracking connections?
Has anyone had this type of problem before?
If netstat is showing something else, isn't this a bad thing for all (a lot) of the scripts that use netstat?

View 0 Replies View Related

Netstat & APF Cron Job

Oct 28, 2008

Netstat & APF cron job ...

View 7 Replies View Related

Banning SSH Abusers

Nov 15, 2007

About a week ago I got logs from the server that looked like this:

unknown (200.87.116.210): 5112 Time(s)
unknown (65.111.177.212): 5005 Time(s)
unknown (bastion.fmg-kopernik.ru): 662 Time(s)
root (bastion.fmg-kopernik.ru): 657 Time(s)

I then turned on the brute force protection cPanel provides, and it went down considerably from there. I'm not concerned at all about it (since the passwords are strong), but I would like to know the best way to determine abusive users (of SSH), and the best way to ban them.

Assuming the server does not have APF installed, or any particular control panel...

View 14 Replies View Related

Server Banning Itself

Dec 20, 2007

Getting these emails, several a day, telling me that the server is banning its own allocated IP addresses. Can someone explain what on earth it could possibly be doing to ban its own IPs?

Banned the following ip addresses on Thu Dec 20 15:13:38 BRST 2007

xxx.xxx64.138 with 151 connections

I have CentOS 4 / cPanel installed with APF / BFD, yet the deny host rules for APF do not show the server IPs listed as banned.

View 2 Replies View Related

Apf Firewall Banning Range

Mar 8, 2007

I need to ban an IP range and I inserted, say, IP 12.44.0.0 in the deny_hosts rules. This should ban the range from 12.44, but strangely people from that range are still able to access my site. Any idea what went wrong?

View 3 Replies View Related

Banning Yahoo Slurp IPs

Jul 6, 2008

How can I ban Yahoo! Slurp and its IPs using .htaccess?

View 3 Replies View Related

SSH Command :: Netstat -alpn?

Dec 25, 2008

What does the below command actually mean, I mean when we use it? And in which case does it help us? And up to what value is there nothing to worry about? Waiting for a detailed reply.

netstat -alpn | grep :80 | awk '{print $4}' | cut -d: -f1 |sort |uniq -c

View 10 Replies View Related

Bash Script - IP Banning With Iptables

Apr 28, 2009

My VPS provider didn't enable a lot of modules and that's why I can use a firewall (csf or apf) and the dos deflate script.

I need a simple script for it.

First, it has to call this:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Then there will be something like:

Number : IP address
20 1.2.3.4
40 1.2.3.5
80 1.2.3.6

and then the bash script has to ban IPs with more than 30 connections (in our case: 1.2.3.5 and 1.2.3.6) with this:

iptables -A INPUT -s IP_FOR_BLOCK -j DROP

View 14 Replies View Related

Banning A Whole Country IP Range From My Website

Oct 28, 2008

I want to stop users from country X from accessing my website. I know I can ban people's IPs, but I don't know if it is possible to ban a certain geographical area, and if so, I haven't got a clue about how to do it.

View 8 Replies View Related

-bash: Netstat: Command Not Found

Apr 2, 2008

I got a new server and was looking at a few things.

Just ran netstat and saw this: -bash: netstat: command not found

How can I correct it?

View 7 Replies View Related

Range Banning With IPSec On Windows Server

Oct 9, 2006

Does anyone know how to range ban IPs using IPsec?

I can enter IPs manually but am unable to ban an entire RANGE of IPs,

i.e. For example 172.10.10.10 - 172.1.1.999

Anyone know?

View 4 Replies View Related

Netstat Results Show 3 Ips In Same Location With Several Connections

Mar 13, 2008

I'm new to server administration/security/troubleshooting, so I have included a lot of info here hoping it will help.

This started because a Linux VPS with CentOS and Exim crashed after only 3000 emails were sent (of 30000 total).

I ran a netstat and several times I get three separate IPs with the only difference being the last two digits and the port number:
86.104.230.29:59009
86.104.117.45:18065
89.37.137.157:41593

As far as I can tell they are from Romania, and there are several connections.

I have posted a lot of information below, if someone can take a look and give some ideas, it would be very much appreciated.

netstat:

Code:
tcp 0 0 mydomain.com:http 86.104.117.98:34060 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.82:59022 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.219:52276 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.163:25383 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.154:20794 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.235:39094 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.127:61711 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.127:5748 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.37:63424 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.228:54121 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.226:39605 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.91:6446 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.10:54841 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.100:22842 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.118:32674 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.80:16559 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.64:47817 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.136:21718 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.246:37288 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.28:62119 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.190:4468 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.8:25247 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.100:35503 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.199:20896 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.237:saft SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.199:47952 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.118:60561 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.181:10844 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.125:50584 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.253:17855 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.10:25740 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.109:29528 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.62:47349 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.55:4614 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.226:22001 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.163:11790 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.44:8911 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.46:telnets SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.190:27377 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.181:34031 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.19:41722 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.100:57151 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.145:61402 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.53:52461 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.26:42463 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.217:35530 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.35:63414 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.154:56638 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.26:43972 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.172:6922 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.17:3683 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.210:2397 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.46:18754 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.244:4032 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.235:8602 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.82:39495 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.19:28848 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.163:47624 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.8:2683 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.55:43300 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.37:1664 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.118:36892 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.17:7317 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.109:56229 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.217:45257 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.73:15278 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.64:14076 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.116:14567 SYN_RECV

View 3 Replies View Related

vBulletin Is Triggering Mod_security Rule And Banning People

Jun 23, 2008

I installed mod_security and the 403security rules on my VPS (Centos 4.1, Release version of WHM).

Several vBulletin files, including the ajax quick editor and some vbulletin.org add-ons are triggering this rule and banning members' IPs in CSF:

# Restrict which content encodings we accept.
#
# TODO Most applications support only two encodings for request bodies
# because that is all browsers know how to produce. If you are using
# automated tools to talk to the application you may be using other
# content types and would want to change the list of supported encodings.
#
# Note though that ModSecurity parses only three content encodings:
# application/x-www-form-urlencoded, multipart/form-data request and
# text/xml. The protection provided for any other type of encoding is
# inferior.
#
# TODO There are many applications that are not using multipart/form-data
# encoding (typically only used for file uploads). This content type
# can be disabled if not used.
#
# NOTE We allow any content type to be specified with GET or HEAD
# because some tools incorrectly supply content type information
# even when the body is not present. There is a rule further in
# the file to prevent GET and HEAD requests from having bodies, so we're
# safe in that respect.
#
# NOTE Use of WebDAV requires "text/xml" content type.
#
# NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports
# applications running on the PocketPC and AvantGo platforms use
# non-standard content types:
#
# M-Business iAnywhere application/x-mal-client-data
# UltraLite iAnywhere application/octet-stream
#
# The first SecRule continues onto the next line (note the trailing backslash);
# the chained second SecRule only runs when the first one matches.
SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \
    "chain, t:lowercase, deny,log,auditlog,status:501,msg:'Request content encoding is not allowed by policy',id:'960010',severity:'4'"
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)"

I don't know how to decipher this rule to know if just removing it is OK, or if it is serving an important purpose. During the couple of hours it was enabled, that rule only seemed to trigger false alarms.

The above was triggered with calls such as [uri "/forums/ajax.php?do=usersearch"] and [uri "/forums/newreply.php?do=postreply&t=11057"]

What I really don't understand is that I have an .htaccess in place to turn off mod_security for the /forums directory:

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
I have also had this rule triggered today when someone tried to access : ...

View 0 Replies View Related

Top Output To A File

Apr 27, 2008

Quote:

# If a PT_LOAD event is triggered, then if the following contains the path to
# a script, it will be run in a child process. For example, the script could
# contain commands to terminate and restart httpd, php, exim, etc. in case of
# looping processes. The action script must have the execute bit and an
# interpreter (shebang) set

It's a feature of CSF. How do I write a script that will output the contents of top -c to another file?

View 3 Replies View Related

Header Output Already Sent

Nov 17, 2008

Would any remote configs be responsible for the warning "header output already sent"?

Why do I ask this? Because I am programming with PHP and having this chronic error; I tried fixing every corner but am helpless.

View 4 Replies View Related

Tcpdump Output

Feb 10, 2007

This is the command i'm running and its options:

tcpdump > output.file

The problem is that the only way to stop this command is pressing CTRL + C, and I just need some option to specify how much time tcpdump will be running. I need it running for 1 minute, for example, and then it should automatically stop.

View 1 Replies View Related

Full Dns Output

Sep 12, 2007

How do I get all the current DNS values for a domain name? I have tried using
'dig domain any' and get varied results. The first time it is as if I ran 'dig domain a'. I then run 'dig domain mx' and see the MX records. An issue of 'any' then shows the MX records. So far I have to run dig with every record type. What is another way to get all the DNS values for a domain name?

View 1 Replies View Related

Listing In Spamcannibal

Apr 13, 2008

My server is listed in SpamCannibal but I don't know why.

My IP range is xx.xx.xx.166-169 and the spam comes from xx.xx.xx.220, which doesn't belong to me.

View 2 Replies View Related

Max Files Listing Under Ftp

Jul 24, 2007

Through FTP I can see a max of 2000 files for a single dir.

How can we set this value?

View 2 Replies View Related

VPS Not Listing In Panel

May 28, 2007

I am having a very weird problem with Virtuozzo. I created about 8 VPSs on my server. But when I logged into the server after two days, I found that some of the VPSs I had created had disappeared. And the ones that were still listed were in the mounted state.

I have no idea what is happening with the server. To list all the VPSs back I had to log into the base node and restart service vz.

I don't log into Virtuozzo very often, but whenever I log into the panel after some time (a day or two) this is what happens.

I need to move clients over to the new VPS, but the issue is causing a lot of worry for me. What if this happens once I move the clients over? I cannot always go restarting the vz.

Please solve these issues

1) VPS changing to the mounted state

2) VPS disappearing from the virtuozzo panel.

View 10 Replies View Related

Top Output Belongs To My VPS Only Or Whole Server?

Sep 26, 2008

I have question regarding the output of top command when it is run inside a VPS.

Does the CPU load (underlined in red) belong only to my VPS or to the whole server?

If it belongs to the whole server, then is the load underlined in green the load my VPS currently has?

It's a Virtuozzo-based VPS.

View 3 Replies View Related

Linux Get Last Line Of Output

Apr 4, 2008

What command could I use to get the last line of an output?

Here's why...

I use this command:

netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1

I would like to get just the last line of the output. The output looks like this:

1 203.118.105.*
1 80.195.165.*
1 87.211.51.*
1 91.40.90.*
8 82.2.222.*
213

The reason is because I'd like to get that last figure to place into a file on a certain time period (through a cron), which will then be graphed with PHP.

View 3 Replies View Related

Understanding Munin Output

Apr 18, 2008

I use Munin to monitor the health of our servers. I can tell by looking at the graphs that there's nothing to worry about; however, I'm struggling to baseline acceptable performance. What would be classed as 'normal' output for some of the more relevant Munin graphs?

I've been looking at the Apache* modules and this is the output from one of our servers:

average of: 300 accesses per minute, 6 busy servers and 4.10MB a minute volume

max of: 1400 accesses per minute, 81 busy servers and 51MB a minute volume

This is a dedicated box running one site.

We have another box that is running approximately 30 sites

average of: 30 accesses per minute, 1 busy server and a 500K a minute volume

max of: 322 accesses per minute, 11 busy servers and a 4MB a minute volume.

These servers are pretty much the same spec, dual core 64Bit, 4GB of ram, two SATA disks in RAID1.

View 2 Replies View Related

Virtuozzo - Ipv6

Aug 6, 2008

I've read that Virtuozzo 4.0 supports IPv6. I'm having problems finding anything to help set up the node for IPv6. I can't find anything on the web except for some people talking about how to disable IPv6. So I was just wondering if anyone else has seen anything.

Edit: I don't think I posted in the correct section. Oops. Could a moderator move this to the right section?

View 2 Replies View Related

IPv6 Implementation

Jul 28, 2009

We would like to extend our services by providing IPv6 for dedicated servers.

Our colo will provide us a /48.

I am pretty new to IPv6. Can anybody give some hints about IPv6 addressing for such a scenario?

How should we cut that /48? How many IPs should I provide to every server?

Any real hosting world scenarios?

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved