Netstat, Csf

Jun 11, 2007

I am not shure if this is a configuration problem or it's bacause netstat has it's own way to display things.

Recently csf blocked an IP address for flooding.

My server ip address is something like 192.168.1.201.

The ip that csf blocked was 192.168.1.20.

That IP belongs to an other server that is not ours.

netstat was showing a lot of connections from 192.168.1.20 (the ip that is not ours) but the guys that manage the server with that ip (192.168.1.20) did not saw any connection from them to us. So I thought it's just a spoofed flood. But, the thing is I've blocked that ip and still connections were made.

My conclusion was that netstat was showing 192.168.1.20 "flooding" instead of 192.168.1.201. (the server was connectiong to itself).

iptraf also was showing the server was connecting to itself on the lo interface.

My questions are:
csf is based on netstat for tracking connections?
has anyone had ths type of problem before?
If netstat is showing something else isn't this a bad thing for all (a lot) the scripts that use netstat?

View 0 Replies


ADVERTISEMENT

Netstat -an Or -tln

Aug 9, 2008

netstat -tln shows my port 80 is listening.

tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN

but netstat -an shows nothing about port 80

actually my web can not be accessed. it shows "Cannot find server or DNS Error " under Internet Explorer.

View 4 Replies View Related

Netstat & APF Cron Job

Oct 28, 2008

Netstat & APF cron job ...

View 7 Replies View Related

Netstat :: How To List IP Addresses?

May 19, 2009

My site is under attack, when i run this command
[php]netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -[/php
it show

1 116.xxx

1 118.xxx

1 203.xx

1 222.xxx

1 Address

1 servers)

3 115.xxx

3 123.xxx

4 58.xxx

10 127.0.0.1

694

What 694 connections mean ? Why netstat don't list their IP ? How can i know which IP is attacking my site ?

View 5 Replies View Related

SSH Command :: Netstat -alpn?

Dec 25, 2008

what does the below command actually means I mean when we use it? and in which case it help us? and up to what value there is nothing to worry about? Waiting for detailed reply

netstat -alpn | grep :80 | awk '{print $4}' | cut -d: -f1 |sort |uniq -c

View 10 Replies View Related

-bash: Netstat: Command Not Found

Apr 2, 2008

i got a new sever and was looking at few thing.

just ran netstat and saw this -bash: netstat: command not found

how can i correct it?

View 7 Replies View Related

Netstat Results Show 3 Ips In Same Location With Several Connections

Mar 13, 2008

I'm new to server administration/security/troubleshooting, so I have included a lot of info here hoping it will help.

This started because a Linux VPS with CentOS and Exim crashed after only 3000 emails were sent (of 30000) total

I ran a netstat and several times I get three separate ips with the only difference being the last two digits and the port number:
86.104.230.29:59009
86.104.117.45:18065
89.37.137.157:41593

As far as I can tell they are from Romania, and there are several connections.

I have posted a lot of information below, if someone can take a look and give some ideas, it would be very much appreciated.

netstat:

Code:
tcp 0 0 mydomain.com:http 86.104.117.98:34060 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.82:59022 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.219:52276 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.163:25383 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.154:20794 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.235:39094 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.127:61711 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.127:5748 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.37:63424 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.228:54121 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.226:39605 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.91:6446 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.10:54841 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.100:22842 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.118:32674 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.80:16559 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.64:47817 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.136:21718 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.246:37288 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.28:62119 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.190:4468 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.8:25247 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.100:35503 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.199:20896 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.237:saft SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.199:47952 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.118:60561 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.181:10844 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.125:50584 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.253:17855 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.10:25740 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.109:29528 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.62:47349 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.55:4614 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.226:22001 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.163:11790 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.44:8911 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.46:telnets SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.190:27377 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.181:34031 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.19:41722 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.100:57151 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.145:61402 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.53:52461 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.26:42463 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.217:35530 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.35:63414 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.154:56638 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.26:43972 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.172:6922 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.17:3683 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.210:2397 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.46:18754 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.244:4032 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.235:8602 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.82:39495 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.19:28848 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.163:47624 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.8:2683 SYN_RECV
tcp 0 0 mydomain.com:http 89.39.71.55:43300 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.37:1664 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.118:36892 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.17:7317 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.109:56229 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.217:45257 SYN_RECV
tcp 0 0 mydomain.com:http 89.37.137.73:15278 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.230.64:14076 SYN_RECV
tcp 0 0 mydomain.com:http 86.104.117.116:14567 SYN_RECV

View 3 Replies View Related

Listing/banning Ipv6 Addresses From Netstat Output

Jan 19, 2008

I've been happily banning ip's using the output from

netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1

for over a year now, with iptables. However recently, after upgrading to apache 2.2, the connections in netstat get listed as ipv6. A row can look like this for example:

tcp6 0 0 ::ffff:12.123.123.123:80 ::ffff:12.123.12.:12382 ESTABLISHED-

(actual ip addresses changed)

As you can see, the remote ip address isn't complete, it's cut off, so the script used to sum up connections and insert into iptables isnt doing anything.

View 0 Replies View Related

Netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1

Feb 1, 2007

What does this string do? I copy and paste it into my SSH Shell and i get ip addresses and numbers next to them.

Each number means one connection?

netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1

View 1 Replies View Related

Meaning Of "netstat"

Dec 17, 2007

Maybe someone would be kind enough to enlighten me of the meaning of a netstat output. I know netstat is supposed to tell you the current active connections but would like some more details(what does each column mean?):

Code:
[root@]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address Stat
I notice that often times I see my ISP's mail server connecting to domains I didin't even set up yet. Sometimes I see google(I guess indexing my sites). But in addition some times I see some scary foreign addresses like from nigeria or one really common one, one which I see pretty often when I run netstat is:

Quote:

tcp 0 0 mydomain.com:http [somehostname].amenworld.com:40867 TIME_WAIT

I can't seem to make any sense of it, what are they doing and why are they always "connected' to my server?

I could just be over reacting on some of this stuff but just curious about what this all means.

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved