
Is my server getting attacked or is this normal behaviour?

Discussion in 'Security' started by Smaily, Sep 19, 2011.

  1. Smaily

    Smaily Well-Known Member

    Joined:
    Sep 19, 2011
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    # netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n

    1 Address (what's this?)
    1 and (what's this?)
    18 80.10.100.45 (one of my own server IPs)
    18 80.10.100.46 (one of my own server IPs)
    18 80.10.100.47 (one of my own server IPs)
    59 80.10.100.10 (one of my own server IPs)
    59 80.10.100.7 (one of my own server IPs)
    70 127.0.0.1 (are 70 connections normal?)
    76 80.10.100.2 (one of my own server IPs and also ns1)
    76 80.10.100.5 (one of my own server IPs)
    77 80.10.100.4 (one of my own server IPs)
    346 0.0.0.0 (are 346 connections normal?)
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    You've improperly set the command and are getting bad data in the return. The same happens on my system when I run that command:

    Code:
    # netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
          1 Address
          1 and
          4 127.0.0.1
         29 0.0.0.0
    But if I run a good command, I get good data:

    Code:
    # netstat -atun|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -n
          1 0.0.0.0
    This is checking for traffic on port 80 rather than the full return of netstat including the topmost lines as your command is doing. If you want all tcp traffic, you can try:

    Code:
    netstat -atun|grep tcp|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -n
    Replace tcp with udp for all udp traffic. Try just running "netstat -atun" without any modifiers to see what it is pulling the data from in order to understand the output.
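
An added example, not part of the original post or of cPanel's tooling: a shell function that counts connections per foreign IP from `netstat -atun` output. It skips the two header lines (the source of the `Address` and `and` rows), filters on socket state so that listening sockets, whose foreign address is `0.0.0.0:*`, do not inflate the counts, and matches the local port exactly. The names `count_foreign` and `sample_netstat` and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# count_foreign STATE [LOCAL_PORT]
# Reads `netstat -atun` output on stdin and prints "count ip" per foreign
# address for TCP sockets in STATE (e.g. ESTABLISHED, SYN_RECV, LISTEN),
# optionally restricted to one exact local port.
count_foreign() {
    awk -v state="$1" -v port="${2:-}" '
        # Keep TCP socket rows only. This drops the two header lines that the
        # unfiltered pipeline counted as "and" and "Address", and UDP rows,
        # which carry no state column when unconnected.
        $1 !~ /^tcp/ { next }
        # LISTEN rows show 0.0.0.0:* (or :::*) as the foreign address, so
        # selecting one state keeps them apart from real client connections.
        $6 != state { next }
        {
            lport = $4; sub(/.*:/, "", lport)       # text after the last colon
            if (port != "" && lport != port) next   # exact port, so 80 is not 8080
            faddr = $5; sub(/:[^:]*$/, "", faddr)   # drop the port, keep IPv6 whole
            n[faddr]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -n
}

# Constructed sample in the layout of `netstat -atun` (documentation addresses).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:40000       SYN_RECV
tcp        0      0 192.0.2.10:8080         203.0.113.9:40001       ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:45000         ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::99:55000      ESTABLISHED
udp        0      0 192.0.2.10:53           0.0.0.0:*
EOF
}

# Live use: netstat -atun | count_foreign ESTABLISHED 80
sample_netstat | count_foreign ESTABLISHED 80
```

Running it with `SYN_RECV` instead of `ESTABLISHED` shows half-open connections per source, which is the count that matters when judging whether a port is being flooded.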
     
  3. Smaily

    Smaily Well-Known Member

    Thanks!

    As I had CSF firewall I updated it and started using portflood protection as follows.
    PORTFLOOD = "80;tcp;20;3,53;tcp;20;3"

    Came to this solution since I seemed to get a lot of connections to port 53 even though Apache wasn't running on those IP addresses. Used the command netstat -ntulp to figure it out.

    If this didn't help, I'll get back to ask. :)

    But are connections like this normal?

    on port 80:
    39 127.0.0.1
    166 0.0.0.0
     
    #3 Smaily, Sep 19, 2011
    Last edited: Sep 19, 2011
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Did you run "netstat -atun" to check what those connections happen to be? I cannot answer the question on whether those are normal because there aren't enough details on what the connections happen to be. 127.0.0.1 is localhost, so any locally served connections would be using that IP.

    As such, please run the command I'd indicated to see what the connections are to see if those are normal connections.
     
  5. Smaily

    Smaily Well-Known Member

    They seem to be Counter-Strike game connections to port 27015, if I'm not mistaken?
    Anyhow, what bothers me is that there is nothing else running on 80.10.101.150 than ns2,
    yet there is a connection from China.
     
  6. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    I guess if it works all well and good, but port 53 is DNS - although connections should probably be UDP rather than TCP.
     