The Community Forums

Interact with an entire community of cPanel & WHM users!

netstat question, why is there no IP (blank line) in most hits?

Discussion in 'Security' started by jols, Mar 8, 2010.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Commonly when I enter this:

    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

    I get a line with the most connects made, but with no IP, like this:

    ---------------------
    2 148.240.236.219
    2 166.128.79.2
    2 206.188.135.116
    2 58.8.87.223
    2 64.92.45.125
    2 70.112.225.111
    2 71.238.45.191
    2 71.65.203.244
    2 74.186.222.228
    2 75.105.0.38
    2 88.131.106.31
    2 99.14.205.173
    3 69.107.105.99
    3 76.173.219.81
    3 96.48.232.14
    4 193.47.80.49
    4 203.45.130.8
    4 206.188.138.182
    4 69.183.221.125
    4 72.224.97.139
    4 75.104.128.36
    4 75.104.128.54
    4 99.196.32.58
    5 75.105.0.52
    6 173.55.127.124
    6 63.226.253.233
    7 121.215.41.197
    8 127.0.0.1
    11 67.213.196.54
    11 67.60.32.242
    11 72.24.112.102
    14 96.235.209.214
    16 64.40.121.180
    16 99.197.64.56
    20 66.131.2.209
    111
    ---------------------

    I am referring to the entry with "111" connections above.

    Anyone know why this is, and what we could do to find out who is making the most connects?

    Thanks for any assistance.
     
  2. garrettp

    garrettp Well-Known Member
    PartnerNOC

    Joined:
    Jun 18, 2004
    Messages:
    312
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    DataCenter Provider
    Your one-liner may be flawed. I tested it on my system and since awk is simply printing the 5th token on each line, you don't always get just an IP. What does a regular netstat -ntu output show? uniq -c is counting the unique entities so it sounds to me like it's finding 111 blanks for the 5th token that awk is returning.
     
  3. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Thanks for your reply about this, it is very much appreciated. Too bad I just don't have any idea what you are referring to. Not sure at all what you mean by "Your one-liner may be flawed".

    Perhaps you are referring to this? --> netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

    I've just looked at a very similar situation, and I looked at netstat -ntu, but I really don't see any comparison between the two.

    When you say, "5th token that awk is returning", are you referring to this part of the statement? ---> "sort -n"
     
  4. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Actually, I'd probably use something more like this:
    Code:
    # netstat -ntu | awk '{print $5}' | cut -d':' -f1 | grep "^[0-9]" | sort -g | uniq -c
    
     
  5. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Thanks again Spiral. Only problem is, I don't get a sorted list with that one. At least, not sorted by the number of connections.
     
  6. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    I left the final "| sort -n" off the end of the line in the last post ....

    Just simply put that on the end and you got it.
     
  7. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Thanks much!
     
  8. voshka

    voshka Active Member

    Joined:
    Apr 4, 2010
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    I have the same problem.
    It wasn't like this before; it started today.
    The dos_deflate has recognized this connection as a DoS attack and emailed me thousands of times:

    Banned the following ip addresses on Sun Apr 4 12:13:01 EDT 2010

    409 with 409 connections
     