
Re: [cobalt-security] just a question . . .



Hi Fragga,

> i normally cron a job to run each hour which mails me a few logs and the
> output of a netstat -at | grep www . sometimes however i seem to get web
> connections

I use a slightly different approach:

netstat -a -n |grep tcp|grep ":80"|wc -l

Omit the "|wc -l" to get the connections listed in detail

> where apache has opened multiple ports for. I know that it juggles it onto
> a different port when it receives a connection but i get multiples similar 
> to the output of

For (almost) every client request Apache spawns a separate httpd child up to 
the maximum number of children configured in the Apache configuration file.

In the report you provided you see many "TIME_WAIT" from the same 
originating ip-address (194.200.***.***) but with different port numbers.

To me that looks like it's short of a denial of service attack. However, 
there can be legitimate reasons for one source IP-address opening up so many 
simultaneous connections. Like when a search engine is spidering your 
site(s). Or when someone uses a download manager like wget to fetch your 
entire website. Or when someone uses Acrobat to turn your entire website into 
a PDF ... you get the drift. :o)

But if so, then not all of the connections should be "TIME_WAIT" unless the 
"rush" is over and all connections are now timing out. 

To be sure I'd grep /var/log/httpd/access for the offending ip-address to see 
if it is requesting separate URLs and pages, or if all of the requests go to 
the same URL. If it's the latter, then it's most likely not legitimate or even 
"good" traffic and I'd blacklist the offending IP.

What else you could do is to run "tcpdump" (a very basic network sniffer) for 
a while (write the output to a file) and then go through it to analyse the 
data sent back and forth to the offending ip-address.

-- 

With best regards,

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
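The access-log check suggested above, as an added example that is not part of the original thread: a small Python script that parses Apache common-log lines, counts requests and distinct URLs per source IP, and flags sources that keep hitting one URL. The sample log lines, the TEST-NET addresses and the threshold of four requests are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache common log format (not from the thread).
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [10/Mar/2001:14:02:01 +0000] "GET /index.html HTTP/1.0" 200 2048
192.0.2.10 - - [10/Mar/2001:14:02:01 +0000] "GET /index.html HTTP/1.0" 200 2048
192.0.2.10 - - [10/Mar/2001:14:02:02 +0000] "GET /index.html HTTP/1.0" 200 2048
192.0.2.10 - - [10/Mar/2001:14:02:02 +0000] "GET /index.html HTTP/1.0" 200 2048
198.51.100.7 - - [10/Mar/2001:14:03:10 +0000] "GET / HTTP/1.0" 200 1024
198.51.100.7 - - [10/Mar/2001:14:03:11 +0000] "GET /about.html HTTP/1.0" 200 3000
198.51.100.7 - - [10/Mar/2001:14:03:12 +0000] "GET /images/logo.gif HTTP/1.0" 200 512
198.51.100.7 - - [10/Mar/2001:14:03:13 +0000] "GET /contact.html HTTP/1.0" 200 900
"""

# client ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def parse_access_log(text):
    """Yield (ip, method, path, status) for every parseable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def per_ip_summary(text):
    """Return {ip: (request_count, distinct_path_count)}."""
    counts = defaultdict(int)
    paths = defaultdict(set)
    for ip, _method, path, _status in parse_access_log(text):
        counts[ip] += 1
        paths[ip].add(path)
    return {ip: (counts[ip], len(paths[ip])) for ip in counts}


def suspicious_ips(text, min_requests=4):
    """IPs with at least min_requests requests that all went to one URL.

    A spider or download manager walks many different pages; a source
    repeating a single URL is the pattern the thread treats as suspect."""
    return sorted(ip for ip, (n, distinct) in per_ip_summary(text).items()
                  if n >= min_requests and distinct == 1)


if __name__ == "__main__":
    for ip, (n, distinct) in per_ip_summary(SAMPLE_ACCESS_LOG).items():
        print(f"{ip}: {n} requests, {distinct} distinct URLs")
    print("suspicious:", suspicious_ips(SAMPLE_ACCESS_LOG))
```

On a live server, read /var/log/httpd/access (or your configured log path) instead of the embedded sample.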