Re: [cobalt-security] just a question . . .
- Subject: Re: [cobalt-security] just a question . . .
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Mon, 11 Feb 2002 20:28:31 +0100
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Fragga,
> I normally cron a job to run each hour which mails me a few logs and the
> output of a netstat -at | grep www . sometimes however i seem to get web
> connections
I use a slightly different approach:
netstat -a -n |grep tcp|grep ":80"|wc -l
Omit the "|wc -l" to get the connections listed in detail
> where apache has opened multiple ports for. I know that it juggles it onto
> a different port when it receives a connection but I get multiples similar
> to the output of
For (almost) every client request Apache spawns a separate httpd child up to
the maximum number of children configured in the Apache configuration file.
In the report you provided you see many "TIME_WAIT" from the same
originating ip-address (194.200.***.***) but with different port numbers.
To me that looks like it's short of a denial of service attack. However,
there can be legitimate reasons for one source IP-address opening up so many
simultaneous connections. Like when a search engine is spidering your
site(s). Or when someone uses a download manager like wget to fetch your
entire website. Or when someone uses Acrobat to turn your entire website into
a PDF ... you get the drift. :o)
But if so, then not all of the connections should be "TIME_WAIT" unless the
"rush" is over and all connections are now timing out.
To be sure I'd grep /var/log/httpd/access for the offending ip-address to see
if it is requesting separate URLs and pages, or if all of the requests go to
the same URL. If it's the latter, then it's most likely not legitimate or even
"good" traffic and I'd blacklist the offending IP.
What else you could do is to run "tcpdump" (a very basic network sniffer) for
a while (write the output to a file) and then go through it to analyse the
data sent back and forth to the offending ip-address.
--
With best regards,
Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
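The two checks described in the mail above (count port-80 connections per source IP and state from netstat output, then see whether that source is fetching many different URLs or hammering one) as an added shell example; this is not part of the original message or any Cobalt tooling. The netstat and Apache access-log lines are constructed samples, the IP addresses and the connection threshold of 3 are assumptions, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original mail: triage of many port-80
# connections from one source, following the netstat and access-log checks.
# Everything below is constructed sample data, not a real capture.

# Constructed "netstat -a -n" output (Linux column layout).
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             194.200.0.1:40001       TIME_WAIT
tcp        0      0 10.0.0.5:80             194.200.0.1:40002       TIME_WAIT
tcp        0      0 10.0.0.5:80             194.200.0.1:40003       TIME_WAIT
tcp        0      0 10.0.0.5:80             194.200.0.1:40004       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51000       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51001       TIME_WAIT
tcp        0      0 10.0.0.5:80             203.0.113.7:51002       TIME_WAIT
tcp        0      0 10.0.0.5:22             198.51.100.9:60000      ESTABLISHED'

# Constructed Apache common-log lines (what /var/log/httpd/access would hold).
ACCESS_SAMPLE='194.200.0.1 - - [11/Feb/2002:20:00:01 +0100] "GET /index.html HTTP/1.0" 200 1234
194.200.0.1 - - [11/Feb/2002:20:00:01 +0100] "GET /index.html HTTP/1.0" 200 1234
194.200.0.1 - - [11/Feb/2002:20:00:02 +0100] "GET /index.html HTTP/1.0" 200 1234
203.0.113.7 - - [11/Feb/2002:20:00:03 +0100] "GET /about.html HTTP/1.0" 200 512
203.0.113.7 - - [11/Feb/2002:20:00:04 +0100] "GET /products.html HTTP/1.0" 200 900'

# Port-80 TCP connections grouped by foreign IP and state, one
# "ip state count" line each. Matching the local port with /:80$/ avoids
# the false hits a plain grep ":80" would give on ports like 8080.
port80_by_source() {
    printf '%s\n' "$NETSTAT_SAMPLE" |
        awk '$1 == "tcp" && $4 ~ /:80$/ { split($5, a, ":"); print a[1], $6 }' |
        sort | uniq -c | awk '{ print $2, $3, $1 }'
}

# Total port-80 connections, the number the "... | wc -l" one-liner gives.
count_port80() {
    port80_by_source | awk '{ n += $3 } END { print n + 0 }'
}

# Distinct request URLs one IP has asked for ($7 is the path in common log
# format). Many connections but a single URL points at hammering, not a crawl.
distinct_urls_for_ip() {
    printf '%s\n' "$ACCESS_SAMPLE" |
        awk -v ip="$1" '$1 == ip { print $7 }' | sort -u | wc -l | tr -d ' '
}

# Verdict for one IP: "suspicious" when it holds at least $threshold port-80
# connections yet requests only one URL, "crawl-like" when it spreads the
# requests over several URLs, "quiet" otherwise. Threshold is an assumption.
classify_ip() {
    ip="$1"; threshold="${2:-3}"
    conns=$(port80_by_source | awk -v ip="$ip" '$1 == ip { n += $3 } END { print n + 0 }')
    urls=$(distinct_urls_for_ip "$ip")
    if [ "$conns" -ge "$threshold" ] && [ "$urls" -le 1 ]; then
        echo suspicious
    elif [ "$conns" -ge "$threshold" ]; then
        echo crawl-like
    else
        echo quiet
    fi
}

# Stand-alone run: print the per-source table and a verdict per IP.
port80_by_source
for ip in 194.200.0.1 203.0.113.7 198.51.100.9; do
    echo "$ip: $(classify_ip "$ip")"
done
```

On a real box, replace the two sample variables with `netstat -a -n` output and the access log, and treat the verdict as a prompt for the log review and tcpdump look the mail suggests, not as an automatic blacklist decision.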