  1. #1
    Just Joined!
    Join Date
    Nov 2004
    Posts
    48

    Server transmitting?


    Oddly, my server that usually does not get any traffic seems to be sending and receiving like crazy! Does anyone have any suggestions on what I can do to figure out what is going on?

    I have closed port forwarding to the outside world, but the server is still transmitting.

    I am running Debian, and I have SSH access to the server.

    Thank you!

  2. #2
    Linux Enthusiast
    Join Date
    Dec 2004
    Posts
    637
    What is it transmitting? What services are running or installed on the server, what does /var/log/messages reveal, have you done a security audit? Type last | head as root to see the last logons. We need a little more information.

  3. #3
    Just Joined!
    Join Date
    Nov 2004
    Posts
    48
    I am not sure what it is transmitting. I have never done this before, so if you could point me in the right direction of how to find out I would appreciate it.

    Services that are running: Apache2, SSH, MYSQL, Samba, that's about it (PHP too if that matters).

    In /var/log/messages nothing looks out of the ordinary to me, but I do have many lines that look like this (with different time stamps):

    Sep 26 08:22:01 localhost -- MARK --

    Logins look normal (all by me from clients I would expect).

    I did notice that I just installed logwatch, and it has an odd entry in the cron jobs. It reads:

    Commands Run:
    User root:
    run-parts --report /etc/cron.hourly: 24 Time(s)
    [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -r -0 rm: 48 Time(s)
    test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily: 1 Time(s)

    I will look into doing a security audit.

  5. #4
    Linux Enthusiast
    Join Date
    Dec 2004
    Posts
    637
    The -- MARK -- entries are normal. As for the cron entries, it appears to be a PHP script performing maintenance and/or logging.

    It is common to see servers chatter, especially on networks with Windows machines. RPC, SMB/CIFS are known to chatter a lot as well as DNS and DHCP. I wouldn't worry about the chatter unless you see signs of intrusion. What made you notice the chatter in the first place? Use Ethereal to really see all the chatter. All networks are noisy if you really get down to the "nitty/gritty."

  6. #5
    Just Joined!
    Join Date
    Nov 2004
    Posts
    48
    Thank you for the help! The reason why I ask is because this has never happened to any of my other servers.

    I looked at my firewall log, and I notice that I have MANY (100+) entries of this:

    INTERNAL Protocol EXTERNAL NAT Priority State DIR Timeout
    192.168.0.113:52808 UDP 68.87.64.146:53 52808 130 - Out 300
    192.168.0.113:52807 UDP 68.87.75.194:53 52807 130 - Out 300

    It seems that there is something coming from my ISP's DNS servers? Is this normal to have all of these active sessions?

    EDIT: I stand corrected. It seems that my server is sending something out to these DNS servers. Any ideas?

  7. #6
    Linux Enthusiast
    Join Date
    Dec 2004
    Posts
    637
    As root, type netstat -vatn and post the results and redact any identifying information.

    In addition, I did an nslookup on the first IP and yes, that is a comcast server using the common DNS port 53. Have you been using any type of IM software and/or FTP software on this machine? These ports are common client ports for Red Hat and Fedora and as I have previously mentioned, are common RPC ports.

  8. #7
    Just Joined!
    Join Date
    Nov 2004
    Posts
    48
    I have not run any IM software on the server. I am trying to keep it as a server only, so I don't even have X11 installed (Which is standard on Debian).

    Here are the results of netstat:

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:793 0.0.0.0:* LISTEN
    tcp 0 0 192.168.0.113:25 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
    tcp 0 14 192.168.0.113:25 211.208.174.16:1077 ESTABLISHED
    tcp 0 0 192.168.0.113:25 200.168.6.43:3295 ESTABLISHED
    tcp 0 0 192.168.0.113:25 80.245.113.151:3443 ESTABLISHED
    tcp 0 14 192.168.0.113:25 201.21.151.183:4699 ESTABLISHED
    tcp 0 0 192.168.0.113:25 201.220.68.27:4240 ESTABLISHED
    tcp 1 0 192.168.0.113:25 200.28.244.146:4754 CLOSE_WAIT
    tcp 0 0 192.168.0.113:25 82.104.3.42:1549 ESTABLISHED
    tcp 0 0 192.168.0.113:25 200.89.123.64:1902 ESTABLISHED
    tcp 0 0 192.168.0.113:25 219.153.4.98:3775 ESTABLISHED
    tcp 0 14 192.168.0.113:25 211.234.93.146:1816 ESTABLISHED
    tcp 0 1 192.168.0.113:34225 200.28.244.146:113 SYN_SENT
    tcp 0 14 192.168.0.113:25 200.71.62.100:4909 ESTABLISHED
    tcp 0 56 192.168.0.113:25 201.27.26.188:2417 ESTABLISHED
    tcp 0 0 192.168.0.113:25 211.199.105.174:3466 ESTABLISHED
    tcp 0 0 192.168.0.113:25 219.133.59.10:3103 ESTABLISHED
    tcp 0 0 192.168.0.113:25 219.133.59.10:4184 ESTABLISHED
    tcp 0 0 192.168.0.113:25 200.208.227.121:2598 ESTABLISHED
    tcp6 0 0 :::995 :::* LISTEN
    tcp6 0 0 :::110 :::* LISTEN
    tcp6 0 0 :::80 :::* LISTEN
    tcp6 0 0 :::22 :::* LISTEN
    tcp6 0 3216 ::ffff:192.168.0.113:22 ::ffff:192.168.0.:33237 ESTABLISHED
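The listing above is what the thread reads by eye: a handful of LISTEN sockets and a long run of ESTABLISHED sessions all terminating on local port 25. The script below is an added example (not code from the thread) that does the same triage over `netstat -atn` output on stdin: it counts established sessions per local port, lists ports bound to every interface, and flags the local port with the most distinct peers once it passes a threshold. The embedded sample is constructed in the same format as the listing, with documentation-range addresses instead of the ones in the post.

```shell
#!/bin/sh
# Constructed sample of `netstat -atn` output, in the same layout as the
# listing in the thread; addresses are made up (documentation ranges).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.113:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
tcp 0 14 192.168.0.113:25 203.0.113.10:1077 ESTABLISHED
tcp 0 0 192.168.0.113:25 198.51.100.7:3295 ESTABLISHED
tcp 0 0 192.168.0.113:25 203.0.113.45:3443 ESTABLISHED
tcp 1 0 192.168.0.113:25 198.51.100.9:4754 CLOSE_WAIT
tcp 0 1 192.168.0.113:34225 198.51.100.9:113 SYN_SENT
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 3216 ::ffff:192.168.0.113:22 ::ffff:192.168.0.2:33237 ESTABLISHED'

# All functions read netstat -atn output on stdin. The port is the last
# ":"-separated element of the address, which also works for ":::80" and
# "::ffff:192.168.0.113:22".

# established_by_port: ESTABLISHED sessions per local port, busiest first,
# printed as "<port> <count>".
established_by_port() {
    awk '$6 == "ESTABLISHED" { n = split($4, a, ":"); c[a[n]]++ }
         END { for (p in c) print p, c[p] }' |
    sort -k2,2nr -k1,1n
}

# listening_on_all: listening ports bound to every interface (0.0.0.0 or ::).
# Those are reachable from the LAN and from any forwarded port; note that a
# socket bound to the LAN address (like :25 above) is still reachable through
# port forwarding, so check those by hand as well.
listening_on_all() {
    awk '$6 == "LISTEN" && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) {
             n = split($4, a, ":"); print a[n] }' |
    sort -n
}

# flag_busy_port [THRESHOLD]: the local port with the most distinct
# ESTABLISHED peers (address:port), printed as "<port> <peers>" when that
# number reaches THRESHOLD (default 3); prints nothing otherwise.
flag_busy_port() {
    awk -v t="${1:-3}" '
        $6 == "ESTABLISHED" { n = split($4, a, ":"); peers[a[n] " " $5] = 1 }
        END {
            for (k in peers) { split(k, kk, " "); d[kk[1]]++ }
            best = ""
            for (p in d) if (d[p] >= t && (best == "" || d[p] > d[best])) best = p
            if (best != "") print best, d[best]
        }'
}

# Usage on the constructed sample; on a live host replace the printf with
# `netstat -atn |` (or `ss -tan |`, which uses the same column layout).
printf '%s\n' "$SAMPLE" | established_by_port
printf '%s\n' "$SAMPLE" | listening_on_all
printf '%s\n' "$SAMPLE" | flag_busy_port 3
```

On the sample, `flag_busy_port 3` reports `25 3`: three unrelated hosts holding SMTP sessions open on a box that is not meant to receive mail, which is the pattern the thread eventually traces to exim4.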

  9. #8
    Just Joined!
    Join Date
    Nov 2004
    Posts
    48
    I found my problem. Apparently I need to read up on configuring exim4. I checked the exim4 mainlog file and it was filled with attempted mail relays! I stopped exim4 and killed all of its processes. Now all is quiet.

    If anyone has any suggested reads on properly configuring exim4 behind a firewall (NAT) I would appreciate it.

  10. #9
    Linux Enthusiast
    Join Date
    Dec 2004
    Posts
    637
    Glad to hear that you found the problem and at least you didn't get blacklisted!

  11. #10
    Just Joined!
    Join Date
    Nov 2004
    Posts
    48
    Quote Originally Posted by gtmtnbiker98
    Glad to hear that you found the problem and at least you didn't get blacklisted!
    I guess I will see if I did when I properly configure things. I use a "smarthost" to send all of my outgoing mail through, so I am hoping I am ok.

    Thank you again for your help! I learned some useful commands that I know I will be using in the future!
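Post #8 asks how to configure exim4 behind NAT and post #10 mentions sending through a smarthost. On Debian the relevant settings live in /etc/exim4/update-exim4.conf.conf (written by `dpkg-reconfigure exim4-config`): the configuration type, which interfaces the daemon listens on, and which networks may relay. The script below is an added example, not from the thread or the exim project, that audits such a file for the three settings that let a box accept mail from the network. The key names are Debian's real ones; both configurations are constructed for the illustration.

```shell
#!/bin/sh
# Two constructed /etc/exim4/update-exim4.conf.conf contents. Key names are
# Debian's; the values are made up. WEAK_CONF accepts mail from anyone on
# any interface; SMARTHOST_CONF only sends, via an upstream relay.
WEAK_CONF="dc_eximconfig_configtype='internet'
dc_local_interfaces=''
dc_relay_nets='192.168.0.0/24'
dc_smarthost=''"

SMARTHOST_CONF="dc_eximconfig_configtype='smarthost'
dc_local_interfaces='127.0.0.1 ; ::1'
dc_relay_nets=''
dc_smarthost='smtp.example.net::587'"

# conf_value KEY CONF: the value of KEY with its single quotes stripped.
conf_value() {
    printf '%s\n' "$2" | sed -n "s/^$1='\(.*\)'\$/\1/p"
}

# audit_exim4_conf CONF: one line per finding; nothing when the configuration
# keeps exim4 from accepting mail from the network.
audit_exim4_conf() {
    conf="$1"
    type=$(conf_value dc_eximconfig_configtype "$conf")
    ifaces=$(conf_value dc_local_interfaces "$conf")
    relay=$(conf_value dc_relay_nets "$conf")
    smarthost=$(conf_value dc_smarthost "$conf")

    # 'internet' makes exim4 a full MTA that accepts inbound SMTP; a host that
    # only sends should be 'smarthost' (via an ISP relay) or 'local'.
    case "$type" in
        internet) echo "configtype 'internet' accepts mail from the network; use 'smarthost' or 'local'" ;;
        smarthost) [ -n "$smarthost" ] || echo "configtype 'smarthost' but dc_smarthost is empty" ;;
    esac

    # An empty dc_local_interfaces means "listen on every interface".
    if [ -z "$ifaces" ]; then
        echo "dc_local_interfaces is empty: exim4 listens on all interfaces; set '127.0.0.1 ; ::1'"
    else
        old_ifs=$IFS; IFS=';'
        for i in $ifaces; do
            i=$(printf '%s' "$i" | tr -d ' ')
            case "$i" in
                127.0.0.1|::1) ;;
                *) echo "dc_local_interfaces exposes $i to the network" ;;
            esac
        done
        IFS=$old_ifs
    fi

    # Any network listed here may relay through this host without authentication.
    [ -z "$relay" ] || echo "dc_relay_nets='$relay' lets those networks relay; keep it empty unless required"
}

# audit_count CONF: number of findings, for scripting.
audit_count() {
    audit_exim4_conf "$1" | awk 'END { print NR }'
}

echo "weak:";      audit_exim4_conf "$WEAK_CONF"
echo "smarthost:"; audit_exim4_conf "$SMARTHOST_CONF"
```

On a live Debian host, `audit_exim4_conf "$(cat /etc/exim4/update-exim4.conf.conf)"` runs the same checks; after changing the file, `update-exim4.conf` regenerates the active configuration and `ss -tan | grep ':25 '` confirms the daemon is bound to loopback only. Binding to loopback does not stop local mail from going out through the smarthost, which is the setup post #10 describes.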
