  1. #1
    Just Joined!
    Join Date
    Jan 2009
    Posts
    8

    Strange http connection


    I do see there is an attack on our server and am able to see the HTTP connections as mentioned below

    netstat -anp |grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort


    1 78.60.147.216
    18 208.51.221.64
    1 84.169.231.166
    1 96.235.185.46
    2 202.156.10.11
    2 208.76.83.136
    25 204.8.241.140
    25 66.29.214.168
    31 74.86.121.93
    320
    3 60.49.62.207
    37 74.125.77.121

    We do see an entry with a count of 320 connections without any IP address, and could not find the IP address from which the connections are being established in such large numbers.

    Any suggestions are appreciated.
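
Added example, not part of any post in this thread: the pipeline in post #1 keeps only the text before the first colon of the foreign address, so every peer that netstat prints in IPv6 form (including IPv4-mapped `::ffff:a.b.c.d` peers and the `:::*` listener row) lands in one bucket with an empty key. The script below counts peers by splitting on the last colon instead; the sample lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (documentation addresses, not from the thread).
sample_netstat() {
cat <<'EOF'
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51240      TIME_WAIT
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.9:40000 ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.9:40001 SYN_RECV
tcp6       0      0 2001:db8::10:80         2001:db8::99:41000      ESTABLISHED
tcp        0      0 192.0.2.10:45000        198.51.100.50:80        ESTABLISHED
EOF
}

# Text-processing part of the pipeline from post #1, kept for comparison.
thread_pipeline() {
  grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort
}

# Count connections to local port $1 per remote address (netstat lines on stdin).
peers_by_count() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && $6 != "LISTEN" {
      lp = $4; sub(/.*:/, "", lp)   # local port = text after the LAST colon
      if (lp != port) next          # skip outbound connections to a remote :80
      r = $5
      sub(/:[^:]*$/, "", r)         # drop the remote port only
      sub(/^::ffff:/, "", r)        # unwrap IPv4-mapped IPv6 peers
      n[r]++
    }
    END { for (a in n) printf "%d %s\n", n[a], a }
  ' | sort -k1,1nr -k2,2
}

echo "post #1 pipeline:";  sample_netstat | thread_pipeline
echo "per-peer counts:";   sample_netstat | peers_by_count 80
```

On a live host, feed it with `netstat -ant | peers_by_count 80`.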

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    You could block/drop all packets that do not have a source address at the firewall.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Jan 2009
    Posts
    8
    Could you let me know how to do that (with iptables)???

  4. #4
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    You should first try this in a test env to ensure nothing else will be affected.

    Code:
    iptables -A <INPUT/FORWARD> -s 0.0.0.0/32 -j DROP
    Using either INPUT or FORWARD as needed because I do not know where and how your firewall is set up. You could also add an interface to this rule so it is only applied to that interface and so on. This is just a basic rule. You should already be dropping new packets that are not SYN packets.

    Regards
    Robert

  5. #5
    Just Joined! vishesh's Avatar
    Join Date
    Jul 2009
    Location
    Delhi
    Posts
    36

    hosts.deny

    You can also use
    /etc/hosts.deny

    Thanks
