Loads of connections to server causing websites to run slow
Hi,
I am having a bit of trouble over the last couple of days with my websites running slow. I've had a look at my mrtg graphs and it appears that there are an unusually large number of open TCP connections as you can see here:
When I stop httpd the connections go away, but as soon as I restart it they come back. Do you think someone is doing this on purpose? And is there a way of finding the IP that is opening up so many connections so I can block it? (Hopefully it is only one IP.)
Any help will be much appreciated,
Thanks
EDIT: it also seems to be using up a good 5-6Mbps of bandwidth
I think I might have sorted it. I ran netstat -punta and saw loads of connections from one IP address, so I have blocked it using iptables and restarted httpd.
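The netstat check described above, worked through as an added example (not from the thread's posters): it aggregates `netstat -punta` output by remote address so one IP holding far more connections than everyone else stands out, and lists the addresses above a threshold. The column layout assumed is the Linux net-tools one; the sample lines and addresses are constructed.

```shell
# Aggregate netstat -punta output by remote IP, busiest first.
# Assumed column layout (Linux net-tools):
#   Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

# Print "count remote_ip" for every non-listening TCP socket, sorted descending.
# The port is stripped by removing the trailing ":<port>", which also works for
# IPv6-mapped foreign addresses such as ::ffff:203.0.113.45:51234.
top_remote_ips() {
    awk '$1 ~ /^tcp/ && $6 != "LISTEN" {
            ip = $5
            sub(/:[^:]*$/, "", ip)
            n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print only the remote IPs holding at least $1 connections: the candidates to
# look at (and, if they turn out to be hostile, to block with iptables).
over_threshold() {
    top_remote_ips | awk -v limit="$1" '$1 >= limit { print $2 }'
}

# Constructed sample in netstat -punta format: one address (203.0.113.45)
# hammering port 80, two ordinary clients, and the httpd listening socket.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 192.0.2.10:80           203.0.113.45:51234      ESTABLISHED 1240/httpd
tcp        0      0 192.0.2.10:80           203.0.113.45:51235      ESTABLISHED 1241/httpd
tcp        0      0 192.0.2.10:80           203.0.113.45:51236      SYN_RECV    -
tcp        0      0 192.0.2.10:80           203.0.113.45:51237      ESTABLISHED 1242/httpd
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      ESTABLISHED 1243/httpd
tcp        0      0 192.0.2.10:80           198.51.100.7:40002      TIME_WAIT   -
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.9:5000 ESTABLISHED 1244/httpd'

# Live use on the server would be:  netstat -punta | top_remote_ips | head
printf '%s\n' "$SAMPLE" | top_remote_ips
printf '%s\n' "$SAMPLE" | over_threshold 3
```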
That sounds like you're getting whacked by our friends in Korea, China or perhaps eastern Europe? You may want to take a look at DenyHosts at http://denyhosts.sourceforge.net. When those wonderful sites try breaking in (usually by trying to get through SSH plus other tricks), one of your system logs (/var/log/messages in my case) records that and DenyHosts essentially notices and adds the IP address of the offender to /etc/hosts.deny (this is quite effective, by the way). It also reports the IP address to a central repository to be shared with other "victims."
It's worth a look, another tool in the arsenal, and you don't really have to mess with it -- runs as a daemon, cleans up after itself, and really reduces the problem.
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-04-28 21:33 CST
Interesting ports on server1.bellonline.co.uk (91.186.4.51):
Not shown: 1660 closed ports
PORT STATE SERVICE
1/tcp open tcpmux
21/tcp open ftp
22/tcp open ssh
25/tcp filtered smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp filtered microsoft-ds
465/tcp open smtps
631/tcp open ipp
993/tcp open imaps
995/tcp open pop3s
1720/tcp filtered H.323/Q.931
3306/tcp open mysql
8000/tcp open http-alt
Nmap finished: 1 IP address (1 host up) scanned in 102.843 seconds
Unless you need all of these ports, I suggest you close off all the ones you do not need. Also change the SSH port to a non-standard port to slow down automated attacks. You also should upgrade Apache to 2.2.4 instead of running version 1.3.
Are you running this from home on a DSL connection? Maybe you should tighten your firewall on your modem/router and also run a firewall on your Linux box too. Use tor (installed on that machine or another machine), to test your open ports on your server using nmap.
I'll look into changing SSH to a non-standard port. I do need the ports open as I run websites and email, and need external sites to be able to use the MySQL on the server. There are also a few SHOUTcast servers on there, so other ports are open. I have been advised not to change to Apache2 as I have cPanel/WHM installed on the server and it is apparently very buggy when used with Apache2.
The IP that I blocked was from Macedonia.
I'll have a look at DenyHosts; it looks interesting.
You don't want the Windows networking ports or the printing port open on the outside-facing interface.
You might want the MySQL port to be going through an SSH tunnel instead, or connect your remote sites together via VPN. With the Active Directory and Windows networking ports open, it looks like your website is located in a LAN instead of outside in a DMZ.