Netstat output...CLOSE_WAIT...security

briwood · 06-11-2007, 10:33 AM

Hi,

I'm a bit inexperienced in networking... If anyone has suggestions/pointers they would be much appreciated.

When I ssh to my router (a linksys wrt54g running VeryBusyBox v1.2.1 (DD-WRT v23 SP2) and do a netstat -a I see a bunch of CLOSE_WAIT connections from random places. (BTW - tried asking in the DD-WRT forums, but no love.)

Code:

~ # netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:domain                *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:https                 *:*                     LISTEN
tcp        1      0 DD-WRT:https            222.216.28.147:1871     CLOSE_WAIT
tcp      294      0 DD-WRT:https            222.216.28.147:3091     CLOSE_WAIT
tcp       47      0 DD-WRT:https            intra-works.com:3353    CLOSE_WAIT
tcp        4      0 DD-WRT:https            222.216.28.147:3107     CLOSE_WAIT
tcp      360      0 DD-WRT:https            hn.kd.ny.adsl:4991      CLOSE_WAIT
tcp        1      0 DD-WRT:https            222.216.28.147:2199     CLOSE_WAIT
tcp       10      0 DD-WRT:https            222.216.28.147:3263     CLOSE_WAIT
tcp      294      0 DD-WRT:https            222.216.28.147:1705     CLOSE_WAIT
tcp    32345      0 DD-WRT:3121             192.168.1.200:9000      ESTABLISHED
tcp        1      0 DD-WRT:https            222.216.28.147:2654     CLOSE_WAIT
tcp      360      0 DD-WRT:https            hn.kd.ny.adsl:1410      CLOSE_WAIT
tcp      294      0 DD-WRT:https            222.216.28.147:3856     CLOSE_WAIT
tcp        0      0 69-12-152-227.dsl.:4658 checkip.chi.dyndns.:www CLOSE_WAIT
tcp        0   3580 DD-WRT:ssh              b2105-210j-2.Chanc:1974 ESTABLISHED
tcp        4      0 DD-WRT:https            222.216.28.147:4568     CLOSE_WAIT
tcp      294      0 DD-WRT:https            222.216.28.147:3524     CLOSE_WAIT
tcp      242      0 DD-WRT:https            hn.kd.ny.adsl:2642      CLOSE_WAIT
tcp      360      0 DD-WRT:https            hn.kd.ny.adsl:1624      CLOSE_WAIT
tcp        1      0 DD-WRT:https            122.200.64.111:3995     CLOSE_WAIT
tcp        4      0 DD-WRT:https            222.216.28.147:1666     CLOSE_WAIT
tcp       10      0 DD-WRT:https            222.216.28.147:4520     CLOSE_WAIT
tcp      294      0 DD-WRT:https            222.216.28.147:1466     CLOSE_WAIT
tcp        1      0 DD-WRT:https            122.200.64.111:2211     CLOSE_WAIT
tcp        4      0 DD-WRT:https            222.216.28.147:4780     CLOSE_WAIT
tcp      360      0 DD-WRT:https            hn.kd.ny.adsl:1576      CLOSE_WAIT
tcp        0      0 DD-WRT:3360             192.168.1.200:9000      ESTABLISHED
tcp        4      0 DD-WRT:https            222.216.28.147:3748     CLOSE_WAIT
udp        0      0 *:2056                  *:*
udp        0      0 *:domain                *:*
udp        0      0 *:bootps                *:*
raw        0      0 *:255                   *:*                     0
raw        0      0 *:255                   *:*                     0
raw        0      0 *:255                   *:*                     0
raw        0      0 *:255                   *:*                     0
raw        0      0 *:255                   *:*                     0
raw        0      0 *:255                   *:*                     0
raw        0      0 *:255                   *:*                     0
raw        0      0 *:255                   *:*                     0
raw        0      0 *:255                   *:*                     0
raw        0      0 *:255                   *:*                     0
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  3      [ ]         STREAM     CONNECTED     54093130
unix  3      [ ]         STREAM     CONNECTED     54093129
unix  3      [ ]         STREAM     CONNECTED     26326584
unix  3      [ ]         STREAM     CONNECTED     26326583
~ #

The only established connections are me. What are these CLOSE_WAIT connections? Are they people trying to hack my web ui password? Should I be worried?

I have a dyndns domain pointing at my router so that I can get to it remotely.

In an effort to fix these close_wait connections I tried adding these settings:

Quote:

Enter the following values at 'IP Filter Settings'

* Maximum Ports: 4096
* TCP Timeout (s): 3600 to 90 (decrease if you have many TCP connections)
* UDP Timeout (s): 3600 to 90 (decrease if you have many UDP connections)

...but the problem persists.

Here ps output on the router while these other connections are present.

Code:

~ # ps
  PID  Uid     VmSize Stat Command
    1 root        452 S   /sbin/init noinitrd
    2 root            SW  [keventd]
    3 root            RWN [ksoftirqd_CPU0]
    4 root            SW  [kswapd]
    5 root            SW  [bdflush]
    6 root            SW  [kupdated]
   12 root            SW  [mtdblockd]
   15 root        256 S   /sbin/watchdog
10693 root       1060 R   httpd -S
13555 root        304 S   resetbutton
13606 root        368 S   dnsmasq --conf-file /tmp/dnsmasq.conf
13609 root        296 S   /sbin/wland
13663 root        468 S   dropbear -b /tmp/loginprompt -r /tmp/root/.ssh/ssh_ho
13823 root        348 S   process_monitor
13827 root        308 S   inadyn --input_file /tmp/ddns/inadyn.conf
13871 root        276 S   /usr/sbin/cron
13913 root        268 S   udhcpc -i vlan1 -p /var/run/udhcpc.pid -s /tmp/udhcpc
18984 root            Z   [sh]
  959 root        764 R   dropbear -b /tmp/loginprompt -r /tmp/root/.ssh/ssh_ho
  962 root        528 S   -sh
 3711 root        404 R   ps
~ #

If I restart httpd I can get rid of all these close_wait connections and the web ui for the router is much quicker. (Web UI is protected by a very long password.)

I have ssh access and https turned on. I have port 9000 forwarded to a box on my lan (the app listening there, only accepts connections from one ip).

Any explanation/suggestions/pointers would be very much appreciated.

camh · 06-11-2007, 08:23 PM

It looks like people scanning your box or basically trying to exploit it. Is there a reason you need HTTPS access from outside your local network? If not, just disable/restrict this access from the internet.

briwood · 06-12-2007, 10:24 AM

Thanks much for the reply. Yep that makes a lot of sense. The CLOSE_WAITs were all via https, so disabling remote access to the gui seems like a likely fix. I did that last night, and so far the problem has not reemerged.

nx5000 · 06-12-2007, 10:37 AM

Quote:

What are these CLOSE_WAIT connections

I think your TCP/IP application on this machine is broken. It does not have a big implication AFAIK, apart from the fact that it can fill up your connection list (I think there is no timeout on this state so it will stay forever)

You should not see this, you should go directly to LAST_ACK state which is waiting for the client to close. If it doesn't arrive in 240 seconds (something like this), it goes to closed and is removed from the connection list.