Download your favorite Linux distribution at LQ ISO.
Go Back > Forums > Linux Forums > Linux - General
User Name
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.


  Search this Thread
Old 04-28-2007, 07:17 AM   #1
Registered: Nov 2006
Posts: 54

Rep: Reputation: 15
Loads of connections to server causing websites to run slow


I am having a bit of trouble over the last couple of days with my websites running slow. I've had a look at my mrtg graphs and it appears that there are an unusually large number of open TCP connections as you can see here:

When I stop httpd the connections go away but as soon as I restart it they come back - do you think someone is doin this on purpose? and is there a way of findong the IP that is opening up so many connections so I can block it? (hopefully it is only 1 IP)

Any help will be much appreciated,


EDIT: it also seems to be using up a good 5-6Mbps of bandwidth

Last edited by GavB; 04-28-2007 at 07:18 AM.
Old 04-28-2007, 07:46 AM   #2
Registered: Nov 2006
Posts: 54

Original Poster
Rep: Reputation: 15
I think I might have sorted it, I ran netstat -punta and saw loads of connections from on IP address so have blocked it using iptables and restarted httpd.

All seems normal now
Old 04-28-2007, 07:53 AM   #3
Senior Member
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1060Reputation: 1060Reputation: 1060Reputation: 1060Reputation: 1060Reputation: 1060Reputation: 1060Reputation: 1060
That sounds like you're getting whacked by our friends in Korea, China or perhaps eastern Europe? You may want to take a look at DenyHosts at When those wonderful sites try breaking in (usually by trying to get through SSH plus other tricks), one of your system logs (/var/log/messages in my case) records that and DenyHosts essentially notices and adds the IP address of the offender to /etc/hosts.deny (this is quite effective, by the way). It also reports the IP address to a central repository to be shared with other "victims."

It's worth a look, another tool in the arsenal, and you don't really have to mess with it -- runs as a daemon, cleans up after itself, and really reduces the problem.
Old 04-28-2007, 08:20 AM   #4
Registered: Apr 2007
Location: Adelaide, Australia
Distribution: Ubuntu 8.10 and 7.10 server
Posts: 95

Rep: Reputation: 15

These are the ports that are open on your server
Starting Nmap 4.11 ( ) at 2007-04-28 21:33 CST
Interesting ports on (
Not shown: 1660 closed ports
1/tcp    open     tcpmux
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   filtered smtp
53/tcp   open     domain
80/tcp   open     http
110/tcp  open     pop3
111/tcp  open     rpcbind
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap
443/tcp  open     https
445/tcp  filtered microsoft-ds
465/tcp  open     smtps
631/tcp  open     ipp
993/tcp  open     imaps
995/tcp  open     pop3s
1720/tcp filtered H.323/Q.931
3306/tcp open     mysql
8000/tcp open     http-alt

Nmap finished: 1 IP address (1 host up) scanned in 102.843 seconds
Unless you need all of these ports I sugest you close off all the ones you do not need. Also change the ssh port to a nonstandard port to slow down automated attacks. You also should upgrade apache to 2.2.4 instead of running version 1.3.
Are you running this from home on a DSL connection? Maybe you should tighten your firewall on your modem/router and also run a firewall on your Linux box too. Use tor (installed on that machine or another machine), to test your open ports on your server using nmap.
Old 04-28-2007, 09:24 AM   #5
Registered: Nov 2006
Posts: 54

Original Poster
Rep: Reputation: 15
Hi, thanks for all of your advice

I'll look in to changing SSH to a non standard port, I do need the ports open as I run websites, email, and need externat sites to be able to use the mysql on the server. There are also a few shoutcast servers on there so other ports are open. I have been advised not to change to Apache2 as I have cPanel/WHM installed on the server and it is apparently very buggy when used with Apache2.

The IP that I blocked was from Macedonia.

I'll have a look at denyhosts, it looks interesting.
Old 04-28-2007, 09:30 AM   #6
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 677Reputation: 677Reputation: 677Reputation: 677Reputation: 677Reputation: 677
Some of these ports should not be open on the internet.
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
631/tcp open ipp
You don't want the windows networking ports or the printing port open on the outside facing interface.

You might want the mysql port to be going through an ssh tunnel instead. Or connect your remote sites together via vpn. With the active directory and Windows networking ports open, it looks like your website is located in a LAN instead of outside in a DMZ.

Last edited by jschiwal; 04-28-2007 at 09:36 AM.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Need help determining what's causing a server to be slow ImLagging Linux - General 4 12-07-2006 12:28 AM
Firefox problem: "a script in this movie is causing MM-Flashplayer7 to run slow" oskar Linux - General 2 09-05-2006 02:01 AM
LILO loads slow devit Linux - Laptop and Netbook 2 08-05-2006 10:30 AM
Slow page loads! Lul2x Linux - Software 4 06-27-2004 12:56 PM
NFS Server causing SLOW System mudelf Linux - Software 0 09-24-2003 06:35 AM > Forums > Linux Forums > Linux - General

All times are GMT -5. The time now is 05:43 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration