On Sat, 2006-02-04 at 13:22 +0100, Johannes Wiedersich wrote:
> I have a web- and mail server that shows strange outbound connections.
>
> If I
>
> llserv:~# cat /proc/net/ip_conntrack
>
> I get lines like this (one line, wrapped by e-mail editor):
>
> tcp 6 362459 ESTABLISHED src=my.server.s.ip dst=84.145.105.4
> sport=80 dport=1575 [UNREPLIED] src=84.145.105.4 dst=my.server.s.ip
> sport=1575 dport=80 use=1
>
> This appears as an 'outbound connection on port 1575' on my firewall
> gui. There are quite a few of those and they stay for days (probably
> more than a week), until they 'magically' disappear again. The port
> numbers are all large, say larger than 1024 and up to about 60000 and
> all different.
Connection tracking is used to track 'established' connections, to allow you to, for example, block outbound connections from your server unless there was first an incoming connection on an allowed port. You're running a webserver, so the connection you listed with a destination port of 80 seems perfectly fine. The remote side of the connection is using a higher port number; this is common, I believe. Usually ports under 1024 or whatever are restricted, requiring root access (unix), and therefore are used for listening server services such as www, ftp, etc.

On my webserver I set up outbound connection blocking for connections that were not first established on my allowed inbound ports. This has helped me prevent my servers from being used as DDOS zombies for script kiddies. Several times, faulty customer CGIs were tricked into allowing arbitrary commands to run, and so programs were being installed in /tmp and used to establish new outbound connections (to call home, DOS or whatever).

> netstat -a --numeric
> or netstat -plant
>
> doesn't report anything on these connections.
>
> lsof -i
>
> doesn't either.
>
> I've run chkrootkit on the filesystem from a Knoppix CD and it found
> nothing.
>
> I've run ethereal for hours and it found nothing.
>
> If I
> llserv:~# grep "84.145.105.4" /var/log/apache2/access.log
>
> I see some hits, but they are days old and all have a http status code
> of 200 (OK), 304 (not modified) or 206 (partial content).
>
> From all this I would guess that nothing is wrong; however, I am still
> slightly worried why my server would initiate an outgoing connection on
> non-standard ports to 'strange' IPs (i.e. ones without dns entries).
>
> How could I make *sure* that everything is ok?

I think you did everything there is to do. Some people on this list may have additional suggestions, and I am sure a few might recommend you read the Securing Debian Manual.

> How could I determine which process matches this connection?
What processes do you have listening on port 80? Unless you notice a strange process listening there, not apache, or you are afraid your server has been rooted (you can't trust anything then), I wouldn't worry much about it. Also, I would maybe be concerned if I could not find the connection in my apache logs, which is not the case for you.

> Is there a way to set a limit on how long such connections remain open?

Good question; I would read up on iptables/connection tracking.

> Thanks for any help and links!
>
> Johannes
>
> NB: I'm running debian sarge (stable) on this mail and web server.

links: http://www.google.com

Regards,
--
Vittorio R Tracy <[EMAIL PROTECTED]>
Fastmetrics LLC.
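As an added example (not part of the thread), a small Python triage of /proc/net/ip_conntrack lines in the layout Johannes quoted: it reads the original-direction tuple to see which side created the entry, checks the UNREPLIED flag, and converts the remaining timeout into days. The addresses, the listening-port set and the extra sample lines are constructed, and the three-way classification is a defender's heuristic of my own, not anything the kernel reports.

```python
import re

# Constructed sample in the /proc/net/ip_conntrack layout quoted in the thread.
# Addresses are documentation-range placeholders, not the poster's real hosts;
# the third line is a constructed example of a locally initiated connection.
LOCAL_IPS = frozenset({"192.0.2.10"})
SERVICE_PORTS = frozenset({25, 80, 110, 143, 443})   # ports this box listens on
SAMPLE = """\
tcp 6 362459 ESTABLISHED src=192.0.2.10 dst=198.51.100.4 sport=80 dport=1575 [UNREPLIED] src=198.51.100.4 dst=192.0.2.10 sport=1575 dport=80 use=1
tcp 6 117 TIME_WAIT src=198.51.100.7 dst=192.0.2.10 sport=41022 dport=80 src=192.0.2.10 dst=198.51.100.7 sport=80 dport=41022 [ASSURED] use=1
tcp 6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.9 sport=46001 dport=6667 src=198.51.100.9 dst=192.0.2.10 sport=6667 dport=46001 [ASSURED] use=1
udp 17 29 src=192.0.2.10 dst=198.51.100.53 sport=33001 dport=53 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=33001 use=1
"""

def parse_conntrack_line(line):
    """Split one entry into protocol, seconds left before it expires, TCP state,
    the original-direction tuple (the packet that created the entry), the
    expected reply tuple and the bracketed flags such as UNREPLIED/ASSURED."""
    fields = line.split()
    proto, timeout = fields[0], int(fields[2])
    state = fields[3] if proto == "tcp" else None      # udp lines carry no state column
    kvs = re.findall(r"(\w+)=(\S+)", line)             # 4 orig keys, 4 reply keys, use=
    return {"proto": proto, "timeout": timeout, "state": state,
            "orig": dict(kvs[:4]), "reply": dict(kvs[4:8]),
            "flags": set(re.findall(r"\[(\w+)\]", line))}

def classify(entry, local_ips=LOCAL_IPS, service_ports=SERVICE_PORTS):
    """Heuristic triage of who opened the flow:
    inbound        remote host connected to one of our services (normal)
    service_stray  our listening port sent a packet that was never answered, so
                   the entry is a half-open leftover rather than a process dialling out
    local_client   a local process connected out from an ephemeral port; this is
                   the kind to chase with netstat -p / lsof -i"""
    orig = entry["orig"]
    unreplied = "UNREPLIED" in entry["flags"]
    if orig["src"] not in local_ips:
        kind = "inbound"
    elif int(orig["sport"]) in service_ports:
        kind = "service_stray" if unreplied else "service_origin"
    else:
        kind = "local_client"
    return {"kind": kind, "unreplied": unreplied,
            "peer": f'{orig["dst"]}:{orig["dport"]}',
            "expires_days": round(entry["timeout"] / 86400, 1)}

def triage(conntrack_text, local_ips=LOCAL_IPS):
    """Classify every non-empty line of a conntrack dump."""
    return [classify(parse_conntrack_line(l), local_ips)
            for l in conntrack_text.splitlines() if l.strip()]
```

Run `triage(open("/proc/net/ip_conntrack").read(), {your_ips})` on a sarge-era box; the 362459-second entry from the thread comes out as a half-open leftover from port 80 with roughly 4.2 days left to live, which is why it lingers for days and then vanishes.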