server attacks and netstat

Fri, 11/28/2014 - 11:10
edwardsmarkf


Hello all - a couple of weeks ago Eric was kind enough to share netstat with me to determine what is happening with my server. I have noticed that a couple of times a day, one IP number will be trying to break in. Here is an example:

 tcp        0      0 199.231.184.26:3306        119.10.1.206:1772          TIME_WAIT
 tcp        0      0 199.231.184.26:3306        119.10.1.206:3611          TIME_WAIT
 tcp        0      0 199.231.184.26:3306        119.10.1.206:3895          TIME_WAIT
 tcp        0      0 199.231.184.26:3306        119.10.1.206:1925          TIME_WAIT
 tcp        0      0 199.231.184.26:3306        119.10.1.206:4618          TIME_WAIT
 tcp        0      0 199.231.184.26:3306        119.10.1.206:2429          TIME_WAIT
 tcp        0      0 199.231.184.26:3306        119.10.1.206:4600          TIME_WAIT
 tcp        0      0 199.231.184.26:3306        119.10.1.206:2133          TIME_WAIT

Is there a way, perhaps in CSF, to stop an IP number from trying to access so many ports at any given time?

Thank you all for your ongoing help.

Sun, 11/30/2014 - 15:18
ReArmedHalo

Hi,

I'm not sure about CSF (never used it), but I'm sure you can; sorry I can't be more helpful.

I do know, however, that the port in the 3rd (4th?) column is the port used by MySQL servers generally. Is it possible that IP corresponds with a remote host entry for a database?

-Dustin

Mon, 12/01/2014 - 09:55
edwardsmarkf

Thanks Dustin - usually I see port 80, not port 3306.

For now, I have a PHP job running every two seconds calling netstat, and if I see more than 20 connections scanning all those ports, I issue a csf --tempdeny (--denytemp??) command.

But I am hoping for a better solution!
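A detection pass like the one described in the first and last posts, written here as an added shell example (not the poster's PHP job and not anything shipped with CSF): it counts sockets per remote IP to one local port from netstat output, since the changing numbers in the paste are the remote side's source ports and every line targets local 3306, and it only builds the deny command rather than running it. Assumed: `netstat -ant` as the data source, and csf's `-td`/`--tempdeny ip ttl -p port` syntax, which you should confirm with `csf --help` before setting APPLY=1.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (same column layout as the thread's paste;
# 203.0.113.7 and 198.51.100.5 are made-up addresses added for contrast).
SAMPLE_NETSTAT='tcp        0      0 199.231.184.26:3306        119.10.1.206:1772          TIME_WAIT
tcp        0      0 199.231.184.26:3306        119.10.1.206:3611          TIME_WAIT
tcp        0      0 199.231.184.26:3306        119.10.1.206:3895          TIME_WAIT
tcp        0      0 199.231.184.26:3306        119.10.1.206:1925          TIME_WAIT
tcp        0      0 199.231.184.26:3306        119.10.1.206:4618          TIME_WAIT
tcp        0      0 199.231.184.26:3306        203.0.113.7:50214          ESTABLISHED
tcp        0      0 199.231.184.26:80          198.51.100.5:41002         TIME_WAIT'

# suspicious_ips PORT THRESHOLD: read netstat-style lines on stdin and print
# "ip count" for every remote IP holding more than THRESHOLD sockets to local PORT.
suspicious_ips() {
    awk -v port="$1" -v max="$2" '
        $1 == "tcp" || $1 == "tcp6" {
            # Column 4 is local addr:port, column 5 is remote addr:port.
            n = split($4, l, ":")
            if (l[n] != port) next
            m = split($5, r, ":")
            ip = substr($5, 1, length($5) - length(r[m]) - 1)  # drop ":port"
            count[ip]++
        }
        END { for (ip in count) if (count[ip] > max) print ip, count[ip] }
    ' | sort
}

# deny_cmd IP PORT TTL: build the csf temporary-deny command for one offender.
# Assumed syntax: csf -td (short for --tempdeny) ip ttl [-p port]; confirm with csf --help.
deny_cmd() {
    echo "csf -td $1 $3 -p $2"
}

# One polling pass over the live socket table (what the thread's PHP job does every
# two seconds). Prints the commands; set APPLY=1 to actually run them.
check_once() {
    netstat -ant | suspicious_ips "${PORT:-3306}" "${THRESHOLD:-20}" |
    while read -r ip n; do
        cmd=$(deny_cmd "$ip" "${PORT:-3306}" 3600)
        echo "$ip has $n sockets to port ${PORT:-3306}: $cmd"
        if [ "${APPLY:-0}" = 1 ]; then $cmd; fi
    done
}
```

Against the sample, `printf '%s\n' "$SAMPLE_NETSTAT" | suspicious_ips 3306 3` reports only `119.10.1.206 5`; the single ESTABLISHED client and the port-80 line are ignored.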
