Hello all - a couple of weeks ago Eric was kind enough to share with me netstat to determine what is happening with my server. I have noticed that a couple of times a day, one IP number will be trying to break in. Here is an example:
tcp 0 0 199.231.184.26:3306 119.10.1.206:1772 TIME_WAIT
tcp 0 0 199.231.184.26:3306 119.10.1.206:3611 TIME_WAIT
tcp 0 0 199.231.184.26:3306 119.10.1.206:3895 TIME_WAIT
tcp 0 0 199.231.184.26:3306 119.10.1.206:1925 TIME_WAIT
tcp 0 0 199.231.184.26:3306 119.10.1.206:4618 TIME_WAIT
tcp 0 0 199.231.184.26:3306 119.10.1.206:2429 TIME_WAIT
tcp 0 0 199.231.184.26:3306 119.10.1.206:4600 TIME_WAIT
tcp 0 0 199.231.184.26:3306 119.10.1.206:2133 TIME_WAIT
Is there a way, perhaps in csf, to stop an IP number from trying to access so many ports at any given time?
Thank you all for your ongoing help.
Hi,
I'm not sure about CSF (never used it) but I'm sure you can, sorry I can't be more helpful.
I do know, however, that the port in the 3rd (4th?) column is the port used by MySQL servers generally. Is it possible that IP corresponds with a remote host entry for a database?
-Dustin
Thanks Dustin - usually I see port 80, not port 3306.
For now, I have a PHP job running every two seconds calling netstat - and if I see more than 20 connections scanning all those ports, I issue a csf --tempdeny (--denytemp??) command.
But I am hoping for a better solution!
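
Added example, not part of any post in this thread: a Python sketch of the check described in the last post, counting netstat connections per remote host and local port and flagging any pair above 20. In the netstat lines quoted above the local port is always 3306 and the changing numbers are the remote host's source ports, so the count is keyed on the local port. The sample input is constructed with documentation-range addresses, the function names are hypothetical, and the 3600 second TTL is an assumed value.

```python
from collections import Counter

THRESHOLD = 20  # the post's limit: act on more than 20 connections from one IP

def build_sample():
    """Constructed `netstat -tn` style output (documentation-range addresses)."""
    lines = ["Active Internet connections (w/o servers)",
             "Proto Recv-Q Send-Q Local Address Foreign Address State",
             "tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN"]
    # 25 short-lived connections from one host to the local MySQL port
    lines += [f"tcp 0 0 192.0.2.10:3306 203.0.113.7:{1700 + i} TIME_WAIT"
              for i in range(25)]
    # ordinary web traffic that must stay below the threshold
    lines += [f"tcp 0 0 192.0.2.10:80 198.51.100.4:{50000 + i} ESTABLISHED"
              for i in range(3)]
    lines.append("tcp6 0 0 2001:db8::10:80 2001:db8::99:41000 ESTABLISHED")
    return "\n".join(lines)

def split_endpoint(addr):
    """Split 'host:port' on the last colon so IPv6 hosts survive."""
    host, _, port = addr.rpartition(":")
    return host, port

def count_connections(netstat_text):
    """Count connections per (remote host, local port), skipping listeners."""
    counts = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] == "LISTEN":
            continue  # header, non-TCP socket, or listening socket
        _, local_port = split_endpoint(f[3])
        remote_host, _ = split_endpoint(f[4])
        counts[(remote_host, local_port)] += 1
    return counts

def offenders(netstat_text, threshold=THRESHOLD):
    """Return (remote host, local port, count) for every pair over threshold."""
    totals = count_connections(netstat_text)
    return sorted((h, p, n) for (h, p), n in totals.items() if n > threshold)

def deny_command(host, ttl=3600):
    """argv for a temporary csf block; the 3600 s TTL is an assumed value."""
    return ["csf", "--tempdeny", host, str(ttl)]

if __name__ == "__main__":
    for host, port, n in offenders(build_sample()):
        print(f"{host}: {n} connections to local port {port}")
        print("would run:", " ".join(deny_command(host)))
```

The script only prints the csf command it would run. csf can also enforce per-IP limits itself through the CT_LIMIT and CONNLIMIT settings in csf.conf, which avoids polling netstat.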