Knowledgebase
netstat results show 3 ips in same location with several connections
Posted by clrockwell, 03-13-2008, 09:56 AM | Hello again
Please bear in mind I'm new to server administration/security/troubleshooting, so I have included a lot of info here hoping it will help.
This started because a Linux VPS with CentOS and Exim crashed after only 3000 emails were sent (of 30000) total
I ran a netstat and several times I get three separate ips with the only difference being the last two digits and the port number:
86.104.230.29:59009
86.104.117.45:18065
89.37.137.157:41593
As far as I can tell they are from Romania, and there are several connections.
I have posted a lot of information below, if someone can take a look and give some ideas, it would be very much appreciated.
Thanks very much for any time you take on looking at this.
netstat:
ps -auxf
top:
vmstat 5 5
|
Posted by applicurearun, 03-13-2008, 11:25 AM | What about the apache logs? Look like DDOS and SYN_Recv Attacks. have you tried an apache restart or stop when your server load is high? Also you can block those IPs on the server.
|
Posted by clrockwell, 03-13-2008, 12:30 PM | Thanks applicurearun,
I looked into iptables and set them up for these ip blocks, and I did restart the VPS as soon as I got in this morning, I never knew it went down last night.
I have posted the apache logs from 3-13, I hope this gives some insight, it just seems like a whole lot of memory issues
Sar does not seem to be logging anymore, the last date it logged was 09, and that is not complete.
I need to get this fixed once and for all, and the frustration is building. I had sent an email to rack911, but never got a response. If anyone (with a good rep of course) would like to take a look, please pm with your cost.
Of course, I'm still hacking away at this myself and am taking advice.
Thanks again applicurearun
|
Posted by applicurearun, 03-14-2008, 12:26 PM | swap memory can do the click ;P allow more swap in your server.
|
|
Add to Favourites
Print this Article |
Also Read