0

I have installed ddos deflate on my server (CentOS 6.5 64-bit), and in the server mailbox I see that ddos deflate has blacklisted an empty IP.
When I run this command over SSH I see:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
...
3 2.186.85.154
3 5.134.135.148
3 5.239.236.176
3 5.250.23.249
3 78.39.67.226
3 95.80.153.13
4 87.248.150.152
9 199.201.121.153
22 95.80.176.162
762 127.0.0.1
4649

You can see that there are 4649 connections from an empty IP. What is the cause of this problem and how can I solve it?

Mehdi Azizi

3 Answers

5

You're picking up IPv6 network connections, which often have a number of colons in them. The cut command doesn't take this into account when snipping the colons out from the IP address.

It might be more suitable to use egrep instead of cut in that case, I guess.

Matthew Ife
1

My guess is that the problem lies with 'awk' and/or 'cut' commands. What I would do is run the following command:

netstat -ntu | awk '{print $5}' | egrep -v '127.0.0.1|95.80.176.162|199.201.121.153'

and look through its output. Since the command shows 4649 whitespaces, I presume you'll figure out what's wrong when you see the output. You will probably have to write a slightly more intelligent parser for netstat and incorporate it into "ddos deflate". If you have trouble, post the output here.

Jakov Sosic
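The parsing problem described in the two answers above, shown as an added example that is not code from either answer or from ddos deflate: `naive_count` is the question's pipeline, and `count_remote_ips` strips only the trailing port and folds IPv4-mapped IPv6 addresses back to IPv4. The function names and the sample `netstat` output (documentation address ranges) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 192.0.2.10:80               198.51.100.7:51514          ESTABLISHED
tcp        0      0 192.0.2.10:80               198.51.100.7:51515          TIME_WAIT
tcp        0      0 ::ffff:192.0.2.10:80        ::ffff:203.0.113.9:40100    ESTABLISHED
tcp        0      0 ::ffff:192.0.2.10:80        ::ffff:203.0.113.9:40101    ESTABLISHED
tcp        0      0 ::ffff:192.0.2.10:80        ::ffff:203.0.113.9:40102    ESTABLISHED
tcp        0      0 2001:db8::10:80             2001:db8::beef:44321        ESTABLISHED
udp        0      0 192.0.2.10:53               198.51.100.7:5353           ESTABLISHED
EOF
}

# The pipeline from the question: cut keeps the text before the FIRST colon,
# so "::ffff:203.0.113.9:40100" becomes an empty string, and the two header
# lines are counted as if they were addresses.
naive_count() {
    awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
}

# Reads netstat output on stdin, prints "count address" per remote host.
count_remote_ips() {
    awk '
        # Keep only connection rows (tcp, tcp6, udp, udp6); drop headers.
        $1 !~ /^(tcp|udp)/ { next }
        {
            addr = $5
            # The port is whatever follows the LAST colon; remove only that.
            sub(/:[^:]*$/, "", addr)
            # ::ffff:a.b.c.d is the same client as a.b.c.d.
            sub(/^::ffff:/, "", addr)
            # Never emit an empty address that a blocklist tool could act on.
            if (addr == "") addr = "(unparsed)"
            print addr
        }
    ' | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Demonstration on the constructed sample; use `netstat -ntu | count_remote_ips` on a host.
sample_netstat | count_remote_ips
```

Running `sample_netstat | naive_count` on the same input shows the empty entry with a count of 3, which is the symptom reported in the question.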
1

It's the problem with the awk and cut commands. You have to analyse the output of netstat first.

Follow this question.

Gaurav Pundir