I use nginx as a proxy server for apache2 and I have a problem with the netstat output:

$ netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

  5 109.195.36.169
  6 109.195.33.205
  8 194.190.59.4
 14 83.246.143.75
 19 109.195.33.201
725 127.0.0.1

Part of the output of netstat -nt:

tcp        0      0 127.0.0.1:59703         127.0.0.1:8080          TIME_WAIT
tcp        0      0 127.0.0.1:11211         127.0.0.1:45684         ESTABLISHED
tcp        0      0 127.0.0.1:45848         127.0.0.1:11211         ESTABLISHED
tcp        1      0 127.0.0.1:8080          127.0.0.1:59867         CLOSE_WAIT

How do I remove these localhost connections? Or is this normal behavior? I suspect that my site is under a DDoS attack.

masegaloeh
Sundved

1 Answer

No, actually. At least, the partial output of your netstat -nt is normal:

tcp        0      0 127.0.0.1:59703         127.0.0.1:8080          TIME_WAIT
tcp        1      0 127.0.0.1:8080          127.0.0.1:59867         CLOSE_WAIT

This connection was probably made by nginx to apache, as you run a reverse proxy on it.

tcp        0      0 127.0.0.1:11211         127.0.0.1:45684         ESTABLISHED
tcp        0      0 127.0.0.1:45848         127.0.0.1:11211         ESTABLISHED

Port 11211 is the regular port of the memcache daemon. So this connection was probably made by your web application to the memcache server.

Also, given the simple fact that an attacker can't reach the loopback address (127.0.0.1) from the outside (actually, an attacker can spoof it, but he won't get the reply), it is safe to bet that your server was 'fine'.

If there are many connections like the above (ports 8080 and 11211), then it may be an indicator of many requests to your nginx server. This will have the following effect:

  • nginx will make a connection to apache.
  • apache will execute your web code and thus make a connection to the memcache server if necessary.
masegaloeh
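
Added example, not part of the original question or answer: a shell function that splits `netstat -nt` output into loopback sockets (grouped by service port and TCP state) and remote peers (grouped by address), so proxy and memcache traffic is not merged into a single 127.0.0.1 count. The function names, the lower-port-is-the-service heuristic and the remote sample rows are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: summarize `netstat -nt` output so loopback traffic is not
# lumped into one "127.0.0.1" counter.
# Assumption: on a loopback pair the lower port is the service port (8080,
# 11211) and the higher one is the client's ephemeral port.
# Counts are sockets: a loopback connection can be listed once per endpoint.

summarize_conns() {
    awk '
    function host(a)       { sub(/:[0-9]+$/, "", a); return a }
    function port(a, p, n) { n = split(a, p, ":"); return p[n] + 0 }
    function is_loop(h)    { return (h ~ /^127\./ || h == "::1") }

    # Only connection rows: $4 = local addr:port, $5 = foreign, $6 = state.
    $1 ~ /^tcp/ && NF >= 6 {
        if (is_loop(host($4)) && is_loop(host($5))) {
            lp = port($4); fp = port($5)
            svc = (lp < fp) ? lp : fp
            loc[svc " " $6]++
        } else {
            rem[host($5)]++
        }
    }
    END {
        for (k in loc) print "local", k, loc[k]
        for (k in rem) print "remote", k, rem[k]
    }' | LC_ALL=C sort
}

# Sample input: the four loopback rows quoted on the page plus constructed
# rows using documentation addresses (192.0.2.10, 198.51.100.7, 203.0.113.5).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:59703         127.0.0.1:8080          TIME_WAIT
tcp        0      0 127.0.0.1:11211         127.0.0.1:45684         ESTABLISHED
tcp        0      0 127.0.0.1:45848         127.0.0.1:11211         ESTABLISHED
tcp        1      0 127.0.0.1:8080          127.0.0.1:59867         CLOSE_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51001       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40000      TIME_WAIT
EOF
}

sample_netstat | summarize_conns
```

On a live host the same function reads `netstat -nt | summarize_conns`; the remote lines are the ones to watch when judging whether a single outside address holds an unusual number of connections.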