
Over 60 connections from same IP



I've been having some problems with my forum lately (slow loading times, server services failing (spamd specifically)), so I was going through this forum looking for ideas on how to troubleshoot this. I ran this command to see how many connections were being made on the server, and this is the result:


root@srv1064 [~]# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn
     62 78.54.22.249
     56 200.89.57.245
     46 93.97.128.48
     24 83.32.191.42
     19 93.197.103.25
     15 66.249.72.207
     15 178.14.35.241
      9 92.138.217.185
      9 121.54.64.27
      7 86.46.146.228
      7 82.120.244.110
      3 80.236.49.9
      2 71.213.171.151
      2 68.3.220.246
      2 23.20.98.177
      2 127.0.0.1
      1 servers)
      1 Address
      1 98.165.203.135
      1 84.52.163.249
      1 70.100.50.106
      1 69.63.189.250
      1 69.171.234.4
      1 69.171.234.0
      1 68.146.14.52
      1 23.20.15.85
      1 213.64.151.130
      1 2.102.227.35
      1 195.113.192.130
      1 184.146.81.188
      1 176.249.103.196



Is it normal for so many connections to come from one IP? Any ideas or suggestions on what I could do to help solve my issues?

Thank you!


Only you would know for certain if they have a legitimate reason for doing that, based on your site and content, but running the first few IPs through WHOIS shows that they resolve as follows:

78.54.22.249 - Germany
200.89.57.245 - Chile
93.97.128.48 - Great Britain
83.32.191.42 - Spain
93.197.103.25 - Germany again
178.14.35.241 - Germany again

Now 66.249.72.207 - that's Google, so yes, it should be "normal".

If you don't want those visitors at all, it would be best to block them at the firewall or with an htaccess file.


62 connections is not necessarily abnormal. There are real people who might even reach much higher numbers given your website's contents.

A large number of connections can come from real and legitimate people. For example, if they have slow internet, their requests are handled over a longer period of time. But they will still request the same amount of stuff. So they will appear to have a large number of connections. This is often seen and reported when dealing with people on a 2G connection... a slow cell phone connection that's keeping a lot of connections active, but too slow to cut them off in a timely manner. This causes a non-intentional slowloris attack at times.

There are also other reasons for a large connection count. One of them is public proxies. A large number of people can be connecting to your website through a single proxy. Then everyone using it will appear to have that address. Usage of a proxy is not necessarily abnormal. For example, Singapore has a country-wide proxy. So nearly the entire country's population is filtered through a handful of IPs when seen from outside.

To say whether the connection count is legitimate or not, you'll need to cross-reference it with other resources. For example, looking at the usage logs, you can see if they're requesting "normal" stuff or showing odd behavior.

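An added example, not part of any post in this thread: the pipeline in the first post counts the two netstat header lines as addresses (the "servers)" and "Address" rows) and its `cut -d: -f1` returns an empty string for IPv6 and IPv4-mapped peers. The sketch below skips the headers, strips only the port, and splits each peer's count by TCP state, which helps separate a few slow clients holding connections open from a pile of already-closed ones. The function names `conn_summary` and `sample_netstat` are hypothetical, and the sample input is constructed from documentation address ranges.

```shell
#!/bin/sh
# Summarise `netstat -ntu` output per remote address, with a state breakdown.
# Live use: netstat -ntu | conn_summary
conn_summary() {
  awk '
    # Only real socket rows; this drops both netstat header lines.
    $1 ~ /^(tcp|udp)/ {
      addr = $5
      sub(/:[^:]*$/, "", addr)    # strip the trailing :port only
      sub(/^::ffff:/, "", addr)   # fold IPv4-mapped IPv6 into plain IPv4
      state = ($1 ~ /^tcp/) ? $6 : "-"   # UDP rows have no state column
      total[addr]++
      if (state == "ESTABLISHED")    est[addr]++
      else if (state == "TIME_WAIT") tw[addr]++
      else                           other[addr]++
    }
    END {
      for (a in total)
        printf "%d %s est=%d time_wait=%d other=%d\n",
               total[a], a, est[a], tw[a], other[a]
    }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample input (documentation addresses, not from the thread).
sample_netstat() {
  cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51240      TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.7:51241      TIME_WAIT
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.9:40000 ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::99:40100      SYN_RECV
udp        0      0 192.0.2.10:53           198.51.100.7:5353
EOF
}

sample_netstat | conn_summary
```

A peer whose count is mostly `time_wait` has already finished its requests; one with many `est` or `other` (for example SYN_RECV) rows is the one to cross-reference against the access logs.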

The number of connections can also vary widely based on your Apache keepalive settings... if you have a default of 5 then 1-30 is pretty much normal. However, some modern browsers have what's called "prefetch" on them, and there are also many add-ons that do this for some browsers that don't support it stock; this will create many more connections than normal. If you see something over 100 or a few of them over 100, then I would start to worry and ban them... if they are legit members, you will hear about it. :smile:


Sign up to projecthoneypot.org and search the IPs in their database http://www.projectho...g/search_ip.php to see if they are worthy of being blocked :smile:

i.e. the 2nd IP is comment spam http://www.projectho...p_200.89.57.245


200.89.57.245

The Project Honey Pot system has detected behavior from the IP address consistent with that of a mail server. Below we've reported some other data associated with this IP. This interrelated data helps map spammers' networks and aids in law enforcement efforts. If you know something about this IP, please leave a comment.






Sign up to projecthoneypot.org and search the IPs in their database http://www.projectho...g/search_ip.php to see if they are worthy of being blocked :smile:

i.e. the 2nd IP is comment spam http://www.projectho...p_200.89.57.245


;) So a list that checks honey pots (which has absolutely nothing to do with what this person's issue is, being honey pots = mail, not Apache), so it could be a company with a dynamic IP on their internet connection running a single server with mail, proxy, etc. Clearly this site knows what they are doing, especially since they don't even do list expiration, and with all of 6 messages? OK, so one user was probably compromised for a few minutes...


Last Received From within 1 year, 10 months, 1 week




*eye roll*

If you want to check specifically for IPs that are known for battering forums, use http://stopforumspam.com/. There is even a hook/plug-in for IP Board in the marketplace, as far as I know.
Share on other sites

Archived

This topic is now archived and is closed to further replies.
