Posted May 17, 2012

I've been having some problems with my forum lately (slow loading times, server services failing (spamd specifically)), so I was going through this forum looking for ideas on how to troubleshoot this. I ran this command to see how many connections were being made on the server, and this is the result:

    root@srv1064 [~]# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn
         62 78.54.22.249
         56 200.89.57.245
         46 93.97.128.48
         24 83.32.191.42
         19 93.197.103.25
         15 66.249.72.207
         15 178.14.35.241
          9 92.138.217.185
          9 121.54.64.27
          7 86.46.146.228
          7 82.120.244.110
          3 80.236.49.9
          2 71.213.171.151
          2 68.3.220.246
          2 23.20.98.177
          2 127.0.0.1
          1 servers)
          1 Address
          1 98.165.203.135
          1 84.52.163.249
          1 70.100.50.106
          1 69.63.189.250
          1 69.171.234.4
          1 69.171.234.0
          1 68.146.14.52
          1 23.20.15.85
          1 213.64.151.130
          1 2.102.227.35
          1 195.113.192.130
          1 184.146.81.188
          1 176.249.103.196

Is it normal for so many connections to come from one IP? Any ideas or suggestions on what I could do to help solve my issues? Thank you!
May 18, 2012

Only you would know for certain if they have a legitimate reason for doing that, based on your site and content, but running the first few IPs through WHOIS shows that they resolve as follows:

78.54.22.249 - Germany
200.89.57.245 - Chile
93.97.128.48 - Great Britain
83.32.191.42 - Spain
93.197.103.25 - Germany again
178.14.35.241 - Germany again

Now 66.249.72.207 - that's Google, so yes, it should be "normal". If you don't want those visitors at all, it would be best to block them at the firewall or with an htaccess file.
May 18, 2012

62 connections is not necessarily abnormal. There are real people who might even reach much higher numbers given your website's contents.

A large number of connections can come from real and legitimate people. For example, if they have slow internet, their requests are handled over a longer period of time. But they will still request the same amount of stuff. So, they will appear to have a large number of connections. This is often seen and reported when dealing with people over a 2G connection... a slow cell phone connection that's keeping a lot of active connections, but too slow to cut them off in a timely manner. This causes a non-intentional slowloris attack at times.

There are also other reasons for a large connection count. One of them is public proxies. A large number of people can be connecting to your website through a single proxy. Then, everyone using it will appear to have that address. Usage of a proxy is not necessarily abnormal. For example, Singapore has a country-wide proxy. So, nearly the entire country's population is filtered through a handful of IPs when seen from outside.

To say whether the connection count is legitimate or not, you'll need to cross-reference it with other resources. For example, looking at the usage logs, you can see if they're requesting "normal" stuff, or showing odd behavior.
May 18, 2012

The number of connections can also vary widely based on your Apache keepalive settings... if you have a default of 5 then 1-30 is pretty much normal. However, some modern browsers have what's called "prefetch" on them, and there are also many add-ons that do this for some browsers that don't support it stock; this will create many more connections than normal.

If you see something over 100 or a few of them over 100, then I would start to worry and ban them... if they are legit members, you will hear about it. :smile:
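An added example, not part of any post in this thread: the pipeline in the first post counts the two `netstat` header lines (the `servers)` and `Address` rows in its output) and `cut -d: -f1` truncates IPv6 addresses. The sketch below skips the headers, strips only the trailing port, reports total and ESTABLISHED connections per address, and flags anything above a limit that defaults to the 100 mentioned above. The function name `conn_summary` and the sample data (documentation address ranges) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: per-address connection summary from `netstat -ntu` text.

# Constructed sample in `netstat -ntu` layout (documentation addresses only).
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         192.0.2.15:51234        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.15:51235        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.15:51236        TIME_WAIT
tcp        0      0 203.0.113.10:80         198.51.100.7:40100      ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::beef:40222    ESTABLISHED
udp        0      0 203.0.113.10:53         198.51.100.7:5353'

# conn_summary [LIMIT]
# Reads `netstat -ntu` text on stdin and prints one line per remote address:
#   "<total> <established> <address>[ OVER_LIMIT]"
# sorted by total, highest first. LIMIT defaults to 100.
conn_summary() {
  awk -v limit="${1:-100}" '
    $1 !~ /^(tcp|udp)/ { next }        # skip the two header lines
    {
      addr = $5
      sub(/:[0-9*]+$/, "", addr)        # drop only the trailing :port (IPv6-safe)
      total[addr]++
      if ($6 == "ESTABLISHED") est[addr]++
    }
    END {
      for (a in total)
        printf "%d %d %s%s\n", total[a], est[a] + 0, a,
               (total[a] > limit ? " OVER_LIMIT" : "")
    }' | sort -k1,1nr -k3,3
}

# Demo on the constructed sample with a low limit so one address is flagged.
printf '%s\n' "$SAMPLE" | conn_summary 2
```

On a live server the input would be `netstat -ntu | conn_summary`; a flagged address is a prompt to check the access logs, not proof of abuse.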
May 18, 2012

sign up to projecthoneypot.org and search the ips on their database http://www.projectho...g/search_ip.php to see if they are worthy of being blocked :smile:

i.e. 2nd ip is comment spam http://www.projectho...p_200.89.57.245

200.89.57.245: The Project Honey Pot system has detected behavior from the IP address consistent with that of a mail server. Below we've reported some other data associated with this IP. This interrelated data helps map spammers' networks and aids in law enforcement efforts. If you know something about this IP, please leave a comment.
May 18, 2012

> sign up to projecthoneypot.org and search the ips on their database http://www.projectho...g/search_ip.php to see if they are worthy of being blocked :smile: i.e. 2nd ip is comment spam http://www.projectho...p_200.89.57.245 ;)

So a list that checks honey pots (which has absolutely nothing to do with what this person's issue is, being honey pots = mail, not apache), so it could be a company with a dynamic IP on their internet connection running a single server with mail, proxy etc. Clearly this site knows what they are doing, especially since they don't even do list expiration, and with all of 6 messages? Ok, so one user was probably compromised for a few minutes..

Last Received From within 1 year, 10 months, 1 week

*eye roll*

If you want to check specifically for IPs that are known for battering up forums, use http://stopforumspam.com/ - there is even a hook/plug-in for IP Board in the marketplace as far as I know.
May 18, 2012

true, although an ip doesn't have to be reserved just for a mail server. i've seen lots of ips listed on projecthoneypot doing the forum spambot rounds myself
Archived
This topic is now archived and is closed to further replies.