Re: [CentOS] repeated local ephemeral to 80
well, first question: why don't you allow local access to port 80? There is no reason for that. This is httpd itself. Switch on the status page and then look for yourself. It's a well-known phenomenon since Apache 2.0 or 2.2. Kai ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] repeated local ephemeral to 80
On my CentOS box that I use mainly as a web server, I have iptables set to log and reject anything that I don't expect. So lately, I have getting things like this: Mar 29 17:27:20 mbrc20 kernel: IPT-DROP IN= OUT=lo SRC=192.168.9.20 DST=192.168.9.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46910 DF PROTO=TCP SPT=56624 DPT=80 WINDOW=32792 RES=0x00 SYN URGP=0 OPT (0204400C0402080A4A26F7A501030307) UID=0 that on at least one occasion repeated for every few seconds for more than three hours. The ephemeral source port keeps changing in an irregular manner. Any suggestions? Thanks, Mike ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] repeated local ephemeral to 80
Michael D. Berger wrote: On my CentOS box that I use mainly as a web server, I have iptables set to log and reject anything that I don't expect. So lately, I have getting things like this: Mar 29 17:27:20 mbrc20 kernel: IPT-DROP IN= OUT=lo SRC=192.168.9.20 DST=192.168.9.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46910 DF PROTO=TCP SPT=56624 DPT=80 WINDOW=32792 RES=0x00 SYN URGP=0 OPT (0204400C0402080A4A26F7A501030307) UID=0 that on at least one occasion repeated for every few seconds for more than three hours. The ephemeral source port keeps changing in an irregular manner. snip Not great on this, but *if* I understand it, it's saying that the IP address of your server is 192.168.9.20, and it's talking to itself, at destination port 80 - apache, that would be. mark ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] repeated local ephemeral to 80
On Fri, 01 Apr 2011 11:32:16 -0400, m.roth-x6lchVBUigD1P9xLtpHBDw wrote: Michael D. Berger wrote: [...] snip Not great on this, but *if* I understand it, it's saying that the IP address of your server is 192.168.9.20, and it's talking to itself, at destination port 80 - apache, that would be. mark Yes, that is true, but the question is who is doing the talking?. Another block of them just ended. It lasted just under an hour. Mike. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] repeated local ephemeral to 80
Michael D. Berger wrote: On Fri, 01 Apr 2011 11:32:16 -0400, m.roth-x6lchVBUigD1P9xLtpHBDw wrote: Michael D. Berger wrote: [...] snip Not great on this, but *if* I understand it, it's saying that the IP address of your server is 192.168.9.20, and it's talking to itself, at destination port 80 - apache, that would be. mark Yes, that is true, but the question is who is doing the talking?. Another block of them just ended. It lasted just under an hour. you might be able to see the process with netstat when it's happening. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] repeated local ephemeral to 80
On Fri, 01 Apr 2011 17:55:37 +0200, Nicolas Thierry-Mieg wrote: [...] you might be able to see the process with netstat when it's happening. I tried that; so far without success. Mike. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] repeated local ephemeral to 80
Michael D. Berger wrote: On Fri, 01 Apr 2011 17:55:37 +0200, Nicolas Thierry-Mieg wrote: [...] you might be able to see the process with netstat when it's happening. I tried that; so far without success. Mike. Hmmm, maybe lsof. mark ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] repeated local ephemeral to 80
On 1.4.2011 17:20, Michael D. Berger wrote: On my CentOS box that I use mainly as a web server, I have iptables set to log and reject anything that I don't expect. So lately, I have getting things like this: Mar 29 17:27:20 mbrc20 kernel: IPT-DROP IN= OUT=lo SRC=192.168.9.20 DST=192.168.9.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46910 DF PROTO=TCP SPT=56624 DPT=80 WINDOW=32792 RES=0x00 SYN URGP=0 OPT (0204400C0402080A4A26F7A501030307) UID=0 that on at least one occasion repeated for every few seconds for more than three hours. The ephemeral source port keeps changing in an irregular manner. Any suggestions? Too restrictive OUT=lo This is the loopback device! Add a rule that allows traffic from and to lo -- Kind Regards, Markus Falb signature.asc Description: OpenPGP digital signature ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] repeated local ephemeral to 80
On Fri, 01 Apr 2011 22:10:58 +0200, Markus Falb wrote: [...] Mar 29 17:27:20 mbrc20 kernel: IPT-DROP IN= OUT=lo SRC=192.168.9.20 DST=192.168.9.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46910 DF PROTO=TCP SPT=56624 DPT=80 WINDOW=32792 RES=0x00 SYN URGP=0 OPT (0204400C0402080A4A26F7A501030307) UID=0 [...] Too restrictive OUT=lo This is the loopback device! Add a rule that allows traffic from and to lo What sort of thing might be using it? It only shows up every day or two. Mike. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos