
Re: Strange outbound connections



On Sat, 2006-02-04 at 13:22 +0100, Johannes Wiedersich wrote:
> I have a web- and mail server that shows strange outbound connections.
> 
> If I
> 
> llserv:~# cat /proc/net/ip_conntrack
> 
> I get lines like this (one line, wrapped by e-mail editor):
> 
> tcp      6 362459 ESTABLISHED src=my.server.s.ip dst=84.145.105.4 
> sport=80 dport=1575 [UNREPLIED] src=84.145.105.4 dst=my.server.s.ip 
> sport=1575 dport=80 use=1
> 
> This appears as an 'outbound connection on port 1575' on my firewall 
> gui. There are quite a few of those and they stay for days (probably 
> more than a week), until they 'magically' disappear again. The port 
> numbers are all large, say larger than 1024 and up to about 60000 and 
> all different.

Connection tracking is used to track 'established' connections, to allow
you to, for example, block outbound connections from your server unless
there was first an incoming connection on an allowed port.

You're running a webserver, so the connection you listed with a
destination port of 80 seems perfectly fine. The remote side of the
connection is using a higher port number; this is common I believe.
Usually ports under 1024 or whatever are restricted, requiring root
access (unix), and therefore are used for listening server services such
as www, ftp, etc. 

On my webserver I set up outbound connection blocking, for connections
that were not first established on my allowed inbound ports. This has
helped me prevent my servers from being used as DDOS zombies for script
kiddies. Several times, faulty customer CGIs were tricked into allowing
arbitrary commands to run, and so programs were being installed in /tmp
and used to establish new outbound connections (to call home, DOS or
whatever).

> netstat -a --numeric
> or netstat -plant
> 
> doesn't report anything on these connections.
> 
> lsof -i
> 
> doesn't either.
> 
> I've run chkrootkit on the filesystem from a Knoppix CD and it found 
> nothing.
> 
> I've run ethereal for hours and it found nothing.
> 
> If I
> llserv:~# grep "84.145.105.4" /var/log/apache2/access.log
> 
> I see some hits, but they are days old and all have a http status code 
> of 200 (OK), 304 (not modified) or 206 (partial content).
> 
>  From all this I would guess, that nothing is wrong; however, I am still 
> slightly worried, why my server would initiate an outgoing connection on 
> non-standard ports to 'strange' IPs (ie. ones without dns entries).
> 
> How could I make *sure* that everything is ok?

I think you did everything there is to do; some people on this list may
have additional suggestions, and I am sure a few might recommend
you read the Securing Debian Manual.

> How could I determine which process matches this connection?

What processes do you have listening on port 80? Unless you notice a
strange process listening there, not apache, or you are afraid your
server has been rooted (you can't trust anything then) I wouldn't worry
much about it. Also I would be concerned maybe if I could not find the
connection in my apache logs, which is not the case for you.

> Is there a way to set a limit on how long such connections remain open?

Good question, I would read up on iptables/connection tracking.

> 
> Thanks for any help and links!
> 
> Johannes
> 
> NB: I'm running debian sarge (stable) on this mail and web server.

links: http://www.google.com

Regards,
-- 
Vittorio R Tracy <vrt@fastmetrics.com>
Fastmetrics LLC.
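A small triage helper, added here as an example and not code from either poster, that parses ip_conntrack lines like the one quoted in the thread and separates entries created by a packet leaving a local service port from connections the server itself opened. The sample lines are constructed (only the 'my.server.s.ip' placeholder and 84.145.105.4 come from the post), and the local address and service ports are assumptions passed in by the caller.

```python
import re

# Constructed sample modelled on the entry quoted above; 'my.server.s.ip' is
# the placeholder the original post used, the other addresses are made up.
SAMPLE = """\
tcp      6 362459 ESTABLISHED src=my.server.s.ip dst=84.145.105.4 sport=80 dport=1575 [UNREPLIED] src=84.145.105.4 dst=my.server.s.ip sport=1575 dport=80 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=my.server.s.ip sport=40211 dport=80 src=my.server.s.ip dst=198.51.100.7 sport=80 dport=40211 [ASSURED] use=1
tcp      6 117 SYN_SENT src=my.server.s.ip dst=203.0.113.9 sport=51233 dport=6667 [UNREPLIED] src=203.0.113.9 dst=my.server.s.ip sport=6667 dport=51233 use=1
"""

HEAD = re.compile(r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+(?P<state>\S+)")
TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_conntrack(text):
    """One dict per line: the first src/dst/sport/dport group is the ORIGINAL
    direction (the packet that created the entry), the second the reply direction."""
    entries = []
    for line in text.splitlines():
        head = HEAD.match(line)
        tuples = TUPLE.findall(line)
        if not head or len(tuples) != 2:
            continue  # anything that does not carry two tuples is skipped here
        state = head["state"] if not head["state"].startswith("src=") else ""  # UDP has no state
        mk = lambda t: {"src": t[0], "dst": t[1], "sport": int(t[2]), "dport": int(t[3])}
        entries.append({"proto": head["proto"], "state": state,
                        "timeout": int(head["timeout"]),
                        "flags": re.findall(r"\[(\w+)\]", line),
                        "orig": mk(tuples[0]), "reply": mk(tuples[1])})
    return entries

def classify(entry, local_ip, service_ports):
    """A packet that left a local *service* port cannot be a connection the server
    opened (port 80 only answers clients); it is a late segment of a web session,
    typically one whose earlier conntrack entry had already timed out."""
    o = entry["orig"]
    if o["src"] == local_ip and o["sport"] in service_ports:
        return "service-side packet (check access.log for %s)" % o["dst"]
    if o["src"] == local_ip:
        return "server-initiated outbound to %s:%d" % (o["dst"], o["dport"])
    if o["dst"] == local_ip and o["dport"] in service_ports:
        return "inbound client from %s" % o["src"]
    return "other"

if __name__ == "__main__":
    for e in parse_conntrack(SAMPLE):
        print(e["state"], e["timeout"], e["flags"],
              classify(e, "my.server.s.ip", {25, 80}))
```

Only the third kind of entry, a high local source port in the original tuple, is something netstat or lsof on the server should be able to match to a process.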