• The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

http loads op childs with SYN_SEND

R

rembrandt

Guest
I have a little problem on one redhad server with PSA 7.5, apache opens loads of child processes, to muc, because with 5 to 6 minutes apache cant´t be reached. Only solution: restart apache, then it all starts over again.

Here´s a small portion of a netstat output:
Code: 
tcp  0 1 plesk.server:51034   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:51029   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:51028   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:51031   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:51030   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:51025   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:51024   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:51027   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:51026   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:51005   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:51004   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:51007   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:51006   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:51001   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:51000   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:51003   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:51002   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:50997   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:50996   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:50999   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:50998   ip.ad.rr.ess:http    SYN_SENT
tcp  0 1 plesk.server:50995   ip.ad.rr.ess:http    SYN_SENT
The odd thing is, the connections are -all- to the same IPadress (which even can´t be reached over port 80).

Can anyone tell me what the heck is going wrong and preferably hand me a solution?
 
Probably a syn flood attack, try blocking the IP address in the firewall.

The IP can't be reached by port 80, probably since it's not another webserver, may be a zombied or infected PC.

If you have not done so, I would recommend installing (at least the following):

bw_mod
mod_security
APF/BFD

and possibly customizing the Apache RLimit settings.

Also in your firewall script (IPTABLES?) you can rate limit:
Examples:
-A FORWARD -i eth+ -p tcp --syn -m limit --limit 30/m -j ACCEPT
-A FORWARD -p tcp --syn -m limit --limit 30/m -j ACCEPT
-A FORWARD -p tcp -m tcp -m limit -i eth+ --tcp-flags SYN,RST,ACK SYN --limit 30/min -j ACCEPT
-A FORWARD -p tcp -m tcp -m limit --tcp-flags SYN,RST,ACK SYN --limit 30/min -j ACCEPT
 
Thx 4 the reply shadow, however i´ve blocked the IPadrress already (hell even the whole range) still nothing...
 
Strange, if an IP or range of IPs is blocked in the firewall, and firewall restarted, then those IPs should not be able to connect to your server.

What exactly did you specify in the firewall to block the IPs??

Should be something like:
-A INPUT -s ip.add.re.ss/32 -i eth+ -j DROP
(single IP)

-A INPUT -s ip.add.re.ss/24 -i eth+ -j DROP
(range of IPs, or /16 or /8)

Since it does not specify any given ports, it blocks them from all ports on the server.
 
I just put (first) the IPaddress in the "iptables-blocked-hosts" file and later the whole range, restarted iptables, but ... no go.. weird
 
That is very weird. I edited my earlier post, you could still install mod_security and bw_mod, and I suppose mod_dosevasive, and do the RLimit directives for Apache.
 
I know you have probably already run RKHunter and CHKrootkit, right?

And have you verified that the IP or range is not already listed (for whatever reason) in the allowed-hosts file? What IPTables control script are you using??
 
try add -p to netstat to see what is sending the SYN's

the reason your iptables rules aren't blocking it is because you're doing source: ip.addr.ess but the SYN's are coming FROM your machine going TO ip.addr.ress
 
Originally posted by mian
the reason your iptables rules aren't blocking it is because you're doing source: ip.addr.ess but the SYN's are coming FROM your machine going TO ip.addr.ress
Click to expand...
The reason the machine is sending, is/was because it received a lot of requests. "SYN_SENT" means that the server is trying to establish a connection.

My solution for this incident: rebuild my conf files for iptables, they probably got screwed up editing, put the IPrange in the "blocked hosts", restarted iptables and: all was quiet again.

Thx for all answers.
 
your machine was sending SYN packets to port 80 (http) of ip.addr.ess. this means your machine was trying to connect to someone elses webserver. they were not trying to connect to yours because they wouldn't use port 80 as a source socket.
 
You must log in or register to reply here.
Back
Top