  #3  
Old 17th November 2010, 08:54
mesoto

Good morning,

This is my firewall configuration. I have tried several times to block different IPs, but after every block, within 20-30 seconds, I receive a new connection. After that I tried to block only the port, and again after 20-50 seconds I receive a new connection on another port from a different IP. I don't have a working application on this port, but I still receive "SYN_SENT or ESTABLISHED 6096/crond".

How can I investigate this?
I have configured fail2ban, but there is nothing in the log.

At this moment the status of the connection is:

Code:
tcp        0      1 hosting.xxxxx.or:38785 xowii.com:5823          SYN_SENT    6096/crond
iptables.rules
Code:
# Rule order matters: iptables stops at the first rule that matches, so the
# block list has to come before the ACCEPT rules. In the order originally posted
# (block list after the ACCEPTs) a listed source could still reach every open
# port, and the RELATED,ESTABLISHED rule kept its already-open connections alive.
### BLOCK SUSPICIOUS IP LIST ###
-A INPUT -s 212.39.83.0/24 -j DROP
-A INPUT -s 205.186.0.0/16 -j DROP
-A OUTPUT -d 205.186.0.0/16 -j DROP
-A INPUT -s 64.13.252.0/24 -j DROP
-A OUTPUT -d 64.13.252.0/24 -j DROP
### END OF SUSPICIOUS IP LIST ###

-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
# FTP control and data connections are TCP only; this UDP rule never matches FTP traffic.
-A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 953 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8989 -j ACCEPT
# Note: netstat below shows sshd listening on 2929, which has no ACCEPT here and
# therefore falls through to the final DROP for new connections.

-A INPUT -j DROP

This is netstat -tap

Code:
root@hosting:~# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost.localdo:10024 *:*                     LISTEN      5168/amavisd (maste
tcp        0      0 localhost.localdo:10025 *:*                     LISTEN      5808/master
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN      26407/mysqld
tcp        0      0 localhost.localdo:11211 *:*                     LISTEN      12421/memcached
tcp        0      0 localhost.localdo:spamd *:*                     LISTEN      5315/spamd.pid
tcp        0      0 *:ftp                   *:*                     LISTEN      25251/pure-ftpd (SE
tcp        0      0 192.168.1.1:domain      *:*                     LISTEN      5111/named
tcp        0      0 hosting.xxxxxx.o:domain *:*                     LISTEN      5111/named
tcp        0      0 localhost.locald:domain *:*                     LISTEN      5111/named
tcp        0      0 *:smtp                  *:*                     LISTEN      5808/master
tcp        0      0 localhost.localdoma:953 *:*                     LISTEN      5111/named
tcp        0      0 localhost.localdo:mysql localhost.localdo:55938 TIME_WAIT   -
tcp        0      0 localhost.localdo:55936 localhost.localdo:mysql TIME_WAIT   -
tcp        0      1 hosting.xxxxxx.or:38785 xowii.com:5823          SYN_SENT    6096/crond
tcp        0      0 localhost.localdo:55930 localhost.localdo:mysql TIME_WAIT   -
tcp        0      0 localhost.localdo:55933 localhost.localdo:mysql TIME_WAIT   -
tcp        0      0 localhost.localdo:mysql localhost.localdo:46055 ESTABLISHED 26407/mysqld
tcp        0      0 hosting.xxxxx.org:smtp 221.234.9.46:4737       ESTABLISHED 27484/smtpd
tcp        0      0 localhost.localdo:46055 localhost.localdo:mysql ESTABLISHED 20291/amavisd (ch1-
tcp        0      0 localhost.localdo:55931 localhost.localdo:mysql TIME_WAIT   -
tcp        0      0 localhost.localdo:55929 localhost.localdo:mysql TIME_WAIT   -
tcp        0      0 localhost.localdo:55934 localhost.localdo:mysql TIME_WAIT   -
tcp        0      0 localhost.localdo:55935 localhost.localdo:mysql TIME_WAIT   -
tcp        0      0 localhost.localdo:55932 localhost.localdo:mysql TIME_WAIT   -
tcp        0      0 localhost.localdo:55937 localhost.localdo:mysql TIME_WAIT   -
tcp6       0      0 [::]:imaps              [::]:*                  LISTEN      5700/couriertcpd
tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN      5734/couriertcpd
tcp6       0      0 [::]:pop3               [::]:*                  LISTEN      5714/couriertcpd
tcp6       0      0 [::]:imap2              [::]:*                  LISTEN      5680/couriertcpd
tcp6       0      0 [::]:webcache           [::]:*                  LISTEN      789/apache2
tcp6       0      0 [::]:www                [::]:*                  LISTEN      789/apache2
tcp6       0      0 [::]:2929               [::]:*                  LISTEN      3021/sshd
tcp6       0      0 [::]:tproxy             [::]:*                  LISTEN      789/apache2
tcp6       0      0 [::]:ftp                [::]:*                  LISTEN      25251/pure-ftpd (SE
tcp6       0      0 [::]:domain             [::]:*                  LISTEN      5111/named
tcp6       0      0 ip6-localhost:953       [::]:*                  LISTEN      5111/named
tcp6       0      0 [::]:https              [::]:*                  LISTEN      789/apache2

Last edited by mesoto; 17th November 2010 at 11:21.
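An added example (not from the original poster) of how to investigate the `SYN_SENT 6096/crond` socket on the host itself. The "PID/Program name" column of `netstat -p` is taken from the process's own command line, which any program can set to `crond`; the kernel-maintained `/proc/PID/exe` link, working directory, parent PID and open file descriptors cannot be chosen by the process that way, so they are where the triage should start. fail2ban only reads the logs of inbound services, so an outbound SYN from a local process never appears there, and an OUTPUT rule per destination only makes the process try its next address. The script assumes Linux with `/proc` mounted and a legitimate cron daemon at `/usr/sbin/cron` or `/usr/sbin/crond` (both assumptions, not from the post); the PID, program name and destination are the ones shown in the post, and the sample netstat rows are copied from the output above.

```shell
#!/bin/sh
# Added example, not part of the original post: host-side triage for a socket
# that netstat attributes to a process calling itself "crond".
# Assumptions (not from the post): Linux with /proc mounted; the legitimate cron
# daemon is /usr/sbin/cron (Debian/Ubuntu) or /usr/sbin/crond (RHEL family).

# Keep only the SYN_SENT rows of `netstat -tap` output. SYN_SENT means this host
# sent the SYN, so these rows are unambiguously outbound attempts, unlike
# ESTABLISHED rows, which may be inbound clients (e.g. the smtpd session).
# Output: one "PID PROGRAM FOREIGN_ADDRESS" line per row.
syn_sent_rows() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_SENT" {
            split($7, prog, "/")           # "6096/crond" -> 6096, crond
            print prog[1], prog[2], $5
         }'
}

# Classify a process by its resolved binary path rather than its displayed name.
#   ok         - a known cron binary (assumed locations, see header)
#   deleted    - binary was removed from disk while still running
#   suspicious - anything else, e.g. /tmp, /dev/shm, /var/tmp, a home directory
classify_cron_exe() {
    case "$1" in
        *' (deleted)')                  echo deleted ;;
        /usr/sbin/cron|/usr/sbin/crond) echo ok ;;
        *)                              echo suspicious ;;
    esac
}

# Collect what netstat cannot show for one PID. Run as root on the affected host.
proc_triage() {
    pid="$1"
    if [ ! -d "/proc/$pid" ]; then
        echo "pid $pid not found (it may have exited or restarted under a new pid)"
        return 1
    fi
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo unknown)
    printf 'pid:      %s\n' "$pid"
    printf 'exe:      %s  [%s]\n' "$exe" "$(classify_cron_exe "$exe")"
    printf 'cmdline:  %s\n' "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
    printf 'cwd:      %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null)"
    printf 'ppid:     %s\n' "$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")"
    printf 'uid:      %s\n' "$(awk '/^Uid:/  {print $2}' "/proc/$pid/status")"
    # Open descriptors: a cron daemon has no reason to hold a network socket.
    printf 'fds:\n'
    for fd in "/proc/$pid"/fd/*; do
        printf '  %s -> %s\n' "${fd##*/}" "$(readlink "$fd" 2>/dev/null)"
    done
    # Where a replacement would be scheduled from if the process is killed.
    printf 'crontabs:\n'
    ls -la /etc/cron.d /var/spool/cron /var/spool/cron/crontabs 2>/dev/null | sed 's/^/  /'
}

# Sample rows copied from the netstat -tap output in the post (constructed input
# for the demonstration; a live run would pipe `netstat -tap` in instead).
SAMPLE='tcp        0      0 hosting.xxxxx.org:smtp 221.234.9.46:4737       ESTABLISHED 27484/smtpd
tcp        0      1 hosting.xxxxxx.or:38785 xowii.com:5823          SYN_SENT    6096/crond
tcp        0      0 localhost.localdo:46055 localhost.localdo:mysql ESTABLISHED 20291/amavisd (ch1-'

# Only the crond row is reported; on the live host follow it with: proc_triage 6096
printf '%s\n' "$SAMPLE" | syn_sent_rows
```

If `exe` resolves to something other than the cron binary, or carries a `(deleted)` suffix, the process is not cron whatever netstat calls it, and the `crontabs` listing (together with `/etc/rc*.d` and the user's `~/.bashrc`-style startup files) is where to look for what keeps restarting it with a new PID after each block.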