Topic: server status output
WizardOfZo
Joined: 03 Jan 2007 Posts: 7
Posted: Wed 03 Jan '07 20:46 Post subject: server status output
I am just starting up a LAMP server under Debian Etch and I notice in the Apache server-status output I am getting excessive lines like these:
Code:
17-0 - 0/0/383 . 0.00 5370 0 0.0 0.00 1.85 ::1 mywebsite.com GET / HTTP/1.0
18-0 - 0/0/410 . 0.00 5368 0 0.0 0.00 2.12 ::1 mywebsite.com GET / HTTP/1.0
19-0 - 0/0/30 . 0.00 59893 0 0.0 0.00 0.07 ::1 mywebsite.com GET / HTTP/1.0
...
71-0 - 0/0/1 . 0.00 93639 0 0.0 0.00 0.01 ::1 mywebsite.com GET / HTTP/1.0
72-0 - 0/0/1 . 0.00 93636 0 0.0 0.00 0.01 ::1 mywebsite.com GET / HTTP/1.0
I am using prefork with the default settings in the config file.
What would cause all these to stay open, and how can I fix it?
Thanks
Back to top

tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
Posted: Thu 04 Jan '07 2:59 Post subject:
I think you might be misunderstanding the extended server-status output.
This looks like Apache 1.3.34, which is the version currently used in the Debian Etch 'Testing' distribution.
If so, near the top of the status output there should be a line like this:
Quote: 1 requests currently being processed, 9 idle servers
which shows how many Apache processes are still running, either handling requests or waiting for them.
The scoreboard list in the lower part of the status shows recent requests, not just current requests.
The entries in this section without a PID are requests which were recently handled by Apache processes which have since exited.
Not all the entries in this list represent currently open connections. Only the entries with an uppercase letter in the 'M'ode column represent current network connections.
-tom-
Back to top
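To make the reading of the scoreboard in the reply above concrete, here is an added Python example; it is not from the thread and not Apache code. It parses extended server-status rows in the column order Apache 2.2 prefork prints them (Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request) and separates live connections (an uppercase letter in the M column) from idle processes ('_') and open slots with no process at all ('.', PID shown as '-'). The mode-letter meanings are the ones from the legend Apache prints under the scoreboard; the sample rows are constructed to resemble the ones posted (the '::1' rows are copied from the post, the others are made up).

```python
"""Count what an extended Apache server-status scoreboard actually says."""
from collections import Counter

# Meaning of the 'M' (mode) column, from the legend under the scoreboard.
MODE_NAMES = {
    "_": "waiting for connection",
    "S": "starting up",
    "R": "reading request",
    "W": "sending reply",
    "K": "keepalive (read)",
    "D": "DNS lookup",
    "C": "closing connection",
    "L": "logging",
    "G": "gracefully finishing",
    "I": "idle cleanup of worker",
    ".": "open slot with no current process",
}

# Constructed sample: three rows invented for this example, three from the post.
SAMPLE_SCOREBOARD = """\
0-0 4211 0/12/12 W 0.05 0 0 0.0 0.10 0.10 203.0.113.7 mywebsite.com GET /plm/index.php?a=ltp HTTP/1.1
1-0 4212 0/9/9 _ 0.03 3 0 0.0 0.08 0.08 198.51.100.9 mywebsite.com GET /style.css HTTP/1.1
2-0 4213 1/7/7 K 0.02 1 0 0.3 0.05 0.05 198.51.100.9 mywebsite.com GET /logo.png HTTP/1.1
17-0 - 0/0/383 . 0.00 5370 0 0.0 0.00 1.85 ::1 mywebsite.com GET / HTTP/1.0
18-0 - 0/0/410 . 0.00 5368 0 0.0 0.00 2.12 ::1 mywebsite.com GET / HTTP/1.0
71-0 - 0/0/1 . 0.00 93639 0 0.0 0.00 0.01 ::1 mywebsite.com GET / HTTP/1.0
"""


def parse_scoreboard(text):
    """Parse scoreboard rows into dicts.

    Columns: Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request.
    The Request column contains spaces, so split at most 12 times.
    Acc is 'accesses this connection / this child / this slot'.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 12)
        if len(parts) != 13:
            continue  # header, legend or blank line, not a scoreboard row
        (srv, pid, acc, mode, cpu, ss, req, conn, child, slot,
         client, vhost, request) = parts
        acc_conn, acc_child, acc_slot = (int(x) for x in acc.split("/"))
        rows.append({
            "slot": srv,
            "pid": None if pid == "-" else int(pid),   # '-' means no process
            "mode": mode,
            "mode_name": MODE_NAMES.get(mode, "unknown"),
            "cpu_seconds": float(cpu),
            "seconds_since_last_request": int(ss),
            "acc_conn": acc_conn, "acc_child": acc_child, "acc_slot": acc_slot,
            "client": client, "vhost": vhost, "request": request,
        })
    return rows


def summarize(rows):
    """Split rows into live connections, idle processes and dead slots."""
    by_mode = Counter(r["mode"] for r in rows)
    # An uppercase mode letter is a process doing something with a connection;
    # '_' is a running process with no connection; '.' is a slot with no process,
    # whose Client/Request columns only show what that slot handled last.
    live = [r for r in rows if r["mode"].isalpha() and r["mode"].isupper()]
    idle = [r for r in rows if r["mode"] == "_"]
    dead_slots = [r for r in rows if r["pid"] is None]
    return {"by_mode": by_mode, "live": live, "idle": idle, "dead_slots": dead_slots}


if __name__ == "__main__":
    s = summarize(parse_scoreboard(SAMPLE_SCOREBOARD))
    print(f"{len(s['live'])} requests currently being processed, "
          f"{len(s['idle'])} idle workers, {len(s['dead_slots'])} empty slots")
    for r in s["live"]:
        print(f"  slot {r['slot']} pid {r['pid']} {r['mode_name']}: {r['client']} {r['request']}")
```

Run against the posted rows alone, every entry lands in `dead_slots`: no PID, mode '.', and a large SS column, which is simply how long ago that slot last served anything.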

WizardOfZo
Posted: Thu 04 Jan '07 3:16 Post subject:
Apache 2 is in Etch, and it is great; I used it under FreeBSD for a few years. This is my first try at using server-status. I won't worry about all the lines.
I was concerned because I think I may have some form of intrusion that is trying to send data packets with a length of 427 and 576 out from the server on oddball TCP ports like 49922, 49923 and 50407. I have outbound ports blocked (except for 80).
Code:
Server Version: Apache/2.2.3 (Debian) PHP/5.2.0-8
Server Built: Dec 11 2006 21:55:25
Current Time: Wednesday, 03-Jan-2007 20:06:59 EST
Restart Time: Tuesday, 02-Jan-2007 06:21:36 EST
Parent Server Generation: 0
Server uptime: 1 day 13 hours 45 minutes 23 seconds
Total accesses: 36332 - Total Traffic: 610.7 MB
CPU Usage: u37.44 s4.83 cu.01 cs0 - .0311% CPU load
.267 requests/sec - 4711 B/second - 17.2 kB/request
2 requests currently being processed, 8 idle workers
Back to top

tdonovan Moderator
Posted: Thu 04 Jan '07 4:04 Post subject:
You're right - Etch has both Apache 2.2.3 (under apt group "Networking") and Apache 1.3.34 (under "World Wide Web").
The high-numbered ports look like the browser-side port number of a browser-server connection.
Maybe you're already familiar with it, but wireshark (previously ethereal) is great to capture and look at suspicious net traffic.
After you have captured some traffic, the [Right-click] [Follow TCP Stream] command is especially helpful to view web requests/responses.
-tom-
Back to top

WizardOfZo
Posted: Fri 05 Jan '07 2:00 Post subject:
|
I have Wireshark installed; it used to be called Ethereal when I used it in the past.
I hope to catch the outgoing packet soon. There are only a few each day.
Wireshark needs a lot of tuning of the filters to avoid useless lines in the output. I also need to stop blocking outgoing packets so that they get to wireshark.
I tried lsof -i and I did not see anything strange, but I would guess that intermittent outgoing packets are hard to detect that way.
If I find the source of the problem, I will post it.
Thanks for the help
Back to top

WizardOfZo
Posted: Fri 05 Jan '07 14:32 Post subject:
I found some results last night. I don't understand network lingo. Does any of this look unusual?
Quote:
"No.", "Time", "Source", "Destination", "Protocol", "Info"
"1", "20:38:11.902543", "OutsideUser", " My Server", "TCP", "2612 > www [SYN] Seq=0 Len=0 MSS=1460"
"2", "20:38:11.902638", " My Server", "OutsideUser", "TCP", "www > 2612 [SYN, ACK] Seq=0 Ack=1 Win=2144 Len=0 MSS=536"
"3", "20:38:12.050091", "OutsideUser", " My Server", "TCP", "2612 > www [ACK] Seq=1 Ack=1 Win=65535 Len=0"
"4", "20:38:12.054840", "OutsideUser", " My Server", "TCP", "[TCP segment of a reassembled PDU]"
"5", "20:38:12.054916", " My Server", "OutsideUser", "TCP", "www > 2612 [ACK] Seq=1 Ack=537 Win=3216 Len=0"
"6", "20:38:12.054985", "OutsideUser", " My Server", "HTTP", "GET /plm/index.php?a=ltp HTTP/1.1"
"7", "20:38:12.055006", " My Server", "OutsideUser", "TCP", "www > 2612 [ACK] Seq=1 Ack=630 Win=3216 Len=0"
"8", "20:38:12.152807", " My Server", "OutsideUser", "TCP", "[TCP segment of a reassembled PDU]"
"9", "20:38:12.152836", " My Server", "OutsideUser", "TCP", "[TCP segment of a reassembled PDU]"
"10", "20:38:12.300270", "OutsideUser", " My Server", "TCP", "2612 > www [ACK] Seq=630 Ack=1073 Win=65535 Len=0"
"11", "20:38:12.300315", " My Server", "OutsideUser", "TCP", "[TCP segment of a reassembled PDU]"
"12", "20:38:12.300324", " My Server", "OutsideUser", "TCP", "[TCP segment of a reassembled PDU]"
"13", "20:38:12.300333", " My Server", "OutsideUser", "TCP", "[TCP segment of a reassembled PDU]"
To obtain this wireshark output I setup a filter to only monitor one users IP.
As far as I know, the HTTP request is the only valid request from my discussion board (ICT Gold 1.0) via port 80. The outbound port 2612 is now blocked.
Back to top

tdonovan Moderator
Posted: Fri 05 Jan '07 23:59 Post subject:
Looks OK to me.
Port 2612 is the port number which the user's browser is using. It is a port on the 'OutsideUser' machine, not on your machine.
The 'www' port (i.e. port 80) is the only port number in use on your machine ('My Server').
Remember that each network connection has two ends: for HTTP connections it is port 80 on the server end, and a (usually randomly-selected) port on the browser end.
MyServer:80 <-----> OutsideUser:NNNN
Your firewall only restricts the port numbers used on your end of the connection - not the remote user's end.
-tom-
Back to top

WizardOfZo
Posted: Sat 06 Jan '07 0:51 Post subject:
I may not have posted the proper lines from that report.
Here is what Firestarter showed for outbound traffic to the same user's IP:
Code:
Time:Jan 4 19:49:22 Direction: Outbound In: Out:eth0 Port:1483 Source: My Server Destination:OutsideUser Length:576 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jan 4 19:53:33 Direction: Outbound In: Out:eth0 Port:1661 Source: My Server Destination:OutsideUser Length:576 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jan 4 19:57:10 Direction: Outbound In: Out:eth0 Port:1755 Source: My Server Destination:OutsideUser Length:576 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jan 4 19:57:25 Direction: Outbound In: Out:eth0 Port:1704 Source: My Server Destination:OutsideUser Length:576 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jan 4 20:00:55 Direction: Outbound In: Out:eth0 Port:2236 Source: My Server Destination:OutsideUser Length:576 TOS:0x00 Protocol:TCP Service:Unknown
Back to top

tdonovan Moderator
Posted: Sat 06 Jan '07 17:03 Post subject:
Can't really tell much from this.
One idea - do you have an FTP server?
When an FTP server transfers files in 'active' mode it creates outbound connections like this.
Most browsers use 'passive' mode, but many command-line ftp clients use active mode.
-tom-
Back to top
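An added Python example, not part of the thread, that applies the two-ends point from the earlier reply (port 80 on our side, an ephemeral port on the browser's side) to the Wireshark packet-list CSV posted above, and also shows what the active-mode FTP case from the reply just above would look like. For each TCP packet it works out which port is on 'My Server' and which is on the remote host, and records who sent the bare SYN, i.e. who opened the connection. Rows 1 to 7 are the posted capture; rows 90 and 91 are constructed and show a server-opened connection: an active-mode FTP data transfer, where the server connects from its own port 20 ('ftp-data') to the port the client named. The host names, the port-name table and the packet numbers of the added rows are assumptions for the example.

```python
"""Tell which end of each captured TCP connection is ours, and who opened it."""
import csv
import io
import re

# Wireshark "Packet List" CSV export as quoted in the thread (rows 1-7), plus
# two constructed rows (90, 91) for a connection our own host opened.
SAMPLE_CSV = '''\
"No.", "Time", "Source", "Destination", "Protocol", "Info"
"1", "20:38:11.902543", "OutsideUser", " My Server", "TCP", "2612 > www [SYN] Seq=0 Len=0 MSS=1460"
"2", "20:38:11.902638", " My Server", "OutsideUser", "TCP", "www > 2612 [SYN, ACK] Seq=0 Ack=1 Win=2144 Len=0 MSS=536"
"3", "20:38:12.050091", "OutsideUser", " My Server", "TCP", "2612 > www [ACK] Seq=1 Ack=1 Win=65535 Len=0"
"4", "20:38:12.054840", "OutsideUser", " My Server", "TCP", "[TCP segment of a reassembled PDU]"
"5", "20:38:12.054916", " My Server", "OutsideUser", "TCP", "www > 2612 [ACK] Seq=1 Ack=537 Win=3216 Len=0"
"6", "20:38:12.054985", "OutsideUser", " My Server", "HTTP", "GET /plm/index.php?a=ltp HTTP/1.1"
"7", "20:38:12.055006", " My Server", "OutsideUser", "TCP", "www > 2612 [ACK] Seq=1 Ack=630 Win=3216 Len=0"
"90", "20:40:01.000000", " My Server", "OutsideUser", "TCP", "ftp-data > 1483 [SYN] Seq=0 Len=0 MSS=1460"
"91", "20:40:01.150000", "OutsideUser", " My Server", "TCP", "1483 > ftp-data [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460"
'''

LOCAL_HOST = "My Server"  # how our machine is named in the capture (assumed)
# Wireshark prints well-known ports by name; map the ones we expect back to numbers.
SERVICE_PORTS = {"www": 80, "http": 80, "ftp-data": 20, "ftp": 21}

# "<src port> > <dst port> [<flags>] ..." as Wireshark writes the TCP Info column.
INFO_RE = re.compile(r"^(\S+) > (\S+) \[([^\]]*)\]")


def port_number(name):
    return int(name) if name.isdigit() else SERVICE_PORTS[name]


def analyse(csv_text, local_host=LOCAL_HOST):
    """Return one record per connection: our port, the remote host and port,
    who sent the opening SYN, and how many packets with port info we saw."""
    conns = {}
    reader = csv.reader(io.StringIO(csv_text), skipinitialspace=True)
    next(reader)  # header row
    for _no, _time, src, dst, _proto, info in reader:
        src, dst = src.strip(), dst.strip()
        m = INFO_RE.match(info)
        if not m:
            continue  # HTTP rows and "reassembled PDU" rows carry no port numbers
        sport, dport, flags = port_number(m.group(1)), port_number(m.group(2)), m.group(3)
        if src == local_host:
            local_port, remote, remote_port = sport, dst, dport
        elif dst == local_host:
            local_port, remote, remote_port = dport, src, sport
        else:
            continue  # traffic between two other hosts
        key = (local_port, remote, remote_port)
        rec = conns.setdefault(key, {"local_port": local_port, "remote": remote,
                                     "remote_port": remote_port, "opened_by": None,
                                     "packets": 0})
        rec["packets"] += 1
        # A SYN without ACK is the opening packet; whoever sends it opened the
        # connection. The SYN,ACK is only the answer to it.
        if "SYN" in flags and "ACK" not in flags and rec["opened_by"] is None:
            rec["opened_by"] = "local" if src == local_host else "remote"
    return list(conns.values())


def local_ports_in_use(records):
    """The only ports that a firewall on our side can restrict."""
    return sorted({r["local_port"] for r in records})


def server_initiated(records):
    """Connections our host opened itself: the ones worth explaining."""
    return [r for r in records if r["opened_by"] == "local"]


if __name__ == "__main__":
    recs = analyse(SAMPLE_CSV)
    print("local ports in use:", local_ports_in_use(recs))
    for r in recs:
        print(f"  {LOCAL_HOST}:{r['local_port']} <-> {r['remote']}:{r['remote_port']}"
              f"  opened by {r['opened_by']} ({r['packets']} packets)")
    print("server-initiated:", [(r["local_port"], r["remote_port"]) for r in server_initiated(recs)])
```

On the posted rows alone the only local port is 80 and the browser opened the connection; 2612 never appears on our side at all. Only the constructed FTP rows produce a `server_initiated` entry.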

WizardOfZo
Posted: Sat 06 Jan '07 22:31 Post subject:
No FTP (that I know about); I try to keep a tight ship here. I only use SSH on a special port for remote access. MySQL is only on localhost. The only thing allowed in through the firewall is HTTP on port 80. Outbound is restricted to HTTP, DHCP, SMTP and NTP.
My concern is that the discussion board I am using (ICT Gold 1.0) has some undocumented odd use of ports, or something else got in from a transferred web page. Some of my 4 virtual websites have been online for 10 years under various servers. (I hate all the crap Front Page polluted all my directories with.)
For the moment, the outgoing hits have been quiet. If they start up again, I will fire up Wireshark to meet them.
Thanks for helping out.
This discussion board is a great find for me.
Back to top

WizardOfZo
Posted: Wed 10 Jan '07 3:56 Post subject:
The unknown TCP outputs had subsided for a while, but they are back again.
To catch the output packets with Wireshark, I need to have the firewall (Firestarter) allow unrestrictive output. I don't like to leave it that way for any length of time.
Is there a way to have Wireshark do packet analysis before it gets blocked by Firestarter, or is there a way to have Wireshark block the suspect outgoing data packets?
Back to top
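The last question is left open in the thread. An added note and Python example, from the editor and not from any of the posters: on Linux the capture tap that Wireshark (libpcap) uses sits at the network device, below netfilter, so an outbound packet that the OUTPUT chain drops never reaches the capture; you cannot see it in Wireshark without first letting it through. What you can do is log it before it is dropped: an iptables `LOG` rule with `--log-prefix` placed immediately ahead of the rule that drops outbound traffic writes one kernel log line per dropped packet, including the TCP flags. Those flags answer the question the Firestarter events above cannot: a bare SYN from the server is a connection the server opened itself, while a segment with ACK set leaving source port 80 is a reply on a connection a browser opened, and the port the log shows is just the browser's ephemeral port. The example parses constructed lines in the format the `LOG` target produces (the "OUT-DROP: " prefix, the addresses and the listening-port set are assumptions) and classifies each one. It also computes the TCP payload as IP length minus 40 bytes of headers: 576 minus 40 is 536, the MSS the server advertised in the posted SYN/ACK.

```python
"""Classify dropped outbound packets from iptables LOG lines in the kernel log."""
import re
from collections import Counter

# Ports this host listens on (assumed: HTTP only; add the SSH port if wanted).
# A packet leaving one of these with ACK set belongs to a connection the remote
# side opened, so the "port" a firewall log shows is the remote end's port.
LISTENING_PORTS = {80}

TCP_FLAG_TOKENS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}

# Constructed kernel log lines in the iptables LOG target's format. The
# "OUT-DROP: " prefix is assumed to have been set with --log-prefix on a LOG
# rule placed directly before the rule that drops outbound traffic.
SAMPLE_LOG = """\
Jan  4 19:49:22 web kernel: OUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=80 DPT=1483 WINDOW=3216 RES=0x00 ACK PSH URGP=0
Jan  4 19:53:33 web kernel: OUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=80 DPT=1661 WINDOW=3216 RES=0x00 ACK PSH URGP=0
Jan  4 19:57:10 web kernel: OUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4713 DF PROTO=TCP SPT=33044 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  4 19:57:25 web kernel: OUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.53 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=4714 DF PROTO=UDP SPT=32768 DPT=53 LEN=41
"""

# syslog timestamp, host, "kernel:", optional prefix, then the IN=... body.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>.*?)IN=(?P<body>.*)$")


def parse_log(text):
    """Turn each LOG line into a dict of its KEY=VALUE fields plus the set of
    TCP flag tokens. Ports, length and TTL are converted to int."""
    packets = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a netfilter LOG line
        pkt = {"time": m.group("ts"), "prefix": m.group("prefix").strip(), "flags": set()}
        for tok in ("IN=" + m.group("body")).split():
            if "=" in tok:
                key, val = tok.split("=", 1)
                # UDP lines print LEN= twice (IP total length, then UDP length);
                # keep the first, which is the IP total length.
                pkt.setdefault(key, val)
            elif tok in TCP_FLAG_TOKENS:
                pkt["flags"].add(tok)   # "DF" and similar IP tokens are ignored
        for key in ("SPT", "DPT", "LEN", "TTL"):
            if key in pkt:
                pkt[key] = int(pkt[key])
        packets.append(pkt)
    return packets


def classify(pkt):
    """What kind of outbound packet was dropped?"""
    if pkt.get("PROTO") != "TCP":
        return "non-tcp"
    flags = pkt["flags"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-outbound-connection"      # our host opened this one: explain it
    if "ACK" in flags and pkt["SPT"] in LISTENING_PORTS:
        return "reply-on-inbound-connection"  # remote side opened it; we are answering
    return "other-tcp"


def tcp_payload_estimate(pkt):
    """IP total length minus 20-byte IPv4 and 20-byte TCP headers. The LOG line
    does not show option lengths, so this is an upper bound on the payload."""
    return pkt["LEN"] - 40


def summarize(packets):
    return Counter(classify(p) for p in packets)


def needs_explaining(packets):
    """Dropped packets that really are connections this host tried to open."""
    return [p for p in packets if classify(p) == "new-outbound-connection"]


if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    print(dict(summarize(pkts)))
    for p in needs_explaining(pkts):
        print(f"{p['time']} {p['SRC']}:{p['SPT']} -> {p['DST']}:{p['DPT']} "
              f"{p['PROTO']} {sorted(p['flags'])}")
```

The two 576-byte segments from port 80 classify as replies on browser-opened connections; only the bare SYN to port 443 is something the server tried to start on its own. Once a dropped packet is identified as one the server opened, `netstat -p` or `lsof -i` run at that moment, or a `LOG` rule with `--log-uid` where the kernel supports it, is the way to find the process behind it.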