主页 / server / 问题

问题[netstat](server)

Martin Hope
Huynh Vinh Phat
Asked: 2021-11-08 20:28:21 +0800 CST
  • 0

我安装了 VestaCP 并将他们的邮件服务器用于我的域邮件。但是当我在我的服务器上运行 netstat 时,它显示了一些奇怪的连接。到目前为止,我的邮件服务器没有问题,我只是担心这些连接。

我的服务器是否遇到任何安全问题?

# netstat -antp

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      5033/exim
tcp        0      0 0.0.0.0:2525            0.0.0.0:*               LISTEN      5033/exim
tcp        0     35 my.server.ip.address:25        87.246.7.228:63258      ESTABLISHED 13152/exim
tcp        0     35 my.server.ip.address:25        212.70.149.88:38064     ESTABLISHED 13518/exim
tcp        0      0 my.server.ip.address:25        212.70.149.88:20194     ESTABLISHED 13519/exim
email-server exim netstat vestacp
Martin Hope
Ken Tsoi
Asked: 2021-07-29 06:18:03 +0800 CST
  • 2

我的系统是带有 WSL2 的 Win10,我运行了一个 dockergogs容器(来自 WSL 中的 ubuntu):

    83b2a8833235   gogs/gogs                    "/app/gogs/docker/st…"   17 minutes ago   Up 17 minutes   0.0.0.0:10022->22/tcp, :::10022->22/tcp, 0.0.0.0:10080->3000/tcp, :::10080->3000/tcp       gogs

我发现我可以cURL它,但不能使用浏览器访问它:

    >curl -vvv http://localhost:10080
    * Rebuilt URL to: http://localhost:10080/
    *   Trying ::1...
    * TCP_NODELAY set
    * Connected to localhost (::1) port 10080 (#0)
    > GET / HTTP/1.1
    > Host: localhost:10080
    > User-Agent: curl/7.55.1
    > Accept: */*
    >
    < HTTP/1.1 302 Found
    < Content-Type: text/html; charset=utf-8
    < Location: /install
    < Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
    < Set-Cookie: i_like_gogs=64602dcbf733a9e0; Path=/; HttpOnly
    < Set-Cookie: _csrf=CEoPJD9KItxBKOThbeQExNAjnDo6MTYyNzQ4MDI3Njg1MDY2NTEwMA; Path=/; Domain=localhost; Expires=Thu, 29 Jul 2021 13:51:16 GMT; HttpOnly
    < X-Content-Type-Options: nosniff
    < X-Frame-Options: DENY
    < Date: Wed, 28 Jul 2021 13:51:16 GMT
    < Content-Length: 31
    <
    <a href="/install">Found</a>.
    
    * Connection #0 to host localhost left intact

使用netstat -a -o我可以在 Active Connections 中看到地址:

TCP    0.0.0.0:10080          xxxxxxx:0          LISTENING       13152

但我无法使用浏览器访问: 无法使用浏览器访问

有人有任何提示吗?

netstat curl windows-10 windows-subsystem-for-linux
Martin Hope
m0ss
Asked: 2020-09-08 03:28:59 +0800 CST
  • 0

我的 cmd 屏幕

如何使用 netsat 在我的电脑上查看所有端口及其状态?(所有 2^16 个端口)以及如何列出在我的计算机传输层中具有开放端口的应用程序以及应用程序名称及其端口?对于第二个问题,我得到了这个但不确定它是否属实?因为我希望所有 IP 地址都是 0.0.0.0,因为我的电脑只关心它的端口,我不明白其他 IP 是什么。谢谢。

networking netstat
Martin Hope
King David
Asked: 2020-07-22 22:05:34 +0800 CST
  • 0

我们有 redhat 7.5 服务器

我们怀疑端口 50070 没有被服务正确关闭,(我们通过 netstat 和 PID 未找到)但是从日志中我们可以看到端口正在使用中

因此我们尝试执行以下操作,例如

ss --kill state listening src :50070
ss: unrecognized option '--kill'
Usage: ss [ OPTIONS ]
       ss [ OPTIONS ] [ FILTER ]
   -h, --help          this message
   -V, --version       output version information
   -n, --numeric       don't resolve service names
   -r, --resolve       resolve host names
   -a, --all           display all sockets
   -l, --listening     display listening sockets
   -o, --options       show timer information
   -e, --extended      show detailed socket information
   -m, --memory        show socket memory usage
   -p, --processes     show process using socket
   -i, --info          show internal TCP information
   -s, --summary       show socket usage summary
   -b, --bpf           show bpf filter socket information
   -Z, --context       display process SELinux security contexts
   -z, --contexts      display process and socket SELinux security contexts
   -N, --net           switch to the specified network namespace name

   -4, --ipv4          display only IP version 4 sockets
   -6, --ipv6          display only IP version 6 sockets
   -0, --packet        display PACKET sockets
   -t, --tcp           display only TCP sockets
   -u, --udp           display only UDP sockets
   -d, --dccp          display only DCCP sockets
   -w, --raw           display only RAW sockets
   -x, --unix          display only Unix domain sockets
   -f, --family=FAMILY display sockets of type FAMILY

   -A, --query=QUERY, --socket=QUERY
       QUERY := {all|inet|tcp|udp|raw|unix|unix_dgram|unix_stream|unix_seqpacket|packet|netlink}[,QUERY]

但 ss 不包括杀戮标志

什么是正确关闭端口或释放 rhel 机器上的端口的选项?

日志是:

2020-07-18 21:26:22,753 INFO  impl.MetricsSystemImpl (MetricsSystemImpl.java:shutdown(606)) - NameNode metrics system shutdown complete.
2020-07-18 21:26:22,753 ERROR namenode.NameNode (NameNode.java:main(1783)) - Failed to start namenode.
java.net.BindException: Port in use: linux.gg.com:50070
        at org.apache.hadoop.http.HttpServer2.constructBindException(HttpServer2.java:1001)
        at org.apache.hadoop.http.HttpServer2.bindForSinglePort(HttpServer2.java:1023)
        at org.apache.hadoop.http.HttpServer2.openListeners(HttpServer2.java:1080)
        at org.apache.hadoop.http.HttpServer2.start(HttpServer2.java:937)
        at org.apache.hadoop.hdfs.server.namenode.NameNodeHttpServer.start(NameNodeHttpServer.java:170)
        at org.apache.hadoop.hdfs.server.namenode.NameNode.startHttpServer(NameNode.java:942)
        at org.apache.hadoop.hdfs.server.namenode.NameNode.initialize(NameNode.java:755)
        at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:1001)
        at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:985)
        at org.apache.hadoop.hdfs.server.namenode.NameNode.createNameNode(NameNode.java:1710)
        at org.apache.hadoop.hdfs.server.namenode.NameNode.main(NameNode.java:1778)
Caused by: java.net.BindException: Address already in use
        at sun.nio.ch.Net.bind0(Native Method)
        at sun.nio.ch.Net.bind(Net.java:433)
        at sun.nio.ch.Net.bind(Net.java:425)
        at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:223)
        at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74)
        at org.mortbay.jetty.nio.SelectChannelConnector.open(SelectChannelConnector.java:216)
        at org.apache.hadoop.http.HttpServer2.bindListener(HttpServer2.java:988)
        at org.apache.hadoop.http.HttpServer2.bindForSinglePort(HttpServer2.java:1019)
        ... 9 more
2020-07-18 21:26:22,755 INFO  util.ExitUtil (ExitUtil.java:terminate(124)) - Exiting with status 1
2020-07-18 21:26:22,757 INFO  namenode.NameNode (LogAdapter.java:info(47)) - SHUTDOWN_MSG:
/************************************************************
SHUTDOWN_MSG: Shutting down NameNode at 
************************************************************/
[root@linux hdfs]#
[root@linux hdfs]#
[root@linux hdfs]# netstat -tulpn | grep 50070 ( no PID number is returned )
redhat networking port netstat socket
Martin Hope
SimonLi
Asked: 2020-07-03 02:19:55 +0800 CST
  • 1

试图运行 samba AD DC 但我被卡住了。创建域配置后,我定义了 resolv.conf:

cat /etc/resolv.conf
nameserver 10.99.0.30
search example.com

服务运行:

samba-ad-dc.service - Samba Active Directory Domain Controller
   Loaded: loaded (/etc/systemd/system/samba-ad-dc.service; enabled; vendor preset: disabled)
   Active: active (running)

DNS记录的查询似乎很好:

$ host -t SRV _ldap._tcp.example.com.
_ldap._tcp.random.example.com has SRV record 0 100 389 random.example.com.

$ host -t SRV _kerberos._udp.example.com.
_kerberos._udp.random.example.com has SRV record 0 100 88 random.example.com.

$ host -t A random.example.com.
dc1.random.example.com has address 10.99.0.30

当我做netstat时:

netstat -tulpn | grep ":53"
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      34599/samba: task[d
tcp6       0      0 :::53                   :::*                    LISTEN      34599/samba: task[d
udp        0      0 0.0.0.0:53              0.0.0.0:*                           34599/samba: task[d
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           745/avahi-daemon: r
udp6       0      0 :::53                   :::*                                34599/samba: task[d
udp6       0      0 :::5353                 :::*                                745/avahi-daemon: r

应该是 netstat 中 DNS(local) 10.99.0.30 的确切 IP 地址中的本地地址,例如 10.99.0.30:53 吗?

当我尝试从 WINDOWS 主机加入 AD 时,我得到了:

- The query was for the SRV record for _ldap._tcp.dc._msdcs.example.com
- The following domain controllers were identified by the query:
  (no Active Directory Domain Controllers found)
- Host (A) or (AAAA) records that map the names of the domain controllers to 
  their IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.

我什至无法通过 ping 解析 example.com。

domain-name-system samba netstat samba4
Martin Hope
morleyc
Asked: 2020-05-23 09:15:35 +0800 CST
  • 0

我有一个使用代理服务(WAF 等)的服务器,它将数据包转发到我的服务器。

我可以从所有代理中看到已建立netstat -an的 SSL 连接,其余的则卡在 SYN_RECV 中:

tcp        0      0 192.168.102.11:443      185.93.230.20:64966     SYN_RECV
tcp        0      0 192.168.102.11:443      192.88.135.20:8306      SYN_RECV
tcp        0      0 192.168.102.11:443      66.248.202.20:10750     SYN_RECV
tcp        0      0 192.168.102.11:443      185.93.230.20:2213      SYN_RECV
tcp        0      0 192.168.102.11:443      66.248.202.20:7494      SYN_RECV
tcp        0      0 192.168.102.11:443      185.93.231.20:32752     ESTABLISHED
tcp        0      0 192.168.102.11:443      185.93.231.20:31910     ESTABLISHED

我可以看到流量tcpdump port 443 and '(tcp-syn|tcp-ack)!=0' -nn

为了185.93.231.20.2139

20:36:35.263777 IP 192.168.102.11.443 > 185.93.231.20.2139: Flags [FP.], seq 203642186:203642217, ack 1968471817, win 258, options [nop,nop,TS val 32827456 ecr 876705214], length 31
20:36:36.901357 IP 192.168.102.11.443 > 185.93.231.20.2137: Flags [P.], seq 418165034:418165065, ack 2875697257, win 258, options [nop,nop,TS val 32829093 ecr 876704135], length 31

为了185.93.230.20

20:36:49.098560 IP 185.93.230.20.20721 > 192.168.102.11.443: Flags [S], seq 2855805773, win 29200, options [mss 1460,sackOK,TS val 882921029 ecr 0,nop,wscale 9], length 0
20:36:49.098638 IP 192.168.102.11.443 > 185.93.230.20.20721: Flags [S.], seq 268496949, ack 2855805774, win 28960, options [mss 1460,sackOK,TS val 32841290 ecr 882921029,nop,wscale 7], length 0

对于66.248.202.20

20:37:02.042048 IP 66.248.202.20.49557 > 192.168.102.11.443: Flags [S], seq 3837436386, win 29200, options [mss 1460,sackOK,TS val 791596242 ecr 0,nop,wscale 9], length 0
20:37:02.042116 IP 192.168.102.11.443 > 66.248.202.20.49557: Flags [S.], seq 2339555392, ack 3837436387, win 28960, options [mss 1460,sackOK,TS val 32854234 ecr 791596242,nop,wscale 7], length 0

对于192.88.135.20

20:36:39.595087 IP 185.93.228.20.23354 > 192.168.102.11.443: Flags [S], seq 1334433323, win 29200, options [mss 1460,sackOK,TS val 274977072 ecr 0,nop,wscale 9], length 0
20:36:39.595120 IP 192.168.102.11.443 > 185.93.228.20.23354: Flags [S.], seq 1203016390, ack 1334433324, win 28960, options [mss 1460,sackOK,TS val 32831787 ecr 274970056,nop,wscale 7], length

但只有来自185.93.231.20的流量才会登录到 domlogs:

185.93.231.20 - - [22/May/2020:19:55:37 +0400] "GET /blog/video-gallery/ HTTP/1.1" 200 12716 "https://www.example.com/blog/publications/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0" 747893
185.93.231.20 - - [22/May/2020:19:55:39 +0400] "GET /wp-content/uploads/2020/02/Thumbnail72.jpg HTTP/1.1" 200 181941 "https://www.example.com/blog/video-gallery/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0" 1283052
185.93.231.20 - - [22/May/2020:19:55:39 +0400] "GET /wp-content/uploads/2020/02/Thumbnail68.jpg HTTP/1.1" 200 180934 "https://www.example.com/blog/video-gallery/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0" 952373

关于下一步检查什么的任何想法?我已禁用所有防火墙规则并确保 NAT 在 WAN 和主机(入站和出站)之间正常工作 - 没有发生任何配置更改,这只是停止工作。

tcpdump netstat apache2 linux-networking
Martin Hope
Kalib Zen
Asked: 2020-05-20 12:38:49 +0800 CST
  • 3

当我的服务器速度很慢时,我被告知运行此命令并检查是否有人发出 SYN_RECV 请求以减慢我的服务器速度:

netstat -npt  | grep SYN_RECV | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort | uniq -c | sort -nr | head | tee -a $REPORT_FILE

输出示例:

Single attack IP - DOS:
  262 187.7.214.146
  1   95.90.250.96
  1   83.215.15.150
  1   203.160.112.239
  1   124.197.39.213

Multiple attack IPs - DDOS:  
  316 187.7.214.146
  94  187.7.214.96
  44  187.7.214.150
  90  203.160.112.239
  22  203.160.112.222

我在某处读到,如果一个IP的SYN_RECV请求数超过4个,则考虑进行SYN洪水攻击(DOS)。我有几个问题:

1) 当使用这个 netstat 命令时,我们可以声明一个 IP(DOS) 或 IPs (DDOS) 进行攻击的确切数字是多少?如果 IP 是 SYN_RECV 状态的连接,这是否意味着他正在进行 SYN 洪水攻击?可以是假旗吗?

2) SYN_RECV 是 DDOS 攻击者使用的唯一监听状态吗?那么 ESTABLISHED 状态呢?我很困惑,因为其他文章说如果某些外国IP以ESTABLISHED状态连接,那么我的服务器正在受到攻击。什么样的攻击

3) 我问这个问题是因为我想制作一个简单的 bash 脚本,它可以手动报告 IP 是否是攻击者,并且我被告知使用 SYN_RECV 状态来评估攻击者。这是我们唯一可以使用的状态吗?可以认为是安全的 SYN_RECV 值的最小值是多少(不是 DOS 攻击者)?

希望我的问题很清楚。请问我是否有不清楚的地方。

谢谢你,我希望有人能回答这个噩梦。

centos ddos netstat syn
Martin Hope
Kalib Zen
Asked: 2020-05-18 00:12:44 +0800 CST
  • 0

当我在终端中运行此命令时:

netstat -an | egrep ":80|:443" | sort

我得到以下输出:

tcp        0      0 172.104.10.125:48310    172.104.10.125:8081     TIME_WAIT  
tcp        0      0 172.104.10.125:48316    172.104.10.125:8081     TIME_WAIT    
tcp        0      0 172.104.10.125:48428    172.104.10.125:8081     ESTABLISHED
tcp        0      0 172.104.10.125:80       0.0.0.0               LISTEN     
tcp        0      0 172.104.10.125:80       5.111.110.185:23784     SYN_RECV   
tcp        0      0 172.104.10.125:80       89.109.64.166:42690     TIME_WAIT  
tcp6       0      0 ::1:443                 ::                    LISTEN     
tcp        0      0 172.104.10.125:443      60.51.33.253:65270      ESTABLISHED
tcp        0      0 172.104.10.125:443      66.249.79.94:49202      ESTABLISHED
tcp6       0      0 172.104.10.125:8080     172.104.10.125:39668    TIME_WAIT

172.104.10.125 是我的 IP 地址,如何排除上述第 5 列有 '172.104.10.125'、'0.0.0.0' 和 '::' 的结果?因为那些是受信任的本地主机 IP 和协议。

如果我使用这个: 

egrep -v "172.104.10.125|::|0.0.0.0"

它将排除不在第 5 列的所有内容

centos grep netstat
Martin Hope
andreszs
Asked: 2017-03-10 07:53:50 +0800 CST
  • 1

我的服务器被淹没,直到 apache 变得无响应,我需要一些帮助来查找和阻止负责的 IP 地址

通常,我的连接数不超过 150 个。现在我有成千上万:

netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
      1 established)
      1 Foreign
     13 LAST_ACK
     20 CLOSING
     30 SYN_RECV
     41 LISTEN
     44 FIN_WAIT1
     74 FIN_WAIT2
     77 CLOSE_WAIT
    273 ESTABLISHED
   1960 TIME_WAIT

MRTG 图表清楚地显示了攻击开始之前的正常连接: MRTG

这是计算每个 IP 的连接数的结果(仅限列表末尾):

netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
  5 4.59.90.216
  5 4.59.90.222
  5 4.59.90.237
  5 4.59.90.242
  5 74.125.26.95
  6 186.158.143.202
  6 216.58.219.162
  6 4.59.90.251
  7 104.24.5.60
  7 216.58.192.66
  7 4.59.90.212
  7 4.59.90.231
  7 4.59.90.241
  9 216.58.192.98
 10 189.177.214.89
 10 23.10.101.162
 11 4.59.90.226
 12 85.94.197.200
 25 216.58.219.66
 31 216.58.219.130
 40 0.0.0.0
 86 83.101.136.42
1026 10.0.0.2

最后一个是服务器的IP,我不知道为什么会显示。谢谢。

centos ddos netstat
Martin Hope
user3186337
Asked: 2017-02-24 00:29:33 +0800 CST
  • 1

我的 netstat 显示超过 2,000 个 mysql 连接,其 TIME_WAIT 状态似乎被卡住并且不会消失。几个小时以来都是这样,许多连接来自一个对我的数据库服务器没有权限的 IP 地址。好像挂了,怎么清除?这是蛮力攻击吗?我所有的用户权限都有特定的主机,我不使用任何通配符。

这是netstat的片段:

tcp        0      0 server:mysql       static.98.17.76.1:45222 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:34341 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:51888 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:54459 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:49599 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:50751 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:50731 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:54658 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:58974 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:33800 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:59840 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:53495 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:51561 TIME_WAIT

另外,我在 mysql 中的 PROCESSLIST 没有显示这些连接,所以我认为它们会立即被删除,但不确定为什么它们不会消失。这会导致 mysql 的最大连接数出现任何问题吗?

mysql tcp brute-force-attacks netstat