460 Attacks from 127.0.0.1

Support for security such as Firewalls and securing linux
hafied1
Posts: 11
Joined: 2015/11/22 15:35:46

Re: 460 Attacks from 127.0.0.1

Post by hafied1 » 2015/11/22 22:00:47

jyoung wrote:That's not my point. You're running nginx, php-fpm and memcached on your dedicated server. With the information that you've provided, the number of connections to your loopback address doesn't seem abnormal.
I will send you more details if server will be under attack tomorrow.
Thank you

hafied1
Posts: 11
Joined: 2015/11/22 15:35:46

Re: 460 Attacks from 127.0.0.1

Post by hafied1 » 2015/11/23 14:38:43

jyoung wrote:That's not my point. You're running nginx, php-fpm and memcached on your dedicated server. With the information that you've provided, the number of connections to your loopback address doesn't seem abnormal.
399 127.0.0.1
[root@ns413692 ~]# netstat -tupn | grep 127.0.0.1 | gawk '{print $NF}' | uniq -c
1 -
2 3916/varnishd
2 -
1 3916/varnishd
3 -
1 3916/varnishd
3 -
1 3916/varnishd
9 -
1 3089/memcached
1 31164/php-fpm
1 3089/memcached
1 31150/nginx
1 3916/varnishd
4 -
1 3089/memcached
1 31150/nginx
3 -
2 31150/nginx
1 3916/varnishd
1 31120/php-fpm
1 -
1 3089/memcached
1 31150/nginx
5 -
1 31150/nginx
2 -
1 3916/varnishd
1 -
1 3089/memcached
1 -
1 3916/varnishd
1 3089/memcached
1 -
1 31150/nginx
1 31151/php-fpm
1 -
1 3089/memcached
1 3916/varnishd
2 -
1 31165/php-fpm
1 -
1 31150/nginx
2 -
1 3089/memcached
1 31150/nginx
1 31160/php-fpm
3 -
1 31150/nginx
1 3089/memcached
5 -
1 3089/memcached
1 31122/php-fpm
1 -
1 3089/memcached
1 31150/nginx
4 -
1 31150/nginx
1 3916/varnishd
1 31150/nginx
5 -
1 31150/nginx
2 -
1 3089/memcached
1 -
1 3089/memcached
1 -
1 31150/nginx
1 -
1 3089/memcached
1 3916/varnishd
1 -
1 31150/nginx
1 -
1 31117/php-fpm
2 -
1 31150/nginx
1 31157/php-fpm
1 -
1 3916/varnishd
1 -
1 3089/memcached
1 31150/nginx
2 -
1 31150/nginx
2 -
2 3089/memcached
1 -
1 31110/php-fpm
1 -
1 31198/php-fpm
6 -
1 31159/php-fpm
2 -
2 3916/varnishd
1 31161/php-fpm
4 -
1 31181/php-fpm
3 -
1 31170/php-fpm
1 -
1 31182/php-fpm
1 3089/memcached
1 -
1 31155/php-fpm
1 3089/memcached
1 -
1 3916/varnishd
1 31152/php-fpm
1 31150/nginx
1 -
1 3089/memcached
1 -
1 3089/memcached
3 31150/nginx
5 -
1 3089/memcached
1 31150/nginx
1 31184/php-fpm
1 31169/php-fpm
1 3089/memcached
1 -
1 3916/varnishd
1 31150/nginx
3 -
1 31150/nginx
3 -
1 31121/php-fpm
1 3089/memcached
3 -
1 31156/php-fpm
2 -
1 3089/memcached
1 -
1 3089/memcached
3 -
2 3089/memcached
1 31163/php-fpm
1 -
2 3916/varnishd
1 -
1 3089/memcached
1 31123/php-fpm
1 31116/php-fpm
1 3089/memcached
1 -
1 31118/php-fpm
4 -
1 3089/memcached
1 -
1 3089/memcached
1 -
1 3089/memcached
1 -
1 3916/varnishd
1 -
2 31150/nginx
1 3916/varnishd
1 -
1 31150/nginx
1 -
1 31180/php-fpm
1 3089/memcached
1 -
1 3916/varnishd
7 -
1 3089/memcached
2 -
1 31150/nginx
3 -
1 31112/php-fpm
2 -
1 3916/varnishd
4 -
1 31193/php-fpm
5 -
1 31113/php-fpm
1 3916/varnishd
2 -
1 31171/php-fpm
1 -
1 31153/php-fpm
1 -
2 3089/memcached
2 -
1 31119/php-fpm
2 3916/varnishd
1 -
1 31168/php-fpm
1 31150/nginx
1 3089/memcached
1 -
2 3916/varnishd
1 -
1 31172/php-fpm
6 -
1 3916/varnishd
1 -
1 31183/php-fpm
1 3916/varnishd
1 31158/php-fpm
1 3089/memcached
3 3916/varnishd
1 -
1 3916/varnishd
1 -
2 31150/nginx
1 -
1 31150/nginx
4 -
1 3089/memcached
2 -
1 3916/varnishd
1 31150/nginx
1 31167/php-fpm
1 31150/nginx
1 31196/php-fpm
2 3089/memcached
1 -
1 3916/varnishd
1 -
1 3089/memcached
1 -
1 3089/memcached
1 3916/varnishd
2 -
1 3089/memcached
7 -
1 31150/nginx
1 31179/php-fpm
1 31194/php-fpm
2 -
1 31115/php-fpm
2 -
1 31150/nginx
1 -
1 3916/varnishd
1 31124/php-fpm
5 -
1 3089/memcached
1 31162/php-fpm
2 -
1 31150/nginx
1 -
1 3916/varnishd
2 -
1 3916/varnishd
1 31150/nginx
2 -
1 3916/varnishd
1 31166/php-fpm
1 3916/varnishd
1 31192/php-fpm
1 3089/memcached
1 31191/php-fpm
1 -
1 31111/php-fpm
2 31150/nginx
1 -

User avatar
TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: 460 Attacks from 127.0.0.1

Post by TrevorH » 2015/11/23 17:03:59

Those are just ports in use on your local system. Why do you think that they are a problem? What are you really trying to fix?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

hafied1
Posts: 11
Joined: 2015/11/22 15:35:46

Re: 460 Attacks from 127.0.0.1

Post by hafied1 » 2015/11/23 23:09:46

TrevorH wrote:Those are just ports in use on your local system. Why do you think that they are a problem? What are you really trying to fix?
Everyday I have a same issue the server runs without any problem but two or three times per day the server slows down or don't work totally. when I check connections, I find more than 400 connections from 127.0.0.1. after 15 minutes the number of connection from 127.0.0.1 does down to about 100 or less and server works again without any problem.
thank you

User avatar
TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: 460 Attacks from 127.0.0.1

Post by TrevorH » 2015/11/24 09:09:54

I think you are trying to solve the wrong problem. Most likely the connections to 127.0.0.1 are really from your nginx to your php-fpm process and the real problem is that something is hitting your nginx server hard.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Post Reply