460 Attacks from 127.0.0.1

Support for security such as Firewalls and securing linux
hafied1
Posts: 11
Joined: 2015/11/22 15:35:46

Re: 460 Attacks from 127.0.0.1

Postby hafied1 » 2015/11/22 22:00:47

jyoung wrote:That's not my point. You're running nginx, php-fpm and memcached on your dedicated server. With the information that you've provided, the number of connections to your loopback address doesn't seem abnormal.

I will send you more details if server will be under attack tomorrow.
Thank you

hafied1
Posts: 11
Joined: 2015/11/22 15:35:46

Re: 460 Attacks from 127.0.0.1

Postby hafied1 » 2015/11/23 14:38:43

jyoung wrote:That's not my point. You're running nginx, php-fpm and memcached on your dedicated server. With the information that you've provided, the number of connections to your loopback address doesn't seem abnormal.


399 127.0.0.1
[root@ns413692 ~]# netstat -tupn | grep 127.0.0.1 | gawk '{print $NF}' | uniq -c
1 -
2 3916/varnishd
2 -
1 3916/varnishd
3 -
1 3916/varnishd
3 -
1 3916/varnishd
9 -
1 3089/memcached
1 31164/php-fpm
1 3089/memcached
1 31150/nginx
1 3916/varnishd
4 -
1 3089/memcached
1 31150/nginx
3 -
2 31150/nginx
1 3916/varnishd
1 31120/php-fpm
1 -
1 3089/memcached
1 31150/nginx
5 -
1 31150/nginx
2 -
1 3916/varnishd
1 -
1 3089/memcached
1 -
1 3916/varnishd
1 3089/memcached
1 -
1 31150/nginx
1 31151/php-fpm
1 -
1 3089/memcached
1 3916/varnishd
2 -
1 31165/php-fpm
1 -
1 31150/nginx
2 -
1 3089/memcached
1 31150/nginx
1 31160/php-fpm
3 -
1 31150/nginx
1 3089/memcached
5 -
1 3089/memcached
1 31122/php-fpm
1 -
1 3089/memcached
1 31150/nginx
4 -
1 31150/nginx
1 3916/varnishd
1 31150/nginx
5 -
1 31150/nginx
2 -
1 3089/memcached
1 -
1 3089/memcached
1 -
1 31150/nginx
1 -
1 3089/memcached
1 3916/varnishd
1 -
1 31150/nginx
1 -
1 31117/php-fpm
2 -
1 31150/nginx
1 31157/php-fpm
1 -
1 3916/varnishd
1 -
1 3089/memcached
1 31150/nginx
2 -
1 31150/nginx
2 -
2 3089/memcached
1 -
1 31110/php-fpm
1 -
1 31198/php-fpm
6 -
1 31159/php-fpm
2 -
2 3916/varnishd
1 31161/php-fpm
4 -
1 31181/php-fpm
3 -
1 31170/php-fpm
1 -
1 31182/php-fpm
1 3089/memcached
1 -
1 31155/php-fpm
1 3089/memcached
1 -
1 3916/varnishd
1 31152/php-fpm
1 31150/nginx
1 -
1 3089/memcached
1 -
1 3089/memcached
3 31150/nginx
5 -
1 3089/memcached
1 31150/nginx
1 31184/php-fpm
1 31169/php-fpm
1 3089/memcached
1 -
1 3916/varnishd
1 31150/nginx
3 -
1 31150/nginx
3 -
1 31121/php-fpm
1 3089/memcached
3 -
1 31156/php-fpm
2 -
1 3089/memcached
1 -
1 3089/memcached
3 -
2 3089/memcached
1 31163/php-fpm
1 -
2 3916/varnishd
1 -
1 3089/memcached
1 31123/php-fpm
1 31116/php-fpm
1 3089/memcached
1 -
1 31118/php-fpm
4 -
1 3089/memcached
1 -
1 3089/memcached
1 -
1 3089/memcached
1 -
1 3916/varnishd
1 -
2 31150/nginx
1 3916/varnishd
1 -
1 31150/nginx
1 -
1 31180/php-fpm
1 3089/memcached
1 -
1 3916/varnishd
7 -
1 3089/memcached
2 -
1 31150/nginx
3 -
1 31112/php-fpm
2 -
1 3916/varnishd
4 -
1 31193/php-fpm
5 -
1 31113/php-fpm
1 3916/varnishd
2 -
1 31171/php-fpm
1 -
1 31153/php-fpm
1 -
2 3089/memcached
2 -
1 31119/php-fpm
2 3916/varnishd
1 -
1 31168/php-fpm
1 31150/nginx
1 3089/memcached
1 -
2 3916/varnishd
1 -
1 31172/php-fpm
6 -
1 3916/varnishd
1 -
1 31183/php-fpm
1 3916/varnishd
1 31158/php-fpm
1 3089/memcached
3 3916/varnishd
1 -
1 3916/varnishd
1 -
2 31150/nginx
1 -
1 31150/nginx
4 -
1 3089/memcached
2 -
1 3916/varnishd
1 31150/nginx
1 31167/php-fpm
1 31150/nginx
1 31196/php-fpm
2 3089/memcached
1 -
1 3916/varnishd
1 -
1 3089/memcached
1 -
1 3089/memcached
1 3916/varnishd
2 -
1 3089/memcached
7 -
1 31150/nginx
1 31179/php-fpm
1 31194/php-fpm
2 -
1 31115/php-fpm
2 -
1 31150/nginx
1 -
1 3916/varnishd
1 31124/php-fpm
5 -
1 3089/memcached
1 31162/php-fpm
2 -
1 31150/nginx
1 -
1 3916/varnishd
2 -
1 3916/varnishd
1 31150/nginx
2 -
1 3916/varnishd
1 31166/php-fpm
1 3916/varnishd
1 31192/php-fpm
1 3089/memcached
1 31191/php-fpm
1 -
1 31111/php-fpm
2 31150/nginx
1 -

User avatar
TrevorH
Forum Moderator
Posts: 21002
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: 460 Attacks from 127.0.0.1

Postby TrevorH » 2015/11/23 17:03:59

Those are just ports in use on your local system. Why do you think that they are a problem? What are you really trying to fix?
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

hafied1
Posts: 11
Joined: 2015/11/22 15:35:46

Re: 460 Attacks from 127.0.0.1

Postby hafied1 » 2015/11/23 23:09:46

TrevorH wrote:Those are just ports in use on your local system. Why do you think that they are a problem? What are you really trying to fix?

Everyday I have a same issue the server runs without any problem but two or three times per day the server slows down or don't work totally. when I check connections, I find more than 400 connections from 127.0.0.1. after 15 minutes the number of connection from 127.0.0.1 does down to about 100 or less and server works again without any problem.
thank you

User avatar
TrevorH
Forum Moderator
Posts: 21002
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: 460 Attacks from 127.0.0.1

Postby TrevorH » 2015/11/24 09:09:54

I think you are trying to solve the wrong problem. Most likely the connections to 127.0.0.1 are really from your nginx to your php-fpm process and the real problem is that something is hitting your nginx server hard.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke