Mailinglist Archive: opensuse (4344 mails)
unknown connect from my linux to my linux on port 443
- From: "Tom Henderson" <2005slm@xxxxxxx>
- Date: 2 Aug 2005 14:25:12 -0000
- Message-id: <20050802142512.18792.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Hi Everybody,
I've noticed some strange connections on my SuSE Linux 9.0 Professional
and hope that someone can give me some advice what that is about.
In my iptables logfiles I found in regular intervals the following
entries:
Aug 2 16:14:28 localhost kernel: [FIREWALL OUTPUT-DROP] : IN= OUT=lo
SRC=111.222.333.444 DST=111.222.333.444 LEN=60 TOS=0x00 PREC=0x00
TTL=64 ID=20562 DF PROTO=TCP SPT=43084 DPT=443 WINDOW=32767 RES=0x00
SYN URGP=0 OPT (0204400C0402080A00E8DCAA0000000001030300)
where the SRC & DST IP is my public fixed internet IP address.
As I discovered this I set my iptables rule to DROP this kind of traffic
but the only thing that changed was that before I dropped the
traffic I got SYN & ACK & RST flags in the logs but after setting the
rule to DROP there are only SYN flags left.
A "netstat -v -n -e -a -p" displays the following:
tcp 0 0 111.222.333.444:443 0.0.0.0:*
LISTEN 0 7423195 28396/httpd2-prefor
tcp 0 1 111.222.333.444:42692 111.222.333.444:443
SYN_SENT 0 8701223 28396/httpd2-prefor
And to answer the question what listens on my port 443, it is an apache2
2.0.53 BUT what I want to know is what kind of process continues to
access my apache from the local host via the interface "lo".
I've tried to find something in my apache logfiles but there is no
entry, neither an error message nor some kind of information matching
the timestamp I find in my iptables log.
What I've tried is to find some kind of error message generated by some
program after I blocked the traffic but there is none to be found.
What I've also tried is accessing the firewall logs with "tail -f" and
in another window the apache logfile as well but there is nothing to
find.
Can someone give me a hint where to look for or what to do to get rid of
this or to get to know what kind of tool, proggie or whatever wants to
access my apache on port 443?
Kind regards
Tom.
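
Added example, not part of the original post: a small Python parser for the netfilter LOG entry quoted above that splits out the fields and decodes the hex blob after OPT into TCP options. The function names are this example's own, and the length check assumes a 20-byte IP header with no IP options.

```python
import re

# Constructed sample: the log entry from the post, rejoined onto one line.
LOG = ("Aug 2 16:14:28 localhost kernel: [FIREWALL OUTPUT-DROP] : IN= OUT=lo "
       "SRC=111.222.333.444 DST=111.222.333.444 LEN=60 TOS=0x00 PREC=0x00 "
       "TTL=64 ID=20562 DF PROTO=TCP SPT=43084 DPT=443 WINDOW=32767 RES=0x00 "
       "SYN URGP=0 OPT (0204400C0402080A00E8DCAA0000000001030300)")

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
NAMES = {2: "MSS", 3: "WSCALE", 4: "SACK_PERMITTED", 8: "TIMESTAMP"}

def parse_log(line):
    """Return (KEY=VALUE fields, TCP flags, raw TCP option bytes)."""
    body = line[line.index("IN="):]          # skip syslog header and log prefix
    opt = re.search(r"OPT \(([0-9A-Fa-f]+)\)", body)
    raw = bytes.fromhex(opt.group(1)) if opt else b""
    fields, flags = {}, []
    for tok in body.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.append(tok)
    return fields, flags, raw

def decode_tcp_options(raw):
    """Walk the kind/length/value list; reject lengths that overrun the buffer."""
    out, i = [], 0
    while i < len(raw) and raw[i] != 0:      # kind 0 = end of option list
        kind = raw[i]
        if kind == 1:                        # NOP is a single padding byte
            out.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        data = raw[i + 2:i + raw[i + 1]]
        if kind == 8 and len(data) == 8:     # TSval, TSecr
            value = (int.from_bytes(data[:4], "big"), int.from_bytes(data[4:], "big"))
        else:
            value = int.from_bytes(data, "big") if data else None
        out.append((NAMES.get(kind, "KIND_%d" % kind), value))
        i += raw[i + 1]
    return out

def summarize(line):
    fields, flags, raw = parse_log(line)
    return {"self_connect": fields["SRC"] == fields["DST"] and fields["OUT"] == "lo",
            "initial_syn": flags == ["SYN"],
            "len_consistent": int(fields["LEN"]) == 40 + len(raw),  # 20 IP + 20 TCP
            "options": decode_tcp_options(raw)}
```

The log line carries no process information; the PID/program column of the netstat output in the post is what ties the SYN_SENT socket to a process.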