unknown connect from my linux to my linux on port 443
Hi Everybody,

I've noticed some strange connections on my SuSE Linux 9.0 Professional and hope that someone can give me some advice what that is about.

In my iptables logfiles I found in regular intervals the following entries:

Aug 2 16:14:28 localhost kernel: [FIREWALL OUTPUT-DROP] : IN= OUT=lo SRC=111.222.333.444 DST=111.222.333.444 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20562 DF PROTO=TCP SPT=43084 DPT=443 WINDOW=32767 RES=0x00 SYN URGP=0 OPT (0204400C0402080A00E8DCAA0000000001030300)

where the SRC & DST IP is my public fixed internet IP address.

As I discovered this I set my iptables rule to DROP this kind of traffic, but the only thing that changed was that before I dropped the traffic I got SYN & ACK & RST flags in the logs, but after setting the rule to DROP there are only SYN flags left.

A "netstat -v -n -e -a -p" displays the following:

tcp 0 0 111.222.333.444:443 0.0.0.0:* LISTEN 0 7423195 28396/httpd2-prefor
tcp 0 1 111.222.333.444:42692 111.222.333.444:443 SYN_SENT 0 8701223 28396/httpd2-prefor

And to answer the question what listens on my port 443, it is an apache2 2.0.53, BUT what I want to know is what kind of process continues to access my apache from the local host via the interface "lo".

I've tried to find something in my apache logfiles but there is no entry, neither an error message nor some kind of information matching the timestamp I find in my iptables log.

What I've tried is to find some kind of error message generated by some program after I blocked the traffic, but there is none to find. What I've also tried is accessing the firewall logs with "tail -f" and in another window the apache logfile as well, but there is nothing to find.

Can someone give me a hint where to look or what to do to get rid of this, or to get to know what kind of tool, proggie or whatever wants to access my apache on port 443?

Kind regards
Tom.
Tom,

On Tuesday 02 August 2005 07:25, Tom Henderson wrote:
> Hi Everybody,
>
> I've noticed some strange connections on my SuSE Linux 9.0 Professional and hope that someone can give me some advice what that is about.
>
> ...
>
> And to answer the question what listens on my port 443, it is an apache2 2.0.53, BUT what I want to know is what kind of process continues to access my apache from the local host via the interface "lo".

Simple. It's HTTP over SSL.

(From <http://www.iana.org/assignments/port-numbers>):

# Bill Davidson <billd@equalizer.cray.com>
https 443/tcp http protocol over TLS/SSL
https 443/udp http protocol over TLS/SSL

> ...
>
> Can someone give me a hint where to look or what to do to get rid of this, or to get to know what kind of tool, proggie or whatever wants to access my apache on port 443?

The IANA page is the first hit from <http://a9.com/TCP%20Port%20Assignments>.

> Kind regards
> Tom.

Randall Schulz
Hi Randall, Hi All

> On Tuesday 02 August 2005 07:25, Tom Henderson wrote:
>> Hi Everybody,
>>
>> I've noticed some strange connections on my SuSE Linux 9.0 Professional and hope that someone can give me some advice what that is about.
>>
>> ...
>>
>> And to answer the question what listens on my port 443, it is an apache2 2.0.53, BUT what I want to know is what kind of process continues to access my apache from the local host via the interface "lo".
>
> Simple. It's HTTP over SSL.
>
> (From <http://www.iana.org/assignments/port-numbers>):
>
> # Bill Davidson <billd@equalizer.cray.com>
> https 443/tcp http protocol over TLS/SSL
> https 443/udp http protocol over TLS/SSL

I know what kind of service listens on port 443. My problem is that there is a connection from my Linux to my Linux port 443 (interface "lo", but not from 127.0.0.1 to 127.0.0.1 but from 111.222.333.444 (official external IP) to 111.222.333.444) ALTHOUGH I'm not using any kind of software to browse my own server from my own server.

I don't know how to say it exactly in English: it is not a workstation that all this happens on, but a server without X or something like that.

I want to know which software initiates these connects, because I'm not issuing them; it also happens when nobody is logged in. It is definitely not a Konqueror session via X or something like that ...

I thought of a service check script within webmin or something like that, but although I stopped webmin these connections are still there.

Any more ideas?

Regards
Tom
Hi Tom,

try:

netstat -anpvee | less

you should see which program opened socket - from and to external address.

Ivan

-----Original Message-----
From: Tom Henderson [mailto:2005slm@gmx.net]
Sent: Tuesday, August 02, 2005 6:43 PM
To: suse-linux-e@suse.com
Subject: RE: [SLE] unknown connect from my linux to my linux on port 443

Hi Randall, Hi All

> On Tuesday 02 August 2005 07:25, Tom Henderson wrote:
>> Hi Everybody,
>>
>> I've noticed some strange connections on my SuSE Linux 9.0 Professional and hope that someone can give me some advice what that is about.
>>
>> ...
>>
>> And to answer the question what listens on my port 443, it is an apache2 2.0.53, BUT what I want to know is what kind of process continues to access my apache from the local host via the interface "lo".
>
> Simple. It's HTTP over SSL.
>
> (From <http://www.iana.org/assignments/port-numbers>):
>
> # Bill Davidson <billd@equalizer.cray.com>
> https 443/tcp http protocol over TLS/SSL
> https 443/udp http protocol over TLS/SSL

I know what kind of service listens on port 443. My problem is that there is a connection from my Linux to my Linux port 443 (interface "lo", but not from 127.0.0.1 to 127.0.0.1 but from 111.222.333.444 (official external IP) to 111.222.333.444) ALTHOUGH I'm not using any kind of software to browse my own server from my own server.

I don't know how to say it exactly in English: it is not a workstation that all this happens on, but a server without X or something like that.

I want to know which software initiates these connects, because I'm not issuing them; it also happens when nobody is logged in. It is definitely not a Konqueror session via X or something like that ...

I thought of a service check script within webmin or something like that, but although I stopped webmin these connections are still there.

Any more ideas?

Regards
Tom
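Added example, not part of the thread: the netstat check suggested above, scripted. It filters `netstat -anpe` output for TCP sockets whose local and foreign IP are identical and reports whether the owning process is also the listener on the destination port; the function names, the verdict labels and the constructed sample lines are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread. Expects `netstat -anpe` columns:
#   proto recv-q send-q local foreign state user inode pid/program
# Run netstat as root, otherwise other users' sockets show "-" as owner.

self_connects() {
    awk '
    function host(a) { sub(/:[^:]*$/, "", a); return a }   # drop ":port"
    function port(a) { sub(/^.*:/, "", a); return a }      # keep port only
    $1 ~ /^tcp/ && $6 == "LISTEN" { listener[$4] = $9; next }
    # A socket whose local and foreign IP are identical is the host
    # talking to itself, whatever interface the packet leaves on.
    $1 ~ /^tcp/ && host($4) == host($5) {
        n++; src[n] = $4; dst[n] = $5; st[n] = $6; own[n] = $9
    }
    END {
        for (i = 1; i <= n; i++) {
            l = listener[dst[i]]                                  # exact bind
            if (l == "") l = listener["0.0.0.0:" port(dst[i])]    # IPv4 wildcard
            if (l == "") l = listener[":::" port(dst[i])]         # IPv6 wildcard
            if (l == "")          verdict = "no-listener"
            else if (l == own[i]) verdict = "same-process"
            else                  verdict = "other-process"
            if (l == "") l = "none"
            print src[i], "->", dst[i], st[i], "client=" own[i], "listener=" l, verdict
        }
    }'
}

# The first two data lines are the ones quoted in the thread; the header,
# sshd and remote-client lines are constructed for this example.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 111.222.333.444:443 0.0.0.0:* LISTEN 0 7423195 28396/httpd2-prefor
tcp 0 1 111.222.333.444:42692 111.222.333.444:443 SYN_SENT 0 8701223 28396/httpd2-prefor
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 5121 1200/sshd
tcp 0 0 111.222.333.444:443 198.51.100.7:51515 ESTABLISHED 30 8701300 28401/httpd2-prefor
EOF
}

sample_netstat | self_connects
# Live use: netstat -anpe | self_connects
```

On the two lines quoted in the first message, the SYN_SENT socket and the port 443 listener carry the same owner, 28396/httpd2-prefor.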
participants (3)
- Ivan Mojzis
- Randall R Schulz
- Tom Henderson