Is it normal to have many connections from my own server IP when I run the netstat command

netstat

I would like to know if it is normal to have many connections from my own server IP when I run:

netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head

The command explanation can be found here: http://www.mkyong.com/linux/list-all-ip-addresses-connected-to-your-server/ (I posted the link where I found the command after googling for a while before I asked here, and there is a lot of explanation on that blog of what the command actually does. But somehow I lack experience and need more info regarding this question. I kindly ask for your help and patience with me).

I got this:

223 MY OWN SERVER IP
  6 36.83.145.0
  6 141.0.11.183
  6 118.96.107.46
  5 114.121.128.224
  4 139.194.112.178
  4 125.162.210.152
  3 114.121.130.92
  2 82.145.211.30
  1 95.128.246.45

I thank you for your time to look and respond. Please, if you do not want to help me, kindly ignore this question; that would be more meaningful to me than giving unhelpful comments and then making your own assumptions, because it will lead to "mind-building" where others might think that I don't understand at all or have not googled around. Thanks a lot for your kindness!

Best Answer

As already stated by Tero Kilkanen in his comment: "...It completely depends on the applications you are running on your server...".

Based on your question, I assume that it's not easy for you to get an overall picture of your system so as to decide whether your 223 connections are "normal" or not.

In order to help you decide this, you need to understand exactly what that 223 (I mean the number; the very number you're basing your whole question on) is telling you.

What you've executed (...and cut-and-pasted into your question) is a chain of 8 commands, where the output of the n-th command is given as input to the (n+1)-th, the only exceptions being the first (which gets no input from anywhere) and the last (whose output is shown to you).

Let's check those commands one by one:

  • netstat -tn 2>/dev/null: this gets the TCP connections currently registered within your system. Please note that:
    • every TCP connection will be matched, regardless of its state. This means that the output will contain, as an example, ESTABLISHED connections (hence real, active connections) as well as TIME_WAIT ones. In other words: not only real, established connections will be shown. Discussing this in detail goes far beyond the scope of this answer. Please document yourself to a reasonable minimum before asking for details;
  • grep :80: this parses every single line coming from the previous output and keeps only rows containing the text ":80". What this normally means is that only connections related to HTTP are selected. Please note that:
    • with such a "grep", no distinction is made regarding the TCP source or destination port. This means that the lines filtered will relate to both incoming TCP/80 connections (the ones generally managed by your local web server) and outgoing TCP/80 connections (the ones where your system is an HTTP client, for example when upgrading some packages/OS or when accessing some on-line services, RSS feeds, etc.);
  • awk '{print $5}': based on the lines filtered above, this selects the fifth column. That column contains the DESTINATION IP address as well as the DESTINATION TCP port, in a form like 1.2.3.4:5678. Please note that, based on what is stated above, the destination TCP port will not necessarily be 80;

  • cut -d: -f1: this splits the above pair (on the :) and extracts the first part (the IP address);

  • sort: this takes the output of the above command and produces a lexicographically ordered output;

  • uniq -c: this groups the incoming lines (which are ordered) and counts the number of occurrences of each group, prepending that number (the count) to the value of each group;

  • sort -nr: this orders the lines numerically, based on the number that is supposed to be at the very beginning of each line. Also, the order is reversed (so from the highest to the lowest);

  • head: this shows (in output) only the first 10 rows of the input.

With all the above, it should be clear that: "when you launched the above commands, in your TCP stack there were 223 sockets, in various states, including the ESTABLISHED state, referring to both incoming and outgoing TCP connections with source port 80 or destination port 80."

Whether this is normal or not.... "...completely depends on the applications you are running on your server...".

As final notes:

  • please note that, given the current trend regarding AJAX/asynchronous HTTP requests, it's perfectly common for a single web page to open --and keep open-- several concurrent TCP connections to the same target IP;

  • a single outgoing (or incoming) DoS attack can produce a very high number of IP (including TCP or UDP) sockets.


P.S.: in one of your comments you wrote: "Let me know if I am asking this answer in the wrong place then fine, I am sorry". I really think that the place is right. But, as well, I think that you're mastering the TCP/IP stack and general network and system administration at such a level that... I'm probably wasting my time writing this very answer :-)

Hope you'll appreciate this (...and start spending more time studying than asking this kind of question on ServerFault)
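The points made in the answer above (any TCP state is counted, incoming and outgoing port-80 sockets are mixed, and the foreign-address column is what gets counted) are easier to see on a fixed input. The script below is an added example written for this page; it is not the questioner's or the answerer's code. It feeds a constructed `netstat -tn` sample (documentation addresses, with 203.0.113.10 standing in for "MY OWN SERVER IP") through the original pipeline, and next to it a stricter variant that matches port 80 exactly, separates sockets whose local port is 80 from sockets whose foreign port is 80, and can limit the count to one state. The sample also shows two things the pipeline hides: `grep :80` matches `:8080` as well, and a connection the server makes to its own address shows up twice (once for the client socket, once for the server socket), with the server's own IP in the foreign column both times.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Constructed `netstat -tn` sample (not a real capture); 203.0.113.10 is "our" server.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      TIME_WAIT
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      TIME_WAIT
tcp        0      0 203.0.113.10:80         203.0.113.10:45120      ESTABLISHED
tcp        0      0 203.0.113.10:45120      203.0.113.10:80         ESTABLISHED
tcp        0      0 203.0.113.10:80         203.0.113.10:45121      TIME_WAIT
tcp        0      0 203.0.113.10:52000      192.0.2.50:80           ESTABLISHED
tcp        0      0 203.0.113.10:8080       198.51.100.9:40000      ESTABLISHED
tcp        0      0 203.0.113.10:22         198.51.100.9:40001      ESTABLISHED'

# The pipeline from the question, reading netstat output on stdin.
# grep :80 is a substring match: it also hits :8080, :800, ... and every state.
original_pipeline() {
    grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
}

# Stricter version.
#   $1 = "in"  -> local port is exactly 80  (clients of our web server)
#   $1 = "out" -> foreign port is exactly 80 (this host acting as HTTP client)
#   $2 = TCP state to keep, e.g. ESTABLISHED; empty means any state
# Output is "count peer-ip", most frequent first, like the original.
count_peers() {
    awk -v dir="$1" -v state="$2" '
        $1 != "tcp" && $1 != "tcp6" { next }             # skip the two header lines
        state != "" && $6 != state { next }              # optional state filter
        {
            nl = split($4, l, ":"); nf = split($5, f, ":")  # last field is the port
            if (dir == "in"  && l[nl] == "80") print $5
            if (dir == "out" && f[nf] == "80") print $5
        }' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -nr
}

# Helpers returning the count for one peer IP (0 if absent), so the two
# pipelines can be compared on the same sample.
naive_count() {   # naive_count <ip>
    printf '%s\n' "$SAMPLE_NETSTAT" | original_pipeline |
        awk -v ip="$1" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}
peer_count() {    # peer_count <ip> <in|out> [state]
    printf '%s\n' "$SAMPLE_NETSTAT" | count_peers "$2" "$3" |
        awk -v ip="$1" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}

echo "== original pipeline: any line containing :80, any state, any direction =="
printf '%s\n' "$SAMPLE_NETSTAT" | original_pipeline
echo "== incoming to local port 80, ESTABLISHED only =="
printf '%s\n' "$SAMPLE_NETSTAT" | count_peers in ESTABLISHED
echo "== outgoing to a remote port 80, any state =="
printf '%s\n' "$SAMPLE_NETSTAT" | count_peers out
```

On the sample, the original pipeline reports 3 sockets for the server's own IP, although only one of them is an established connection to the local web server (the other two are the client end of that same self-connection and a TIME_WAIT leftover), and it credits 198.51.100.9 with a port-80 connection that is really on port 8080. To run the strict version against a live host, replace the `printf` with `netstat -tn 2>/dev/null` (or `ss -tn`, which replaces the deprecated net-tools netstat and can filter in one step, e.g. `ss -tn state established '( sport = :80 )'`). When the foreign column is dominated by the server's own address, `netstat -tnp` or `ss -tnp` as root shows which local process owns the client sockets, which is usually the answer to "is this normal": a reverse proxy, application backend or monitoring agent talking to its own web server will look exactly like this.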