Linux – netstat on unix server shows strange connections

linuxnetstatunix

netstat is showing a lot of unknown connections from different strange places. are they just attempt to establish connection? or is my server compromised? I've removed my local addresses from the log below:

      STREAM     CONNECTED     8353   P8352
[root@ns512646 ~]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      
tcp        0      0             s1.securityresearch.3:60000 ESTABLISHED 
tcp        0      0          hn.kd.ny.adsl:17353         ESTABLISHED 
tcp        0      0           s4.securityresearch.3:60000 ESTABLISHED 
tcp        0      0          s3.securityresearch.3:60000 ESTABLISHED 
tcp        0      0           hn.kd.ny.adsl:28534         ESTABLISHED 
tcp        0      0          s4.securityresearch.3:60000 ESTABLISHED

Best Answer

If you type netstat -na it will give you more details, you have server and you are not aware of what is connected to it.

Also, this is very basic request, referring to man netstat would have spared you to fire such request.

Related Solutions

Linux port not accessible from remote machine

My guess is it's a firewall issue. To diagnose, either switch to root or use sudo to execute these commands described below:

Firstly, service iptables status will show you your current rules. Depending on how esoteric your firewall rules are, you may need to add them into the main question to debug but essentially you're looking for a line that accepts TCP port 8800 prior to a line that rejects all connections.

e.g.

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source       destination
...
14   ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0      state NEW tcp dpt:8800
15   REJECT     all  --  0.0.0.0/0    0.0.0.0/0      reject-with icmp-host-prohibited

If you don't have a REJECT line on your input chain, then the firewall is probably already turned off.

One way to get around this is obviously to turn off the firewall (service iptables stop) although this defeats the entire purpose of having a firewall.

If you need to add a new firewall rule, you have a couple of options:

Use the excellent Firewall Configuration tool (system-config-firewall) that ships with Fedora and can be found at the System->Administration->Firewall menu item in Gnome.
On the command line, insert a new rule before the REJECT rule by executing the following (uses numbers from my example above): iptables -I INPUT 15 -m state --state NEW -m tcp -p tcp --dport 8800 -j ACCEPT. NOTE that these changes are not permanent and will not persist beyond the next reboot.
Manually edit the /etc/sysconfig/iptables file and add a rule (-A INPUT -m state --state NEW -m tcp -p tcp --dport 8800 -j ACCEPT) to the firewall prior to the REJECT rule. Cycle the firewall service to pick up the changes via a service iptables restart. These changes will be applied every time the firewall service is started.

Netstat reports PID that doesn’t exist – wtf and how to close it

Try netstat with the -b option as well as the -a and -o options to show the executables involved. That may help you track down the culprit.

Best Answer

Related Solutions

Linux port not accessible from remote machine

Netstat reports PID that doesn’t exist – wtf and how to close it

Related Topic