[squid-users] Inspite squid in front of apache : direct connection from foreign IP address ? how to deny this ?

2008-03-27 Thread kk CHN
People: in my server box, I am using squid as an http accelerator;
the setup is as follows.

Flow of requests from users should be like this:

squid listens on public ip port:80   --->apache(127.0.0.1:80) ---
RewriteRule for apache to--->zope:8080/plonesite

Important NOTE: for the last couple of days I am experiencing
that my plone site on zope:8080 becomes not accessible 5/6
hours after I restart the services.

When I run the command # ` sockstat -4p 80 `
here I can see a specific IP address (164.115.5.2) connecting
directly and using python2.4, as pasted below.

(My question is, is it normal that this foreign ip address is connecting to
my public ip and executing python2.4? Can I suspect this foreign IP
address as an attacker?)

Many of you may be aware of what this is; let me request you to share
your information with me.

Thanks in advance
KK


$ sockstat -4p 80
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS                        FOREIGN ADDRESS
www      httpd      73932 3  tcp4   127.0.0.1:80                         *:*
www      python2.4  44496 20 tcp4   my_Serverbox_public_IPAddress:65287  164.115.5.2:80
www      python2.4  44496 30 tcp4   my_Serverbox_public_IPAddress:64313  164.115.5.2:80
www      httpd      849   3  tcp4   127.0.0.1:80                         *:*
squid    squid      603   9  tcp4   my_box_public_IPAddress:80           203.194.194.254:43451
squid    squid      603   11 tcp4   my_Serverbox_public_IPAddress:80     *:*
squid    squid      603   13 tcp4   127.0.0.1:55663                      127.0.0.1:80
www      httpd      516   3  tcp4   127.0.0.1:80                         *:*
www      httpd      515   3  tcp4   127.0.0.1:80                         *:*
www      httpd      514   3  tcp4   127.0.0.1:80                         *:*
www      httpd      514   18 tcp4   127.0.0.1:80                         127.0.0.1:55663
root     httpd      502   3  tcp4   127.0.0.1:80                         *:*
$ su


Re: [squid-users] Inspite squid in front of apache : direct connection from foreign IP address ? how to deny this ?

2008-03-27 Thread Ric


On Mar 27, 2008, at 9:57 PM, kk CHN wrote:

> People: in my server box, I am using squid as an http accelerator;
> the setup is as follows.
>
> Flow of requests from users should be like this:
>
> squid listens on public ip port:80   --->apache(127.0.0.1:80) ---
> RewriteRule for apache to--->zope:8080/plonesite
>
> Important NOTE: for the last couple of days I am experiencing
> that my plone site on zope:8080 becomes not accessible 5/6
> hours after I restart the services.
>
> When I run the command # ` sockstat -4p 80 `
> here I can see a specific IP address (164.115.5.2) connecting
> directly and using python2.4, as pasted below.

Umm... Zope is a python process.  Are you perchance connecting to the
Zope server directly yourself?


Ric




Re: [squid-users] Inspite squid in front of apache : direct connection from foreign IP address ? how to deny this ?

2008-03-27 Thread kk CHN
On 3/28/08, Ric <[EMAIL PROTECTED]> wrote:
>
>  On Mar 27, 2008, at 9:57 PM, kk CHN wrote:
>
>  > People:  in my server box , I am using squid as http accelerator
>  > ;setup is as follows
>  >
>  > Flow of requests from users should be like this
>  >
>  > squid listens on public ip port:80   --->apache(127.0.0.1:80) ---
>  > RewriteRule for apache to--->zope:8080/plonesite
>  >
>  >
>  >
>  > Important NOTE: for the last couple of days I am experiencing
>  > that my plone site on zope:8080 becomes not accessible 5/6
>  > hours after I restart the services.
>  >
>  > When I run the command # ` sockstat -4p 80 `
>  > here I can see a specific IP address (164.115.5.2) connecting
>  > directly and using python2.4, as pasted below.
>
>
>
> Umm... Zope is a python process.  Are you perchance connecting to the
>  Zope server directly yourself?

Yes I do, from my lan machine, by ssh tunnel; but this IP address
"164.115.5.2" is in no way related to ours.

I know that a couple of members other than me have admin privileged
accounts in the Zope server; but last week I changed all their account
passwords to make sure only I, as the admin, can check how the site
goes down a few hours after a service restart.

Any more info...?


Re: [squid-users] Inspite squid in front of apache : direct connection from foreign IP address ? how to deny this ?

2008-03-27 Thread Ric


On Mar 27, 2008, at 11:37 PM, kk CHN wrote:

> On 3/28/08, Ric <[EMAIL PROTECTED]> wrote:
>
>> On Mar 27, 2008, at 9:57 PM, kk CHN wrote:
>>
>>> People: in my server box, I am using squid as an http accelerator;
>>> the setup is as follows.
>>>
>>> Flow of requests from users should be like this:
>>>
>>> squid listens on public ip port:80   --->apache(127.0.0.1:80) ---
>>> RewriteRule for apache to--->zope:8080/plonesite
>>>
>>> Important NOTE: for the last couple of days I am experiencing
>>> that my plone site on zope:8080 becomes not accessible 5/6
>>> hours after I restart the services.
>>>
>>> When I run the command # ` sockstat -4p 80 `
>>> here I can see a specific IP address (164.115.5.2) connecting
>>> directly and using python2.4, as pasted below.
>>
>> Umm... Zope is a python process.  Are you perchance connecting to the
>> Zope server directly yourself?
>
> Yes I do, from my lan machine, by ssh tunnel; but this IP address
> "164.115.5.2" is in no way related to ours.
>
> I know that a couple of members other than me have admin privileged
> accounts in the Zope server; but last week I changed all their account
> passwords to make sure only I, as the admin, can check how the site
> goes down a few hours after a service restart.
>
> Any more info...?

What then is on ports 65287 and 64313 on your server?

Ric




Re: [squid-users] Inspite squid in front of apache : direct connection from foreign IP address ? how to deny this ?

2008-03-28 Thread kk CHN
On 3/28/08, Ric <[EMAIL PROTECTED]> wrote:
>
>  On Mar 27, 2008, at 11:37 PM, kk CHN wrote:
>
>  > On 3/28/08, Ric <[EMAIL PROTECTED]> wrote:
>  >>
>  >> On Mar 27, 2008, at 9:57 PM, kk CHN wrote:
>  >>
>  >>> People:  in my server box , I am using squid as http accelerator
>  >>> ;setup is as follows
>  >>>
>  >>> Flow of requests from users should be like this
>  >>>
>  >>> squid listens on public ip port:80   --->apache(127.0.0.1:80) ---
>  >>> RewriteRule for apache to--->zope:8080/plonesite
>  >>>
>  >>>
>  >>>
>  >>> Important NOTE: for the last couple of days I am experiencing
>  >>> that my plone site on zope:8080 becomes not accessible 5/6
>  >>> hours after I restart the services.
>  >>>
>  >>> When I run the command # ` sockstat -4p 80 `
>  >>> here I can see a specific IP address (164.115.5.2) connecting
>  >>> directly and using python2.4, as pasted below.
>  >>
>  >>
>  >>
>  >> Umm... Zope is a python process.  Are you perchance connecting to the
>  >> Zope server directly yourself?
>  >
>  > Yes I do, from my lan machine, by ssh tunnel; but this IP address
>  > "164.115.5.2" is in no way related to ours.
>  >
>  > I know that a couple of members other than me have admin privileged
>  > accounts in the Zope server; but last week I changed all their account
>  > passwords to make sure only I, as the admin, can check how the site
>  > goes down a few hours after a service restart.
>  >
>  > Any more info...?
>
>
>
>
> What then is on ports 65287 and 64313 on your server?

www  python2.4  44496 20 tcp4   my_Serverbox_public_IPAddress:65287  164.115.5.2:80

Here the pid 44496 I grepped:

$ ps -aux|grep 44496
www 44496  0.0 21.3 445368 442940  ??  S    Thu11AM 203:49.39
/usr/local/bin/python2.4 /usr/local/www/Zope28/lib/python/Zope

It's connecting to the zope process. So it means something is going
wrong with my machine? That foreign ip has access through some holes
of my plone/zope application, right?


Re: [squid-users] Inspite squid in front of apache : direct connection from foreign IP address ? how to deny this ?

2008-03-28 Thread Ric


On Mar 28, 2008, at 12:35 AM, kk CHN wrote:

> On 3/28/08, Ric <[EMAIL PROTECTED]> wrote:
>
>> What then is on ports 65287 and 64313 on your server?
>
> www  python2.4  44496 20 tcp4   my_Serverbox_public_IPAddress:65287  164.115.5.2:80
>
> Here the pid 44496 I grepped:
>
> $ ps -aux|grep 44496
> www 44496  0.0 21.3 445368 442940  ??  S    Thu11AM 203:49.39
> /usr/local/bin/python2.4 /usr/local/www/Zope28/lib/python/Zope
>
> It's connecting to the zope process. So it means something is going
> wrong with my machine? That foreign ip has access through some holes
> of my plone/zope application, right?

Someone connecting to the Zope server doesn't necessarily mean there
is a "hole".  Why don't you take a look at your Zope logs and see what
that IP is doing.

In any case, closing off ports to outside access is trivial.  Either
throw up a firewall or configure Zope to bind only to 127.0.0.1.


Ric
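The second of Ric's two options, shown as an added illustration rather than anything posted in the thread: a zope.conf fragment that binds the Zope HTTP server to the loopback address only, so port 8080 is reachable solely through squid and apache on the same host (or through an ssh tunnel that terminates on the box). It assumes the Zope 2.8-era zope.conf layout with the global `ip-address` directive and an `<http-server>` section; the exposed "before" form is given as a comment for contrast.

```text
# zope.conf (Zope 2.8 layout assumed; illustrative fragment, not the
# original poster's configuration)

# Before: with no ip-address directive, every server Zope starts
# listens on all interfaces, so :8080 is reachable from outside.
#
#   <http-server>
#     address 8080
#   </http-server>

# After: bind every Zope server to the loopback interface only.
# Public requests now have to arrive through squid -> apache on this
# host, which is the path the poster intended.
ip-address 127.0.0.1

<http-server>
  address 8080
</http-server>
```

After restarting the instance, `sockstat -4p 8080` should show the python2.4 process listening on 127.0.0.1:8080 rather than on the public address; if a firewall is used instead, the same check confirms that the listener is still bound to all interfaces and relies entirely on the filter.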




Re: [squid-users] Inspite squid in front of apache : direct connection from foreign IP address ? how to deny this ?

2008-03-28 Thread kk CHN
On 3/28/08, Ric <[EMAIL PROTECTED]> wrote:
>
>  On Mar 28, 2008, at 12:35 AM, kk CHN wrote:
>
>  > On 3/28/08, Ric <[EMAIL PROTECTED]> wrote:
>
> >> What then is on ports 65287 and 64313 on your server?
>  >
>  > www  python2.4  44496 20 tcp4   my_Serverbox_public_IPAddress:65287  164.115.5.2:80
>  >
>  > Here the pid 44496 I grepped:
>  >
>  > $ ps -aux|grep 44496
>  > www 44496  0.0 21.3 445368 442940  ??  S    Thu11AM 203:49.39
>  > /usr/local/bin/python2.4 /usr/local/www/Zope28/lib/python/Zope
>  >
>  > It's connecting to the zope process. So it means something is going
>  > wrong with my machine? That foreign ip has access through some holes
>  > of my plone/zope application, right?
>
>
>
> Someone connecting to the Zope server doesn't necessarily mean there
>  is a "hole".  Why don't you take a look at your Zope logs and see what
>  that IP is doing.
>
>  In any case, closing off ports to outside access is trivial.  Either
>  throw up a firewall or configure Zope to bind only to 127.0.0.1.
>
I added an ipfw rule like this:

ipfw add deny tcp from 164.115.5.0/24 to me in my ipfw_firewall script
and restarted the firewall service, but still the same ip is able to
make a connection, as follows. Why does this happen?

storm# sockstat -4p 80
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS        FOREIGN ADDRESS
www      python2.4  79874 11 tcp4   my_ipaddress:57060   164.115.5.2:80
www      python2.4  79874 17 tcp4   my_ipaddress:64305   164.115.5.2:80
www      httpd      73932 3  tcp4   127.0.0.1:80         *:*
www      httpd      849   3  tcp4   127.0.0.1:80         *:*


Re: [squid-users] Inspite squid in front of apache : direct connection from foreign IP address ? how to deny this ?

2008-03-28 Thread Amos Jeffries

kk CHN wrote:
> On 3/28/08, Ric <[EMAIL PROTECTED]> wrote:
>>
>> On Mar 28, 2008, at 12:35 AM, kk CHN wrote:
>>
>>> On 3/28/08, Ric <[EMAIL PROTECTED]> wrote:
>>>
>>>> What then is on ports 65287 and 64313 on your server?
>>>
>>> www  python2.4  44496 20 tcp4   my_Serverbox_public_IPAddress:65287  164.115.5.2:80
>>>
>>> Here the pid 44496 I grepped:
>>>
>>> $ ps -aux|grep 44496
>>> www 44496  0.0 21.3 445368 442940  ??  S    Thu11AM 203:49.39
>>> /usr/local/bin/python2.4 /usr/local/www/Zope28/lib/python/Zope
>>>
>>> It's connecting to the zope process. So it means something is going
>>> wrong with my machine? That foreign ip has access through some holes
>>> of my plone/zope application, right?
>>
>> Someone connecting to the Zope server doesn't necessarily mean there
>> is a "hole".  Why don't you take a look at your Zope logs and see what
>> that IP is doing.
>>
>> In any case, closing off ports to outside access is trivial.  Either
>> throw up a firewall or configure Zope to bind only to 127.0.0.1.
>
> I added an ipfw rule like this:
>
> ipfw add deny tcp from 164.115.5.0/24 to me in my ipfw_firewall script
> and restarted the firewall service, but still the same ip is able to
> make a connection, as follows. Why does this happen?
>
> storm# sockstat -4p 80
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS        FOREIGN ADDRESS
> www      python2.4  79874 11 tcp4   my_ipaddress:57060   164.115.5.2:80
> www      python2.4  79874 17 tcp4   my_ipaddress:64305   164.115.5.2:80
> www      httpd      73932 3  tcp4   127.0.0.1:80         *:*
> www      httpd      849   3  tcp4   127.0.0.1:80         *:*

It's not an external connection inbound.

It's Zope connecting outwards.

Zope is loading a file from external websites for some reason.


Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.


Re: [squid-users] Inspite squid in front of apache : direct connection from foreign IP address ? how to deny this ?

2008-03-28 Thread Henrik Nordstrom
On Fri, 2008-03-28 at 10:27 +0530, kk CHN wrote:

> $ sockstat -4p 80
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS                        FOREIGN ADDRESS
> www      httpd      73932 3  tcp4   127.0.0.1:80                         *:*
> www      python2.4  44496 20 tcp4   my_Serverbox_public_IPAddress:65287  164.115.5.2:80

This is some python program requesting http content FROM 164.115.5.2:80.
Could be a dynamic include in your website, or could be something very
wrong.

164.115.5.2 advertises itself as linux.thai.net if that makes any sense
to you..

Regards
Henrik
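Amos and Henrik both read the direction of the connection off the sockstat table: the python2.4 process holds a high, ephemeral local port and the foreign end is :80, so it is the server fetching something from 164.115.5.2, not 164.115.5.2 connecting in. The following is an added example, written for this page and not taken from the thread or from any of the tools involved, that applies the same reading mechanically to `sockstat -4p 80` output. The sample rows are constructed after the ones quoted above, with the placeholder PUBLIC_IP standing in for the server's own address; the helper names (`parse_sockstat`, `outbound_peers`) are this example's own.

```python
"""Classify rows of FreeBSD `sockstat -4p 80` output by connection direction.

Added example, not code from the squid-users thread. For each TCP socket it
decides whether the row is a listener, an inbound client connection, a
loopback hop (squid -> apache) or an outbound connection our own process
opened, which is the distinction Amos and Henrik draw above.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the thread's output; PUBLIC_IP is a
# placeholder for the server's public address.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      73932 3  tcp4   127.0.0.1:80          *:*
www      python2.4  44496 20 tcp4   PUBLIC_IP:65287       164.115.5.2:80
squid    squid      603   9  tcp4   PUBLIC_IP:80          203.194.194.254:43451
squid    squid      603   11 tcp4   PUBLIC_IP:80          *:*
squid    squid      603   13 tcp4   127.0.0.1:55663       127.0.0.1:80
www      httpd      514   18 tcp4   127.0.0.1:80          127.0.0.1:55663
"""

SERVICE_PORT = 80  # the port the thread asked sockstat about with -p 80


@dataclass
class Socket:
    user: str
    command: str
    pid: int
    local_host: str
    local_port: Optional[int]    # None when sockstat prints '*'
    foreign_host: str
    foreign_port: Optional[int]

    @property
    def direction(self) -> str:
        """Judge direction by which end holds the well-known port.

        A heuristic, not ground truth: it is decisive for the :80 versus
        ephemeral-port case in the thread, but two service ports facing
        each other would come back as 'unknown'.
        """
        if self.foreign_host == "*":
            return "listening"
        if self.local_host.startswith("127.") and self.foreign_host.startswith("127."):
            return "local"
        if self.local_port == SERVICE_PORT and self.foreign_port != SERVICE_PORT:
            return "inbound"
        if self.foreign_port == SERVICE_PORT and self.local_port != SERVICE_PORT:
            return "outbound"
        return "unknown"


def split_endpoint(text: str) -> Tuple[str, Optional[int]]:
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '*:*' -> ('*', None)."""
    host, _, port = text.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_sockstat(output: str) -> List[Socket]:
    """Parse the whitespace-separated sockstat table, skipping the header."""
    sockets: List[Socket] = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or truncated row
        user, command, pid, _fd, proto, local, foreign = fields[:7]
        if not proto.startswith("tcp"):
            continue  # UDP rows carry no connection direction worth judging
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        sockets.append(Socket(user, command, int(pid), lhost, lport, fhost, fport))
    return sockets


def outbound_peers(output: str) -> Dict[Tuple[str, int], List[str]]:
    """Map (command, pid) -> foreign hosts that process itself connected to."""
    peers: Dict[Tuple[str, int], List[str]] = {}
    for sock in parse_sockstat(output):
        if sock.direction == "outbound":
            peers.setdefault((sock.command, sock.pid), []).append(sock.foreign_host)
    return peers


if __name__ == "__main__":
    for sock in parse_sockstat(SAMPLE):
        print(f"{sock.command:<10} {sock.pid:<6} {sock.direction:<9} "
              f"{sock.local_host}:{sock.local_port} -> {sock.foreign_host}:{sock.foreign_port}")
    print(outbound_peers(SAMPLE))
```

Run against the sample, the python2.4 row is the only one classified as outbound, and `outbound_peers` attributes it to pid 44496, the Zope process kk identified with `ps`. The next step a responder would take is the one Ric and Henrik suggest: look in the Zope logs and the site's content for whatever is fetching from that host, rather than treating the host as an intruder.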