
I've seen a lot of questions with people concerned about lots of TIME_WAITs in netstat. I'm having a similar problem but all the TIME_WAITs are coming from the same IP address. I get over 200 of the following line:

tcp6 0 0 myip:80 otherip:##### TIME_WAIT

Is getting 200+ of these, all with the same IP for otherip, a bad sign of something? I have multiple sites running, but with low traffic. With all the sites combined, I get under 200 visits a day registered through Google Analytics. I'm using Apache as a server. I've had this problem at other times as well, originating from different IP addresses. When this happens, I check netstat in response to monitoring checks that I have set up with Rackspace. These usually include warnings or critical errors for server load and memory, and sometimes for long response times from my server.

There have also been several times where MySQL would stop working when this happens. I have 1 GB of RAM plus 1 GB of swap space.

Edit: I did a bit more searching and looked through my Apache log files. I'm pretty worried now because there were tons of POST accesses to wp-login.php for WordPress (almost 4000 of them), so I'm guessing someone's trying to hack a password. Apart from changing the password, is there anything else I can do about this?

user213510
  • This sounds like either a slowloris attack, or you've got random bots probing your machine for security issues. – devicenull Mar 24 '14 at 00:40
  • Eventually my MySQL databases got screwed up. I added security measures, now other parts (outside of the Wordpress sites) are being attacked. Fortunately I stopped the most recent attack, although that attack is still in progress (just not causing damage anymore). I'm guessing they're just doing it for fun, I don't really have anything of use on my sites. I'm expecting a new attack tomorrow. At least I'm learning a lot from it, especially about setting up secure websites. – user213510 Mar 25 '14 at 01:25
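The wp-login.php POST flood mentioned in the edit is easy to quantify from the same Apache log. The following is an added example, not part of the original question or its answers; it assumes the standard Apache combined log format (client IP in the first field, request line in quotes) and uses constructed log lines with documentation-range IPs rather than anything from the poster's server.

```shell
#!/bin/sh
# Added example: tally POST requests to wp-login.php per client IP from
# Apache combined-format access log lines. Not code from the original post.

# Constructed sample log lines (hypothetical documentation-range IPs).
SAMPLE_LOG='203.0.113.7 - - [24/Mar/2014:00:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2014:00:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2014:00:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Mar/2014:00:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3871 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Mar/2014:00:02:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [24/Mar/2014:00:03:00 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "curl/7.35"'

# wp_login_posts: reads access-log lines on stdin and prints "count ip",
# highest count first, for POST requests whose path is /wp-login.php
# (an optional query string is ignored). In the combined format the
# method is field 6 (with its leading quote) and the path is field 7.
wp_login_posts() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php(\?|$)/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# brute_force_ips THRESHOLD: prints only the IPs with more than
# THRESHOLD POSTs to wp-login.php, i.e. candidates for a block rule.
brute_force_ips() {
    wp_login_posts | awk -v t="$1" '$1 > t { print $2 }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | wp_login_posts
printf '%s\n' "$SAMPLE_LOG" | brute_force_ips 2
```

On a real server run `wp_login_posts < /var/log/apache2/access.log` (the log path is an assumption; the poster does not say where theirs is). Counting per IP gives the concrete threshold needed for a fail2ban jail or a firewall rule on the offending address, which is the usual follow-up to password guessing against wp-login.php beyond changing the password.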

1 Answer


First of all, I just want to clarify that TIME_WAIT has nothing to do with the OS side; it's the responsibility of the application to close these sockets.

Generally, sockets enter these kinds of states when they have not received data for a set period of time, and the OS simply can't kill these kinds of connections without the application's permission, so the socket is kept open waiting for a timeout or a response from the foreign host. In your case, i.e. Apache, this generally happens when a client asks for data and never completely closes the socket.

So to further debug this issue,run

netstat -antulp|grep -i time_wait

Check the PID of the application that has not closed the socket.

Prashant Lakhera
  • No, this is not correct. That's not what TIME_WAIT means, see http://superuser.com/questions/173535/what-are-close-wait-and-time-wait-states – devicenull Mar 24 '14 at 04:09
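Counting TIME_WAIT entries per peer, as an added example that is not part of the original answer. TIME_WAIT sockets are held by the kernel after the local side has sent its FIN, so on Linux `netstat -p` prints `-` in the PID column for them and there is no owning process to chase; what the grep in the answer can usefully show is how many recently closed connections each remote host accounts for. The netstat output below is constructed with documentation-range addresses and is not from the poster's system.

```shell
#!/bin/sh
# Added example: summarise TIME_WAIT sockets per foreign address from
# netstat output. Not code from the original answer.

# Constructed `netstat -antp` output (hypothetical addresses). Note that the
# TIME_WAIT rows carry "-" in the PID/Program column: no process owns them.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1021/apache2
tcp6       0      0 198.51.100.10:80        203.0.113.7:51234       TIME_WAIT   -
tcp6       0      0 198.51.100.10:80        203.0.113.7:51235       TIME_WAIT   -
tcp6       0      0 198.51.100.10:80        203.0.113.7:51236       TIME_WAIT   -
tcp6       0      0 198.51.100.10:80        192.0.2.9:40001         TIME_WAIT   -
tcp6       0      0 198.51.100.10:80        192.0.2.9:40002         ESTABLISHED 1023/apache2'

# time_wait_by_peer: reads netstat output on stdin and prints "count peer",
# highest first, for sockets in TIME_WAIT. The port is stripped from the
# foreign address (field 5) by removing the last ":<port>" component, which
# also works for IPv4-mapped IPv6 addresses such as ::ffff:203.0.113.7:51234.
time_wait_by_peer() {
    awk '$6 == "TIME_WAIT" { peer = $5; sub(/:[^:]*$/, "", peer); n[peer]++ }
         END { for (p in n) print n[p], p }' | sort -rn
}

# time_wait_pid_column: prints the distinct PID/Program values (field 7)
# seen on TIME_WAIT rows. On Linux this is only ever "-".
time_wait_pid_column() {
    awk '$6 == "TIME_WAIT" { print $7 }' | sort -u
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | time_wait_by_peer
printf '%s\n' "$SAMPLE_NETSTAT" | time_wait_pid_column
```

Feed it live data with `netstat -antp | time_wait_by_peer` (root is needed for netstat to show other users' PIDs). Each TIME_WAIT entry lives for 60 seconds on Linux (TCP_TIMEWAIT_LEN is a compile-time constant, not a sysctl), so 200 entries from one address means that host opened and the server closed roughly 200 connections to port 80 within the last minute. That pattern fits a login brute-force loop such as the wp-login.php POSTs in the question's edit; a slowloris-style attack would instead show many sockets sitting in ESTABLISHED.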