A lot of connections from 127.0.0.1

myk8022 · #1 04-06-2010, 07:53 AM

Hi,

My server became really slow today and the loads were quite high.

So I checked what IPs were connecting to the server..
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

And I saw something like:
130 127.0.0.1

Why were there so many connections from localhost? Is it some kind of synflood/DOS attack originating from the server? It's happened a few times recently now.. any advice would be appreciated, thanks.

**larwilliams** · #2 04-06-2010, 08:15 AM

It could be a poorly written script that is using http to access data or other pages.

LVPSHosting · #3 04-06-2010, 08:56 AM

Can you see and tell us with "netstat -anlp" which service/program these connections belong too?

ksv2nash · #4 04-06-2010, 09:17 AM

Hello,

You can you this scripts to stop this
[root@xxxx~]# cat undos.sh
#!/bin/bash
#date = `date`
#echo "undos ran on $date" >> /var/log/undos.log
netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1|awk '$1>30{print $2;}' > /root/ips.txt
for ip in `awk '{print;}' < /root/ips.txt`
do
apf -d $ip
done
rm -f /root/ips.txt
killall -9 httpd
killall -9 httpd
/etc/init.d/httpd startssl
[root@xxxx~]#

MrSaints · #5 04-09-2010, 07:40 AM

Are you using cPanel?
If so, that's quite expected since those requests coming from 127.0.0.1 could possibly be coming from the chksrvd daemon to verify that Apache is online. They don't tend to consume much CPU time though

If possible, get a screenshot of your:
top -c

So we can figure out where exactly the load is coming from.

Sileep Kumar M S · #6 04-10-2010, 07:31 AM

Quote:

Originally Posted by ksv2nash

Hello,

You can you this scripts to stop this
[root@xxxx~]# cat undos.sh
#!/bin/bash
#date = `date`
#echo "undos ran on $date" >> /var/log/undos.log
netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1|awk '$1>30{print $2;}' > /root/ips.txt
for ip in `awk '{print;}' < /root/ips.txt`
do
apf -d $ip
done
rm -f /root/ips.txt
killall -9 httpd
killall -9 httpd
/etc/init.d/httpd startssl
[root@xxxx~]#

If you are using apf, above script will block all IPs having 30+ http connection!

For ksv2nash: If you paste a script please explain the working also.

mabnux · #7 05-01-2010, 02:41 AM

Hi,

what you can edit( $1>30) to the number of connections that you wish to restrict connecting to server

HAND

LearnNginx · #8 03-10-2013, 11:37 PM

I'm also getting this error, any fixes? I am getting a lot of connections from 127.0.0.1

dale · #9 03-10-2013, 11:50 PM

If you see a lot of connection from 127.0.0.1, like:

Quote:

127.0.0.1 - - [26/Feb/2013:16:00:58 +0800] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [26/Feb/2013:16:00:59 +0800] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [26/Feb/2013:16:01:00 +0800] "OPTIONS * HTTP/1.0" 200 -

This is probably Apache (assuming this is what you use) polling child processes. This is perfectly harmless. But yes, it's annoying.

To get rid of it, add a SetEnvIf in your httpd.conf, e.g.:

Quote:

SetEnvIf Remote_Addr "127\.0\.0\.1" loopback
CustomLog logs/access_log combined env=!loopback

If you use a control panel like cPanel, you might need to go through extra steps to make sure the configuration sticks. In the case of cPanel, you'll need to run the distiller, i.e.: apache_conf_distiller --update

Be sure to cat access_log|tail -n10 (or something like that) to make sure that the SetEnvIf is working. Hope this helps.