Regarding Difference on
(used for Packet Monitoring) TCPDUMP - we can use this to capture the
packets on various ports,protocols and ip addresses.. its just a dump copy
of what is happening on it..
(used for analyzing network activity) NET STAT- gives just a status of your
live activity of your system in network ( port,protocol,ip wise ) not an
report or dump like TCPDUMP..
then Regarding 53 port closing kindly check whether your have server
getting resolved in public..if your client access it through name then it
wont resolve them ..kindly check it and do..
check also the provider message for blocking it.
Regards
Naresh kumar v
On Wed, Nov 4, 2015 at 6:12 PM, Vikas Tara <vik at hamaralinux.org> wrote:
On 04/11/15 11:59, Marikkannan Rajagopal wrote:
Dear All.,is in
I am facing the issue on live server and the live server
"CENTOS",some malicious hit is going out of my server through the port",and
number 53 and even though I ran too many too like rkhunter,etc. But I
didn't found the malicious file or output from my server itself.
And the host name is consider as malicious is "irc.nets.hk
it doesn't have any valid ipaddress.,and result of this my cloud providerapplication.
DNS blocked my server ip.
Can I block the port number 53 in my server itself (both
outgoing/incoming ).,and I didn't use the port number 53 for my
port
I can see the output only through "tcpdump on the specfic
53"using
Results:
11:46:37.568099 IP 119.19.44.31.48427 >
119.19.60.62.53: 14465+ A? irc.nets.hk. (29)
11:46:40.707735 IP 119.19.44.31.58955 > 119.19.60.63.53: 1919+ A?
irc.nets.hk. (45)
11:46:45.712962 IP 119.19.44.31.57951 > 119.19.60.62.53: 1919+ A?
irc.nets.hk. (45)
11:46:48.718333 IP 119.19.44.1.39769 > 119.19.60.63.53: 15764+ A?
irc.nets.hk. (29)
But I didn't get any results on my netstat and isof.,
Kindly share difference between tcpdump and netstat
Through Iptables we have block the port number 53 ? Is it
possible on OS level ?
Blocking of port 53 make any issue on server because I am
port 22,25,80 and 443.Looks like a DNS request. If you block outgoing port 53 you will likely
What actually the port 53 do in default server's.
not be able to resolve DNS.
Did your provider tell you in detail why they blocked your access to
their DNS?
You could try running suricata on your host to see if it tells you more
about suspicious network activity.
http://suricata-ids.org/
HTH
Vik
--
Founder - Hamara Linux
www.hamaralinux.org
www.twitter.com/hamaralinux
_______________________________________________
ILUGC Mailing List:
http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
ILUGC Mailing List Guidelines:
http://ilugc.in/mailinglist-guidelines