We have a shared webserver which is being monitored constantly by our ZABBIX agent
Question
We have a shared webserver which is being monitored constantly by our ZABBIX agent. At some hours of the day we have unusual TCP traffic on port 80. Let's say we have over 400 connections from the IP address 109.230.67.50 to our webserver.
We can easily block any connection from and to 109.230.67.50 from IPTABLES but we want to know which of our VIRTUAL HOSTS is receiving this connection or which of our VIRTUAL HOST scripts is making this outgoing connection to that specific IP address.
We are assuming that we have two scenarios: one for INBOUND and one for OUTBOUND.
Is there any tool or way to find out exactly what website is receiving the connection or what script on our server is making outgoing connection to that IP?
It is noteworthy that it is a CentOS 6.5 server and we are using LITESPEED as the webserver.
Explanation / Answer
Blocking an IP address at the firewall typically means dropping or rejecting the initial packet of a TCP connection during connection setup. The virtual host that the client is trying to connect to isn't known until much later, once the TCP connection is established and the client starts sending the HTTP request (specifically, you're looking for the Host: header).
You might be able to handle this at the firewall level, using some fancy combination of state-tracking and packet payload inspection, but you're much better off doing this at the webserver level, using whatever access-control mechanisms it provides.
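As an added example (not part of the original answer), a short Python script that does the webserver-level part for the inbound case: it counts requests per virtual host from the suspect address in a per-vhost access log, and it pulls the Host: header out of a raw request to show that the virtual host only becomes visible in the HTTP payload, never in the connection-setup packet a firewall sees. The log layout (virtual host name prefixed to the Apache combined format) and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original post). Layout assumed here:
# the virtual host name precedes the usual Apache "combined" fields, the way a
# per-vhost access log is commonly configured.
SAMPLE_LOG = """\
shop.example.com:80 109.230.67.50 - - [12/Mar/2015:14:02:11 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
blog.example.com:80 203.0.113.7 - - [12/Mar/2015:14:02:12 +0000] "GET /feed HTTP/1.1" 200 811 "-" "curl/7.29"
shop.example.com:80 109.230.67.50 - - [12/Mar/2015:14:02:12 +0000] "POST /cart HTTP/1.1" 200 240 "-" "Mozilla/5.0"
forum.example.com:80 109.230.67.50 - - [12/Mar/2015:14:02:13 +0000] "GET /login HTTP/1.1" 302 0 "-" "python-requests/2.5"
"""

# vhost, client IP, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def vhosts_hit_by(log_text, client_ip):
    """Return {vhost: request_count} for every request that came from client_ip.

    This answers the inbound question: which virtual host is the traffic aimed at.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("ip") == client_ip:
            counts[m.group("vhost")] += 1
    return dict(counts)


def host_from_request(raw_request):
    """Extract the Host: header from a raw HTTP/1.x request (bytes).

    Returns None when there is no Host header, which is also what a firewall
    effectively has to work with: the SYN that starts the connection carries
    no HTTP data at all, so the target vhost cannot be known at that point.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for hdr in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = hdr.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None
```

Run against the real per-vhost log instead of SAMPLE_LOG to see which site the 400-odd connections are landing on; the outbound half of the question is a different check (mapping the connection to a process on the server) and is not covered here.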