From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
In-Reply-To: <5f0faf0671d7d4270b5666c6ef62f66b@kw.quanstro.net>
References: <5f0faf0671d7d4270b5666c6ef62f66b@kw.quanstro.net>
Date: Sat, 26 Jun 2010 12:03:27 -0600
Message-ID:
From: andrey mirtchovski
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [9fans] Cleaning up the IP tables
Topicbox-Message-UUID: 3753e308-ead6-11e9-9d60-3106f5b1d025

Further to what Erik said, the closed connections don't accumulate over time, they're the result of a single attack or a portscan. subsequent attacks only reuse them without increasing their number. you'll notice that most of the connections were made from the same IP.

On 9grid there are 500+ connections in the "closed" state, all from the same IP which, it appears from the logs, ran an automated scanner for vulnerable websites:

clf:131.94.130.46 - - [03/Jun/2010:06:24:47 +0000] "GET /admin/lang.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:47 +0000] "GET /inc/pipe.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:48 +0000] "GET /include/write.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:48 +0000] "GET /becommunity/community/index.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:48 +0000] "GET /modules/xoopsgallery/upgrade_album.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:48 +0000] "GET /modules/mod_mainmenu.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:49 +0000] "GET /modules/agendax/addevent.inc.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:49 +0000] "GET /shoutbox/expanded.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:49 +0000] "GET /modules/xgallery/upgrade_album.php HTTP/1.1"
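
An added example, not part of the original message: a Python sketch that groups `clf:`-prefixed log lines like those quoted above by client address and flags any address that requests many distinct missing paths in a short burst, which is the pattern the message attributes to an automated scanner. The function names, the thresholds and the 192.0.2.10 lines are assumptions made for illustration; the other sample lines reuse entries quoted in the message.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "clf:"-prefixed common log format lines quoted in the message.
CLF_RE = re.compile(
    r'^(?:clf:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def parse(line):
    """Return (ip, time, path, status), or None for malformed/truncated lines."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def find_scanners(lines, min_paths=5, window=timedelta(seconds=10)):
    """Map each IP that hit >= min_paths distinct 404 paths within window
    to the largest number of distinct paths seen in one window."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[3] == 404:
            misses[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, hits in misses.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            paths = {p for _, p in hits[start:end + 1]}
            if len(paths) >= min_paths:
                flagged[ip] = max(flagged.get(ip, 0), len(paths))
    return flagged

# Sample input: lines from the message plus constructed 192.0.2.10 lines.
SAMPLE = [
    'clf:131.94.130.46 - - [03/Jun/2010:06:24:47 +0000] "GET /admin/lang.php HTTP/1.1" 404 0',
    'clf:131.94.130.46 - - [03/Jun/2010:06:24:47 +0000] "GET /inc/pipe.php HTTP/1.1" 404 0',
    'clf:131.94.130.46 - - [03/Jun/2010:06:24:48 +0000] "GET /include/write.php HTTP/1.1" 404 0',
    'clf:131.94.130.46 - - [03/Jun/2010:06:24:48 +0000] "GET /modules/mod_mainmenu.php HTTP/1.1" 404 0',
    'clf:131.94.130.46 - - [03/Jun/2010:06:24:49 +0000] "GET /shoutbox/expanded.php HTTP/1.1" 404 0',
    'clf:131.94.130.46 - - [03/Jun/2010:06:24:49 +0000] "GET /modules/xgallery/upgrade_album.php HTTP/1.1"',
    'clf:192.0.2.10 - - [03/Jun/2010:06:25:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    'clf:192.0.2.10 - - [03/Jun/2010:06:25:02 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(find_scanners(SAMPLE))
```

The truncated final entry from the message has no status field, so `parse` skips it rather than guessing one.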