topic Re: Internet Usage in Operating System - HP-UX

Internet Usage

Nobody's Hero — Wed, 13 Aug 2003 12:29:47 GMT

My network team advised me that 6 or 8 of my Unix servers are showing over 100 hours of internet usage within the past month. All my servers are Oracle and Pesplesoft servers with no web servers running. The only thing I can think of is ISEE running constantly accress the net. Any ideas on who I can look into the UNIX box to see what is talking to the net?

Re: Internet Usage

Brian Bergstrand — Wed, 13 Aug 2003 12:33:21 GMT

Assumming you are looking for web traffic only.

You could have a cron job that logs the output of `netstat -a | grep 80` to a file somewhere.

This will catch any port 80, or 8080 accesses (outgoing or incoming), but may also catch non-web traffic.

HTH.

Re: Internet Usage

Nobody's Hero — Wed, 13 Aug 2003 12:41:43 GMT

netstat -a | grep -i 80 gives me this:

what is pwgr ?

910
6b08da00 dgram 0 0 7a512800 0 0 0 /var/spool/sockets/pwgr/client23987
6acee400 dgram 0 0 70f96800 0 0 0 /var/spool/sockets/pwgr/client16767
7128e800 stream 0 0 80432000 0 0 0 /opt/hpservices/adm/.serverSocket
6ad2e800 dgram 0 0 708fd000 0 0 0 /var/spool/sockets/pwgr/client16779
6bbbea00 dgram 0 0 726c7800 0 0 0 /var/spool/sockets/pwgr/client16751
6295ec00 dgram 0 0 8c287800 0 0 0 /var/spool/sockets/pwgr/client10320
611ff000 dgram 0 0 60777800 0 0 0 /var/spool/pwgr/daemon
6090f000 dgram 0 0 60c97800 0 0 0 /opt/dcelocal/var/rpc/local/00984/reaper
62d0f400 dgram 0 0 86ac7800 0 0 0 /var/spool/sockets/pwgr/client17287
6ad0f600 dgram 0 0 71228000 0 0 0 /var/spool/sockets/pwgr/client16773
6bc9f800 dgram 0 0 71226800 0 0 0 /var/spool/sockets/pwgr/client16745
6ae8f800 dgram 0 0 6a5ac800 0 0 0 /var/spool/sockets/pwgr/client16729
62ecfe00 dgram 0 0 93286800 0 0 0 /var/spool/sockets/pwgr/client11125
62e7fe00 dgram 0 0 62757800 0 0 0 /var/spool/sockets/pwgr/client4987

Re: Internet Usage

Brian Bergstrand — Wed, 13 Aug 2003 12:52:50 GMT

Like I said, you are catching non-web (and in this case non-network) traffic. All of those lines you pasted are from LOCAL socket connections. They are not network based at all, but just an IPC channel in the kernel. So, you can ignore those. Just look for ones with IP address and valid ports. You should be able to tweak the grep to get rid of these local only sockets.

HTH.

Re: Internet Usage

Nobody's Hero — Wed, 13 Aug 2003 13:08:25 GMT

Ok, so when I run netstat -a I see this:

Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 ihshp10.49979 ihshp10.registrar TIME_WAIT
tcp 0 0 *.dtspc *.* LISTEN
tcp 0 0 *.4045 *.* LISTEN
tcp 0 0 ihshp10.8052 *.* LISTEN
tcp 0 0 ihshp10.8050 *.* LISTEN
tcp 0 0 ihshp10.8003 *.* LISTEN
tcp 0 0 ihshp10.8002 *.* LISTEN
tcp 0 0 ihshp10.8001 *.* LISTEN
tcp 0 0 ihshp10.8000 *.* LISTEN
tcp 0 0 ihshp10.65340 ihshp10.610 ESTABLISHED
tcp 0 0 ihshp10.57068 ihshp14.1521 ESTABLISHED
tcp 0 0 ihshp10.57065 ihshp14.1521 ESTABLISHED
tcp 0 0 ihshp10.57062 ihshp14.1521 ESTABLISHED

like ihshp10.57602

What is 57602, a port being used?

Re: Internet Usage

Mark Greene_1 — Wed, 13 Aug 2003 13:09:16 GMT

Ask your network team how they define internet usage. Are they looking at a specific range of tcp ports, or at all traffic hitting the firewall, or what?

Do you have sendmail running on these servers? Do your applications or databases send automated mail outside your network, to a pop mailer outside your network? Check with your applications people to see if you had anyone coming in via telnet or ftp or ssh from outside your network to do work on any of your systems.

Are your running security_patch_check on these systems, or doing any other FTPs to systms outside your network? If this the first time your network group has run this sort of audit, they may actually be seeing a normal month's usage of the network.

mark

Re: Internet Usage

Frauke Denker_2 — Wed, 20 Aug 2003 09:35:55 GMT

The network traffice might be caused by ISEEs polling mechanism. The polling is necessary to recieve updates of any open cases and for outstanding map requests, as the internet connection is only outbound. If the network traffic is causing any problems, there is a way to change the polling rate but be aware that this will reduce the functions the polling offers. to reduce the interval edit the file:
/opt/hpservices/vendors/HP_Services/vendor.pref
and change the variable "POLL_INTERVAL". By default it is set to 190 seconds. The systems should at least poll a few times per day. After changing the POLL_INTERVAL restart the hpservices by /sbin/init.d/hpservices stop/start

Re: Internet Usage

Ron Kinner — Thu, 21 Aug 2003 01:36:02 GMT

Your netstat does not show any traffic to the internet. At least there are no established connections. Your only connections are between two machines with similar names so I assume they are both local.

tcp 0 0 ihshp10.65340 ihshp10.610 ESTABLISHED
tcp 0 0 ihshp10.57068 ihshp14.1521 ESTABLISHED

The 65340 is the port it (the local machine called ihshp10) used as the source of the connnection. (Port numbers are chosen at random these days. They used to go up one at a time but a spoofer could exploit the predictability so they changed it.) It made a connection to itself on port 610. TCP/IP is often used to communicte between two processes running on the same machine so this is normal. 610 is a registered port and is supposed to be used for: npmp-local whatever that may be.

On the second line it uses port 57068 to connect to ihshp14 on port 1521. 1521 is also a registered port and is supposed to be used for: nCube License Manager

I suspect someone (Peoplesoft or Oracle) is reusing these ports for their own purposes.

You might look at
netstat -s
and see if you have a large number or UDP packets being sent out since it does not appear that you are going out to the internet via tcp at this instant in time. To see these packets would require something like tcpdump, snort or a sniffer. The network guys should have a sniffer so ask them to tell you where this supposed internet traffic is going to.

Ron

Re: Internet Usage

Steven E. Protter — Thu, 21 Aug 2003 01:59:33 GMT

so many possible causes. Can't your team give you a little more direction. Like what web sites were being accessed.

If you installed Bastille and answered the security_patch_check question y there will be some Internet access, though not a lot. That product could be installed standalone as well.

If you get the website you might get the product.

Also, if you installed IP filter firewall, it can bet set up to provide NAT access to other servers and workstations, which will show up on some analaysis as server access. This should only be an issue if there is a direct connection to the Internet on those servers.

This gives you an idea of how big a fishing expedition you might have been sent on. If they are tracking access they should be able to tell you where it goes.

If its those sites with pictures nice guys don't look at, you've got a security problem.

Alos note, if you have netscape or IE for HP-UX or mozilla installed, any X windows user on your servers can access the net. Wow that fishing exedition just got huge.

Sorry, home from vacation, in kind of a mood. Must have been all that thin air.

SEP
aka
former Sundance Wyoming HP Sysadmin.