From owner-freebsd-hackers@FreeBSD.ORG Wed May 14 19:18:52 2008 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0A75B1065674 for ; Wed, 14 May 2008 19:18:52 +0000 (UTC) (envelope-from to.my.trociny@gmail.com) Received: from fk-out-0910.google.com (fk-out-0910.google.com [209.85.128.185]) by mx1.freebsd.org (Postfix) with ESMTP id 8EA468FC0C for ; Wed, 14 May 2008 19:18:50 +0000 (UTC) (envelope-from to.my.trociny@gmail.com) Received: by fk-out-0910.google.com with SMTP id k31so32854fkk.11 for ; Wed, 14 May 2008 12:18:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:to:subject:references:organization:from:date:in-reply-to:message-id:user-agent:mime-version:content-type; bh=15lGqO6i93R5LYMNUFAcal6V2DKxrYp8b8LwNBeYDQQ=; b=ZnTHr+8Q/gpAl5YbtIII8nZnstiTaALQ6W8N4yAyuNYmtjEa9LLZ1wU8BypW/zkb6YwrOCe86iE+2X4bWi5mKxApdEGu36YdXjfCVoq1zdZy7jo2oOHu9iUhmiLWoHApoZvK4QWOocVleZ9qut+u1vljz/5IUV86O5OeScxLDA0= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=to:subject:references:organization:from:date:in-reply-to:message-id:user-agent:mime-version:content-type; b=qC1UHkp0YfWV6A3M7ByfiLFoVMbxf8u5cUBQCrhXtQc86oD3d8VMgERFm5gM6K1B6RuZBL37Qh4CHWOM6bpvJv8b880Ij6Vuj/h7e5aRdf2iDwufLRGZrlJUY2Tk3cAv2ywjsZnGkLDSkTgtdpM9vsl5/Ik/PWnU/VHenSBB0bw= Received: by 10.125.87.8 with SMTP id p8mr749072mkl.80.1210792729186; Wed, 14 May 2008 12:18:49 -0700 (PDT) Received: from localhost ( [80.85.90.67]) by mx.google.com with ESMTPS id 3sm2010358fge.3.2008.05.14.12.18.47 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 14 May 2008 12:18:48 -0700 (PDT) To: References: <482A2639.7000401@datapipe.com> <81zlqtfazy.fsf@zhuzha.ua1> <482AED3B.1020307@datapipe.com> Organization: TOA Ukraine From: Mikolaj Golub Date: Wed, 14 May 2008 22:18:45 +0300 In-Reply-To: <482AED3B.1020307@datapipe.com> (Mark Saad's message of "Wed\, 14 May 2008 09\:46\:35 -0400") Message-ID: <81y76c7kyy.fsf@zhuzha.ua1> User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.1 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: Re: Socket leak X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 May 2008 19:18:52 -0000 On Wed, 14 May 2008 09:46:35 -0400 Mark Saad wrote: MS> Mikolaj MS> Thanks for the input, did you change any of the options for MS> TimeoutLinger or TimeoutIdle ? No, I didn't MS> The Proftpd I am running is build for 6.3-RELEASE here are the build MS> options MS> Compile-time Settings: MS> Version: 1.3.0a MS> Platform: FREEBSD6 (FREEBSD6_3) MS> Built With: MS> configure CPPFLAGS=-DHAVE_OPENSSL --localstatedir=/var/run MS> --disable-sendfile --disable-ipv6 MS> --with-modules=mod_sql:mod_sql_mysql:mod_check_mysql:mod_check_digest MS> --prefix=/usr/local MS> --with-includes=/usr/local/include/mysql:/usr/include/openssl MS> --with-libraries=/usr/local/lib/mysql It might be that it is not proftpd but other application that cause the leak. Anyway, to check if it is proftpd, look in its logs for entries like these: Entering Passive Mode (192,168,0,213,241,70). FTP session closed. Convert the last two numbers to port (241*256+70) and check by netstat if you still have this connection. If you have, then it is likely this is the same situation as in my case and the proftpd is a problem. Upgrade to 1.3.1 from ports then. If proftpd is ok, look for other applications. Search for connections reported by netstat as ESTABLISHED but not displayed by sockstat utility. You could run something like this: netstat -an | grep ESTABL | while read b l a local remote state; do echo -n "$local $remote: " sockstat | sed -e 's/:/./g' | grep -c "$local *$remote" done Look for sockets with 0 count. These are suspicious ones. Observe these sockets by netstat and try to figure out what application they could belong and dig in that direction. -- Mikolaj Golub