What is this IP coming from Belize used by the seafile server?

I ran the command ‘netstat -tap’ on my pi server where I run a seafile server.
And I saw a lot of tcp6 connections with a server at IP 190.115.22.205
Tens of lines in the form:
tcp6 0 0 <my domain>:http 190.115.22.205:<a port> SYN_RECV -

I stopped seafile and reran the netstat command and all those lines vanished.
I restarted seafile and they reappeared!

I traced the IP address; it appears to be a server in Belize!!!

So, WTF??? How can you explain this???
Are you spying at us? Are you using our personal servers for something?

Hi Olivier,
I do not see this at all with my Seafile server. Here is a copy of the screen:

root@seafile:~# netstat -tap
Connexions Internet actives (serveurs et établies)
Proto Recv-Q Send-Q Adresse locale Adresse distante Etat PID/Program name
tcp 0 0 *:8082 : LISTEN 1297/seaf-server
tcp 0 0 :41236 : LISTEN 346/rpc.statd
tcp 0 0 :ssh : LISTEN 449/sshd
tcp 0 0 :8888 : LISTEN 964/rslsync
tcp 0 0 localhost:smtp : LISTEN 1234/exim4
tcp 0 0 :https : LISTEN 497/nginx -g daemon
tcp 0 0 localhost:8125 : LISTEN 1614/netdata
tcp 0 0 :19999 : LISTEN 1614/netdata
tcp 0 0 localhost:8000 : LISTEN 1422/python2.7
tcp 0 0 :51328 : LISTEN -
tcp 0 0 :42242 : LISTEN 964/rslsync
tcp 0 0 localhost:mysql : LISTEN 653/mysqld
tcp 0 0 localhost:11211 : LISTEN 448/memcached
tcp 0 0 :sunrpc : LISTEN 329/rpcbind
tcp 0 0 :http : LISTEN 497/nginx -g daemon
tcp 0 0 192.168.1.122:https 192.168.1.254:55622 FIN_WAIT2 -
tcp 0 0 localhost:8082 localhost:58773 TIME_WAIT -
tcp 0 0 192.168.1.122:https 192.168.1.254:55599 FIN_WAIT2 -
tcp 0 0 localhost:mysql localhost:42543 ESTABLISHED 653/mysqld
tcp 0 0 192.168.1.122:688 192.168.1.100:nfs ESTABLISHED -
tcp 1 0 localhost:40959 localhost:mysql CLOSE_WAIT 1297/seaf-server
tcp 0 0 localhost:8082 localhost:58774 TIME_WAIT -
tcp 0 0 localhost:8082 localhost:58716 TIME_WAIT -
tcp 0 0 192.168.1.122:https 192.168.1.254:55656 ESTABLISHED 499/nginx: worker p
tcp 0 0 192.168.1.122:42242 192.168.1.1:54255 ESTABLISHED 964/rslsync
tcp 0 0 localhost:8082 localhost:58803 TIME_WAIT -
tcp 0 0 192.168.1.122:https 192.168.1.254:49818 ESTABLISHED 499/nginx: worker p
tcp 0 0 localhost:8082 localhost:58775 TIME_WAIT -
tcp 0 0 localhost:8082 localhost:58786 TIME_WAIT -
tcp 0 0 192.168.1.122:https 192.168.1.254:49827 FIN_WAIT2 -
tcp 0 0 192.168.1.122:42242 192.168.1.1:54254 ESTABLISHED 964/rslsync
tcp 0 0 localhost:8082 localhost:58764 TIME_WAIT -
tcp 0 0 192.168.1.122:42242 192.168.1.2:51953 ESTABLISHED 964/rslsync
tcp 0 0 localhost:8082 localhost:58707 TIME_WAIT -
tcp 0 0 localhost:8082 localhost:58778 TIME_WAIT -
tcp 0 0 192.168.1.122:https 192.168.1.254:55567 FIN_WAIT2 -
tcp 0 0 localhost:8082 localhost:58765 TIME_WAIT -
tcp 0 0 localhost:8082 localhost:58717 TIME_WAIT -
tcp 0 0 localhost:42543 localhost:mysql ESTABLISHED 1297/seaf-server
tcp 0 0 192.168.1.122:https 192.168.1.254:49829 FIN_WAIT2 -
tcp 0 0 localhost:44454 localhost:11211 ESTABLISHED 1633/python
tcp 0 0 192.168.1.122:42242 192.168.1.2:51955 ESTABLISHED 964/rslsync
tcp 0 0 192.168.1.122:42242 192.168.1.2:51954 ESTABLISHED 964/rslsync
tcp 0 0 192.168.1.122:https 192.168.1.254:49815 FIN_WAIT2 -
tcp 0 0 localhost:42544 localhost:mysql ESTABLISHED 1297/seaf-server
tcp 0 320 192.168.1.122:ssh 192.168.1.1:49229 ESTABLISHED 13084/0
tcp 0 0 localhost:8082 localhost:58728 TIME_WAIT -
tcp 0 0 localhost:8082 localhost:58720 TIME_WAIT -
tcp 0 0 192.168.1.122:https 192.168.1.254:55619 FIN_WAIT2 -
tcp 1 0 localhost:53821 localhost:mysql CLOSE_WAIT 1297/seaf-server
tcp 0 0 localhost:8082 localhost:58745 TIME_WAIT -
tcp 0 0 localhost:mysql localhost:42544 ESTABLISHED 653/mysqld
tcp 0 0 192.168.1.122:42242 192.168.1.1:54253 ESTABLISHED 964/rslsync
tcp 0 0 localhost:8082 localhost:58766 TIME_WAIT -
tcp 0 0 localhost:11211 localhost:44454 ESTABLISHED 448/memcached
tcp 0 0 localhost:8082 localhost:58708 TIME_WAIT -
tcp 0 0 localhost:8082 localhost:58715 TIME_WAIT -
tcp 0 0 192.168.1.122:https 192.168.1.254:49828 FIN_WAIT2 -
tcp6 0 0 [::]:ssh [::]: LISTEN 449/sshd
tcp6 0 0 localhost:smtp [::]: LISTEN 1234/exim4
tcp6 0 0 localhost:8125 [::]: LISTEN 1614/netdata
tcp6 0 0 [::]:19999 [::]: LISTEN 1614/netdata
tcp6 0 0 [::]:42242 [::]: LISTEN 964/rslsync
tcp6 0 0 [::]:33835 [::]: LISTEN -
tcp6 0 0 [::]:40684 [::]: LISTEN 346/rpc.statd
tcp6 0 0 [::]:sunrpc [::]: LISTEN 329/rpcbind
tcp6 0 0 localhost:9200 [::]: LISTEN 1283/java
tcp6 0 0 localhost:9200 localhost:54887 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54873 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54837 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54816 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54895 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54894 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54863 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54911 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54845 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54818 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54838 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54912 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54847 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54817 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54846 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54862 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54896 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54829 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54874 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54830 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54885 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54855 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54854 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54856 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54839 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54903 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54875 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54902 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54913 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54828 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54904 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54864 TIME_WAIT -
tcp6 0 0 localhost:9200 localhost:54886 TIME_WAIT -
root@seafile:~#

I think you should check your environment before spitting on Seafile.
Belize is French. Do you seriously think that we have servers in Belize spying on you? :alien:

Hi Jobenvil, I don’t want to spit on Seafile, I just want an answer to my question…
First, Belize is not French at all, I don’t know where you saw that. Just have a look at Wikipedia: https://en.wikipedia.org/wiki/Belize
Second, what I can say about my environment is exactly what I said in my previous message.
With seafile started (and that’s just a few lines):
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:12718 SYN_RECV -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:7710 SYN_RECV -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:49301 SYN_RECV -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:44065 SYN_RECV -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:50825 SYN_RECV -
tcp6 0 0 levillain.fr.nf:https freebox:36564 TIME_WAIT -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:25721 SYN_RECV -
tcp6 0 0 levillain.fr.nf:https freebox:36598 TIME_WAIT -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:51315 SYN_RECV -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:60325 SYN_RECV -
tcp6 0 0 levillain.fr.nf:https freebox:36580 TIME_WAIT -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:53054 SYN_RECV -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:25790 SYN_RECV -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:1469 SYN_RECV -
tcp6 0 0 levillain.fr.nf:https freebox:36578 TIME_WAIT -
tcp6 0 0 levillain.fr.nf:https freebox:36584 TIME_WAIT -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:36532 SYN_RECV -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:54444 SYN_RECV -
tcp6 0 0 levillain.fr.nf:https freebox:36596 FIN_WAIT2 -
tcp6 0 0 levillain.fr.nf:https freebox:36558 TIME_WAIT -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:6440 SYN_RECV -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:26772 SYN_RECV -
tcp6 0 0 levillain.fr.nf:https freebox:36572 TIME_WAIT -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:32272 SYN_RECV -
tcp6 0 0 levillain.fr.nf:https freebox:36566 TIME_WAIT -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:31946 SYN_RECV -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:42033 SYN_RECV -
tcp6 0 0 levillain.fr.nf:https freebox:36552 TIME_WAIT -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:57483 SYN_RECV -
tcp6 0 0 levillain.fr.nf:https freebox:36604 ESTABLISHED -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:53780 SYN_RECV -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:44585 SYN_RECV -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:4654 SYN_RECV -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:8741 SYN_RECV -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:34344 SYN_RECV -
tcp6 0 0 levillain.fr.nf:https freebox:36562 TIME_WAIT -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:59441 SYN_RECV -
tcp6 0 0 levillain.fr.nf:https freebox:36602 FIN_WAIT2 -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:64745 SYN_RECV -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:2942 SYN_RECV -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:41381 SYN_RECV -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:14354 SYN_RECV -
tcp6 0 0 levillain.fr.nf:http 190.115.22.205:53662 SYN_RECV -

So I didn’t invent this.
When I stopped Seafile, they all disappeared; when I restarted it, they all reappeared.
I can send you the output of the netstat commands with and without Seafile, I recorded them.
I’m not the kind of guy who sees plots everywhere, I even hate that.
So if this is a coincidence, OK, but admit I can ask some questions, no?

My bad, I don’t know why I linked Belize to an old French colony…

Is it a headless server? Do you have nginx installed?

In my system:

root@hiperborea ~ # netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:8200                  *:*                     LISTEN      1102/minidlnad
tcp        0      0 *:4200                  *:*                     LISTEN      796/shellinaboxd
tcp        0      0 localhost:mysql         *:*                     LISTEN      1264/mysqld
tcp        0      0 hiperborea:netbios-ssn  *:*                     LISTEN      1401/smbd
tcp        0      0 *:hostmon               *:*                     LISTEN      981/systemd-resolve
tcp        0      0 *:sunrpc                *:*                     LISTEN      764/rpcbind
tcp        0      0 *:webmin                *:*                     LISTEN      1434/perl
tcp        0      0 *:http                  *:*                     LISTEN      1025/nginx -g daemo
tcp        0      0 *:8082                  *:*                     LISTEN      1432/seaf-server
tcp        0      0 *:ftp                   *:*                     LISTEN      1017/vsftpd
tcp        0      0 *:ssh                   *:*                     LISTEN      987/sshd
tcp        0      0 hiperborea:microsoft-ds *:*                     LISTEN      1401/smbd
tcp        0      0 localhost:8000          *:*                     LISTEN      1865/python2.7
tcp        0      0 hiperborea:http         p4FE46A90.dip0.t-i:1389 ESTABLISHED 1033/nginx: worker
tcp        0      0 hiperborea:http         p4FE46A90.dip0.t-i:1437 ESTABLISHED 1032/nginx: worker
tcp        0      0 hiperborea:http         p4FE46A90.dip0.t-:46573 ESTABLISHED 1033/nginx: worker
tcp        0    208 hiperborea:ssh          Achilles.fritz.bo:49583 ESTABLISHED 26942/0
tcp        0      0 hiperborea:microsoft-ds freya.fritz.box:1348    ESTABLISHED 26237/smbd
tcp        0      0 hiperborea:http         p4FE46A90.dip0.t-:47400 ESTABLISHED 1033/nginx: worker
tcp        0      0 hiperborea:http         p4FE46A90.dip0.t-:49600 ESTABLISHED 1030/nginx: worker
tcp        0      0 hiperborea:http         p4FE46A90.dip0.t-:46571 ESTABLISHED 1033/nginx: worker
tcp        0      0 hiperborea:http         p4FE46A90.dip0.t-:46558 ESTABLISHED 1032/nginx: worker
tcp        0      0 hiperborea:microsoft-ds Achilles.fritz.bo:29957 ESTABLISHED 22571/smbd
tcp        0      0 hiperborea:http         p4FE46A90.dip0.t-:49599 ESTABLISHED 1033/nginx: worker
tcp6       0      0 [::]:hostmon            [::]:*                  LISTEN      981/systemd-resolve
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN      764/rpcbind
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      987/sshd

That’s all, there is nothing more. Try to format your output with the markdown symbols “< / >”, so it is easier to recognize.

What is the IP-range of your local network?

@jobenvil,
I don’t have nginx installed, but apache2 as an https reverse proxy to Seafile.
@Bernie_O
It’s a small network 192.168.0.0/24.
Actually, it’s the one defined by “freebox” in the list above which is my gateway.

I retried the netstat command just now and it seems that, even with Seafile started, the weird connections are gone.
So I will monitor that closely…

https://www.symantec.com/connect/articles/hardening-tcpip-stack-syn-attacks

http://www.tux-planet.fr/contrer-une-attaque-ddos-de-type-syn-flood-sous-linux/

Your problem has nothing to do with Seafile, you are the victim of a DDoS attack of the SYN flood type…
@Olivier_LEVILLAIN if you have a Freebox, you are in France like me…
I also have a Freebox; you must have some ports open on your IP that are being sniffed or attacked…
You must be using ports 443 and 80 for Seafile? Through a proxy, those are the only ones that should be open.
A piece of advice: if you use Linux, go with Nginx; it is complementary to Apache and very stable with Seafile… And are you using the Pro or CE version?
Don’t listen to jobenvil too much, I get the impression he is doing humanitarian aid with Seafile :slight_smile:
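
Added example, not part of any post in this thread: a shell function that tallies half-open (`SYN_RECV`) entries per remote address in `netstat` output, the pattern the last reply identifies as a SYN flood. The sample lines are constructed in the format posted above; `server.example`, `gateway` and the documentation-range addresses are placeholders.

```shell
#!/bin/sh
# Tally SYN_RECV (half-open) connections per remote address.
# On a live host: netstat -tan | syn_recv_by_peer 5
syn_recv_by_peer() {
    threshold="${1:-5}"   # report only peers with at least this many entries
    awk -v min="$threshold" '
        # netstat -t columns: Proto Recv-Q Send-Q Local Foreign State [PID/Program]
        $1 ~ /^tcp/ && $6 == "SYN_RECV" {
            peer = $5
            sub(/:[^:]*$/, "", peer)   # drop the trailing :port, keep the address
            count[peer]++
        }
        END {
            for (p in count)
                if (count[p] >= min) printf "%d %s\n", count[p], p
        }
    ' | sort -rn
}

# Constructed sample input (not real traffic), shaped like the output in the thread.
sample_netstat() {
    cat <<'EOF'
tcp6 0 0 server.example:http 203.0.113.7:12718 SYN_RECV -
tcp6 0 0 server.example:http 203.0.113.7:7710 SYN_RECV -
tcp6 0 0 server.example:https gateway:36564 TIME_WAIT -
tcp6 0 0 server.example:http 203.0.113.7:49301 SYN_RECV -
tcp6 0 0 server.example:http 203.0.113.7:44065 SYN_RECV -
tcp6 0 0 server.example:http 198.51.100.9:40112 SYN_RECV -
tcp6 0 0 server.example:https gateway:36604 ESTABLISHED -
EOF
}

# Demonstration on the constructed sample: one peer holds 4 half-open entries.
sample_netstat | syn_recv_by_peer 3
```

A sustained pile of `SYN_RECV` entries from one peer on a listening port means the handshake is never completed; on Linux, `sysctl net.ipv4.tcp_syncookies` shows whether SYN cookies are enabled.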