1

Topic: Postgres UDP connections


Continuing from http://www.iredmail.org/forum/topic1200 … thon-proce

This mystery "python" process is showing up on Tiger Auditing reports again.

OLD: --WARN-- [lin002i] The process `python' is listening on socket 57954 (UDP) on every interface.

The port changes randomly, but it's always 5XXXX.

ubuntu@ip-172-31-19-3:~$  sudo netstat -anlp | grep 'udp'
udp        0      0 127.0.0.1:56743         127.0.0.1:56743         ESTABLISHED 1163/postgres

Does this indicate that postgres is connected to itself via port 56743? I'm confused.


2

Re: Postgres UDP connections

I'm confused too. iRedMail doesn't have a program listening on random ports.

You may need to check processes with the commands "ps aux" and "lsof -i :<port>" (to check which program is listening on the port) to figure it out.

3

Re: Postgres UDP connections

lsof -i :56743 doesn't return anything, probably because the connection is "established" rather than "listening". I think the Tiger Auditing report that says it's listening is only from a very small time window before the connection is established.

Here are some results from ps aux:

ubuntu@ip-172-31-19-3:~$ ps auxwww | grep 'python'
iredapd   1515  0.0  1.2 146092 13124 ?        S    Nov27   0:00 python /opt/iredapd/iredapd.py
root      1518  0.0  1.3 684536 13252 ?        Sl   Nov27   1:02 /usr/bin/python3 /usr/bin/fail2ban-server -s var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b

ubuntu@ip-172-31-19-3:~$ ps auxwww | grep 'postgres'
postgres  1163  0.0  1.3 293380 13512 ?        S    Nov27   0:05 /usr/lib/postgresql/9.5/bin/postgres -D /var/lib/postgresql/9.5/main -c config_file=/etc/postgresql/9.5/main/postgresql.conf
postgres  1170  0.0  0.8 293504  8768 ?        Ss   Nov27   0:00 postgres: checkpointer process
postgres  1171  0.0  0.4 293380  4156 ?        Ss   Nov27   0:00 postgres: writer process
postgres  1172  0.0  0.7 293380  7244 ?        Ss   Nov27   0:01 postgres: wal writer process
postgres  1173  0.0  0.4 293876  5072 ?        Ss   Nov27   0:02 postgres: autovacuum launcher process
postgres  1174  0.0  0.2 148792  2784 ?        Ss   Nov27   0:02 postgres: stats collector process
postgres 12487  0.0  1.4 295188 14924 ?        Ss   06:59   0:00 postgres: amavisd amavisd 127.0.0.1(38316) idle
postgres 15093  0.0  1.4 295180 14316 ?        Ss   08:00   0:00 postgres: amavisd amavisd 127.0.0.1(38374) idle
postgres 15863  0.0  1.3 295060 14032 ?        Ss   09:18   0:00 postgres: vmail vmail 127.0.0.1(38416) idle
postgres 17442  0.0  1.3 294408 13360 ?        Ss   10:41   0:00 postgres: vmail vmail 127.0.0.1(38780) idle
postgres 17443  0.0  1.2 294436 13032 ?        Ss   10:41   0:00 postgres: amavisd amavisd 127.0.0.1(38782) idle
postgres 17444  0.0  1.2 294444 12648 ?        Ss   10:41   0:00 postgres: iredapd iredapd 127.0.0.1(38784) idle
postgres 18378  0.0  1.2 294428 13100 ?        Ss   11:47   0:00 postgres: vmail vmail 127.0.0.1(38954) idle
postgres 18379  0.0  1.2 294428 13100 ?        Ss   11:47   0:00 postgres: vmail vmail 127.0.0.1(38956) idle

4

Re: Postgres UDP connections

If it's just "established", not "listening", MAYBE it's the script "spf_to_greylisting_whitelists.py"; it queries the DNS server regularly (please check root's cron job).
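
An added example, not part of any post in this thread: one way to triage UDP rows from `netstat -anlp` when following up a Tiger lin002i warning, separating unconnected sockets bound to every interface from connected ones such as the postgres row quoted in the first post. Only the first sample row comes from the thread; the other two rows and the names `classify` and `triage` are constructed for illustration.

```python
import ipaddress
import re

# Row 1 is the netstat line quoted in the thread; rows 2 and 3 are constructed.
SAMPLE = """\
udp        0      0 127.0.0.1:56743         127.0.0.1:56743         ESTABLISHED 1163/postgres
udp        0      0 0.0.0.0:57954           0.0.0.0:*                           1515/python
udp        0      0 172.31.19.3:41002       172.31.0.2:53           ESTABLISHED 2210/python
"""

# The State column is empty for unconnected UDP sockets, so it is optional.
ROW = re.compile(
    r"^(?P<proto>udp6?)\s+\d+\s+\d+\s+"
    r"(?P<lip>\S+):(?P<lport>\d+)\s+"
    r"(?P<rip>\S+):(?P<rport>\d+|\*)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<owner>\S.*?)\s*$"
)

def classify(line):
    """Return (owner, local_port, verdict) for a UDP row, else None."""
    m = ROW.match(line)
    if m is None:
        return None
    try:
        local = ipaddress.ip_address(m["lip"])
    except ValueError:  # truncated or otherwise unparsable address
        return None
    if m["rport"] == "*":
        # Unconnected socket: accepts datagrams from any sender that can
        # reach the bound address. Wildcard binds are what lin002i flags.
        if local.is_unspecified:
            verdict = "open on every interface"
        elif local.is_loopback:
            verdict = "open on loopback only"
        else:
            verdict = "open on one address"
    elif (m["lip"], m["lport"]) == (m["rip"], m["rport"]):
        # connect() to its own address: the kernel delivers only datagrams
        # whose source is this same socket.
        verdict = "connected to itself"
    else:
        verdict = "connected to a peer"
    return m["owner"], int(m["lport"]), verdict

def triage(text):
    """Classify every UDP row in netstat output, skipping other lines."""
    return [r for r in map(classify, text.splitlines()) if r]
```

Rows reported as "open on every interface" are the ones worth tracing back to a process and a firewall rule; connected rows accept traffic only from the peer shown in the Foreign Address column.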