server attacks and netstat

hello all - a couple of weeks ago Eric was kind enough to share with me netstat to determine what is happening with my server. i have noticed that a couple of times a day, one IP number will be trying to break in. here is an example:

 tcp        0      0 199.231.184.26:3306        119.10.1.206:1772          TIME_WAIT
 tcp        0      0 199.231.184.26:3306        119.10.1.206:3611          TIME_WAIT
 tcp        0      0 199.231.184.26:3306        119.10.1.206:3895          TIME_WAIT
 tcp        0      0 199.231.184.26:3306        119.10.1.206:1925          TIME_WAIT
 tcp        0      0 199.231.184.26:3306        119.10.1.206:4618          TIME_WAIT
 tcp        0      0 199.231.184.26:3306        119.10.1.206:2429          TIME_WAIT
 tcp        0      0 199.231.184.26:3306        119.10.1.206:4600          TIME_WAIT
 tcp        0      0 199.231.184.26:3306        119.10.1.206:2133          TIME_WAIT

is there a way, perhaps in csf, to stop an IP number from trying to access so many ports at any given time?

thank you all for your ongoing help.

Hi,

I’m not sure about CSF (never used it) but I’m sure you can, sorry I can’t be more helpful.

I do know, however, that the port in the 3rd (4th?) column is the port used by MySQL servers generally. Is it possible that IP corresponds with a remote host entry for a database?

-Dustin

thanks dustin - usually i see port 80 not port 3306

for now, i have a php job running every two seconds calling netstat - and if i see more than 20 connections scanning all those ports, i issue a csf --tempdeny (--denytemp??) command.

but i am hoping for a better solution!
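
Added example, not part of the thread and not code from any poster: a shell/awk version of the per-IP connection count described above. In `netstat -tn` output the fourth column is the server's own address and port and the fifth is the remote address with its source port, so the script groups by remote IP and can filter on the local port. The function names, the threshold and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): count connections per remote IP
# in `netstat -tn` output.
# Columns: proto recv-q send-q local-address foreign-address state

# flag_heavy_ips LIMIT [LOCAL_PORT]
# Reads netstat lines on stdin and prints "count ip", highest first, for
# every remote IP with more than LIMIT connections (optionally only those
# to LOCAL_PORT). Listening sockets and header lines are skipped.
flag_heavy_ips() {
    awk -v limit="$1" -v port="${2:-}" '
        $1 ~ /^tcp/ && NF >= 6 && $6 != "LISTEN" {
            n = split($4, l, ":")               # last field = local port
            if (port != "" && l[n] != port) next
            m = split($5, r, ":")               # drop trailing source port
            ip = r[1]
            for (i = 2; i < m; i++) ip = ip ":" r[i]
            count[ip]++
        }
        END { for (ip in count) if (count[ip] > limit) print count[ip], ip }
    ' | sort -rn
}

# Constructed sample input (documentation addresses, not real hosts).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address     Foreign Address      State
tcp   0      0      0.0.0.0:3306      0.0.0.0:*            LISTEN
tcp   0      0      192.0.2.10:3306   203.0.113.7:1772     TIME_WAIT
tcp   0      0      192.0.2.10:3306   203.0.113.7:3611     TIME_WAIT
tcp   0      0      192.0.2.10:3306   203.0.113.7:3895     TIME_WAIT
tcp   0      0      192.0.2.10:3306   203.0.113.7:1925     TIME_WAIT
tcp   0      0      192.0.2.10:3306   203.0.113.7:4618     ESTABLISHED
tcp   0      0      192.0.2.10:80     198.51.100.9:50112   ESTABLISHED
tcp   0      0      192.0.2.10:80     198.51.100.9:50113   TIME_WAIT
tcp   0      0      192.0.2.10:3306   198.51.100.20:40022  ESTABLISHED
EOF
}

# Demo on the sample; on a live host: netstat -tn | flag_heavy_ips 20 3306
sample_netstat | flag_heavy_ips 3 3306
```

The script only reports offending addresses; passing them to a firewall command such as the csf temporary deny mentioned in the thread is left to the caller.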