LinuxQuestions.org


csDraco_ 09-11-2013 04:13 PM

Network interface spammed
 
This is more of a sanity check question here ..

Can one limit the received bytes on a public interface (that needs to stay public)?

My "RX bytes" counter is at 2.5GiB and growing after just 2 days, without any legitimate traffic to my site, which is not "officially" online yet; in fact I don't even have a domain name for my server yet, just a public IP.

I managed to put a near stop to my "TX bytes" by adding malicious IPs to my iptables, turning off my httpd service and also dropping all port 80 packets.

But they keep on coming and coming (packets) with no end in sight on nearly all ports and mostly port 80, even though I'm dropping them with iptables from all IPs, and my RX bytes counter is still growing, though at a slower rate, but still about 50 MB/hour.
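
The growth the poster is eyeballing can be measured directly from the kernel's interface counters. The following shell script is an added example (not code from the thread or from any LinuxQuestions member); it assumes the interface is called eth0 and uses constructed /proc/net/dev snapshots in place of live readings. Note that iptables DROP rules do not reduce this counter: the NIC has already received and counted the frame before netfilter discards it, so only upstream filtering shrinks "RX bytes".

```shell
#!/bin/sh
# Constructed sample snapshots of /proc/net/dev (not real captures), taken one
# hour apart. eth0 starts at 2.5 GiB received and grows by exactly 50 MiB.
SNAP1='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:       1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0: 2684354560 3000000    0    0    0     0          0         0 52428800  400000    0    0    0     0       0          0'
SNAP2='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:       1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0: 2736783360 3060000    0    0    0     0          0         0 52428800  400000    0    0    0     0       0          0'

# rx_bytes SNAPSHOT IFACE -> RX bytes counter for IFACE (empty if absent).
rx_bytes() {
    # Some kernels print "eth0:123" with no space after the colon, so turn the
    # colon into a space before awk splits the fields.
    printf '%s\n' "$1" | awk -v dev="$2" '{ sub(/:/, " "); if ($1 == dev) print $2 }'
}

# rx_delta OLD NEW -> bytes received between the two readings. If NEW < OLD
# the counter is assumed to have wrapped at 2^32 (assumption: 32-bit counters).
rx_delta() {
    if [ $(( $2 < $1 )) -eq 1 ]; then
        echo $(( $2 + 4294967296 - $1 ))
    else
        echo $(( $2 - $1 ))
    fi
}

# rx_rate_mb_per_hour OLD NEW SECONDS -> integer MiB per hour over the interval.
rx_rate_mb_per_hour() {
    echo $(( $(rx_delta "$1" "$2") * 3600 / $3 / 1048576 ))
}

# On a live host, replace the snapshots with two readings 60 s apart:
#   a=$(rx_bytes "$(cat /proc/net/dev)" eth0); sleep 60
#   b=$(rx_bytes "$(cat /proc/net/dev)" eth0)
#   rx_rate_mb_per_hour "$a" "$b" 60
rx_rate_mb_per_hour "$(rx_bytes "$SNAP1" eth0)" "$(rx_bytes "$SNAP2" eth0)" 3600
```

Comparing this figure with the byte counters of your DROP rules (`iptables -nvxL INPUT`) shows how much of the inbound volume is already being discarded locally versus what still has to be stopped upstream.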

business_kid 09-12-2013 09:06 AM

That is odd. Sanity check failed. I had a box in a dmz (and so accessible) and I got stupid stuff because I had an ssh server on it, but nothing like what you are talking about. I got people running nmap, then a script trying to log in with names picked at random from the Flintstones :-/. I wasn't running iptables at all. But I was in no way secure, so I did things fast. I had put it there for a few days, and forgot to take it off.

If you're logging malicious IPs I would try and get the traffic blocked upstream of you. I'm sure the guys who run honeypots would love your IP!

csDraco_ 09-12-2013 10:20 AM

Blocking the traffic upstream sure would be nice, it's like a zoo out there!

I had those brute force ssh attacks too within 2 days of going online if I remember correctly. Changing the default port to a much higher one fixed that quickly.

For now I've added a rule to drop all access besides the IP I use to access my server, and incoming traffic on my public interface has come down to about 4 Mbytes an hour. It's been going down gradually to 4 MB, so it looks like bot farms are losing interest.

But I still need to run my httpd on port 80, and unblock it one day .. and spammers know it.

Before I go public again with my port 80, I'll either subscribe to an ip blacklist, or install fail2ban, or both!

Cheers, and thanks for the sanity check business_kid ;)
