Monitoring eth0 with bmon confirms that there are generally around 200-500 packets coming in per second and 20-400kbps RX at different times.
vnstat shows that yesterday I had 10.77GB alone - this is not a heavy traffic server, as the 15MB out shows.
Looking at 'netstat -an' shows no unusual or persistent connections, syslog shows the usual iptable rules but nothing that could generate so much traffic. Apache access logs also don't show anything unusual.
I'm having a hard time tracking down what might be causing all this incoming data and other people have also had a look on the system without finding any possible cause.
The server runs apache2, mailman, postfix, courier, sshd, smtpd, and mysql. I've pasted the iptables rules below, just in case I missed something there.
I'm basically at a loss on how to track down the cause of the incoming data and would like any input or suggestions as to what I should do next. I've tried iftop but it won't display anything for some reason.
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 8 TTL-Match name: SSH side: source
tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: SET name: SSH side: source
DROP all -- 118.67.190.37 anywhere
DROP all -- ctx1.macleoddixon.com anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:8008
ACCEPT tcp -- anywhere anywhere tcp flags:ACK/ACK
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
LOG all -- anywhere anywhere LOG level debug prefix `IPTABLES-IN Default Drop: '
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Who else is on the server? It's quite possible to generate large incoming traffic if somebody is using wget or ftp to transfer files.
Automatic updates could pull that kind of bandwidth too.
You say "as the 15MB out shows" but I don't see 15MB anywhere.
Are you losing GB of space on the disks? If not it could be MRTG that's not reporting correctly or reporting on the wrong thing.
Yeah, I own the server and all domains on it.
Disk space history shows no increase in usage that isn't expected, and especially not to that extent (10GB a day I'd notice).
mrtg also plots disk space usage and there's no increase in storage usage that coincides with the increase in incoming traffic.
I've also tried stopping apache, mailman, postfix, courier, and mysql - basically every service except ssh - and am still getting a constant 40kbps in, which can go up to 400kbps at times.
I assume I shouldn't expect an ssh session to transmit that much.
I would suggest that MRTG or vnstat is not showing the true picture. Are you positive that the vnstat figure was for a day and not cumulative for a different period?
This is the output of vnstat which I just ran now. I ran dumpcap, but I don't really know enough to decipher the output with tcpdump and to see what, if anything, is out of place.
mrtg has always been accurate up to a certain point, when incoming traffic spiked.
I've tested my mail server for relay via abuse.net and it reports it to be secure, so I am guessing it's incoming spam.
Other blocks with a lot of empty data start with HTML markup, but not with HTML that would appear on my server, like urls from the bbc.co.uk and dooley.boards etc.
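One way to get a first reading of a dumpcap/tcpdump capture without knowing the protocol details is to aggregate it by source address and destination port, so the heaviest inbound talkers stand out. The script below is an added example, not code from this thread; it assumes the capture has been printed as text with `tcpdump -nn -r capture.pcap`, and the sample lines embedded in it are constructed (198.51.100.5 plays the server). Lines that do not carry a port pair, such as ARP or IPv6 traffic, are simply ignored.

```shell
#!/bin/sh
# Added example: summarise `tcpdump -nn -r capture.pcap` text output by
# source IP and destination port. Constructed sample; 198.51.100.5 is "our" server.
CAPTURE_SAMPLE='12:00:01.000001 IP 192.0.2.10.51234 > 198.51.100.5.25: Flags [P.], seq 1:1401, ack 1, win 512, length 1400
12:00:01.000002 IP 192.0.2.10.51234 > 198.51.100.5.25: Flags [P.], seq 1401:2801, ack 1, win 512, length 1400
12:00:01.000003 IP 203.0.113.7.4444 > 198.51.100.5.80: Flags [S], seq 0, win 64240, length 0
12:00:01.000004 IP 198.51.100.5.25 > 192.0.2.10.51234: Flags [.], ack 2801, win 512, length 0
12:00:01.000005 IP 192.0.2.99.40000 > 198.51.100.5.53: UDP, length 60'

# Reads tcpdump text lines on stdin, prints "bytes pkts src -> port dport",
# heaviest flow first.
summarize_capture() {
    awk '
    # Lines of interest: "<time> IP <src>.<sport> > <dst>.<dport>: ... length <N>"
    $2 == "IP" && $4 == ">" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        n = split(src, s, ".")
        sip = (n == 5) ? (s[1] "." s[2] "." s[3] "." s[4]) : src
        n = split(dst, d, ".")
        dport = (n == 5) ? d[5] : "-"
        # payload length is the number that follows the word "length"
        len = 0
        for (i = 6; i < NF; i++) if ($i == "length") { len = $(i + 1) }
        sub(/[^0-9].*$/, "", len)
        key = sip " -> port " dport
        bytes[key] += len; pkts[key]++
    }
    END { for (k in bytes) printf "%8d bytes %5d pkts  %s\n", bytes[k], pkts[k], k }
    ' | sort -rn
}

# The single heaviest flow in the constructed sample (used by the demo below).
top_talker() {
    printf '%s\n' "$CAPTURE_SAMPLE" | summarize_capture | head -n 1
}

# Demo run on the constructed sample; on a real box replace the sample with
#   tcpdump -nn -r capture.pcap | summarize_capture | head
printf '%s\n' "$CAPTURE_SAMPLE" | summarize_capture
```

On the sample this ranks 192.0.2.10 talking to port 25 (SMTP) at the top with 2800 bytes over two packets, which is exactly the kind of line that would point at mail traffic rather than Apache. Byte counts here are payload lengths as tcpdump prints them, so they understate link-level usage, but the ranking is what matters when deciding where to look next.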
Run ls -l /var/log and see how big the maillog files are. If they are huge, then incoming spam is a good probability.
You might find some ip addresses worth blocking too. The stuff with html in might be html email. I can't see how incoming traffic could be html based otherwise. Unless you have some kind of aggregator running on your site (php ?)
Running tail -f /var/log/maillog might show up the culprits too.
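Counting SMTP clients in the maillog turns "watch the log" into a list of addresses worth blocking. The script below is an added example and not code from the thread; it assumes Postfix-style smtpd log lines (the ones embedded here are constructed) and a connection threshold chosen by the reader. It only prints candidate iptables rules for review; it does not run them.

```shell
#!/bin/sh
# Added example: find repeat SMTP clients in a Postfix-style maillog.
# Constructed sample log lines; real logs may use slightly different wording.
MAILLOG_SAMPLE='Jan 10 12:00:01 mx postfix/smtpd[2345]: connect from unknown[192.0.2.10]
Jan 10 12:00:02 mx postfix/smtpd[2345]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <x@example.net>: Relay access denied; from=<a@example.org> to=<x@example.net> proto=ESMTP helo=<mail>
Jan 10 12:00:03 mx postfix/smtpd[2345]: disconnect from unknown[192.0.2.10]
Jan 10 12:00:10 mx postfix/smtpd[2346]: connect from unknown[192.0.2.10]
Jan 10 12:00:11 mx postfix/smtpd[2346]: disconnect from unknown[192.0.2.10]
Jan 10 12:00:20 mx postfix/smtpd[2347]: connect from mail.example.com[203.0.113.5]
Jan 10 12:00:21 mx postfix/smtpd[2347]: 1A2B3C: client=mail.example.com[203.0.113.5]
Jan 10 12:00:22 mx postfix/smtpd[2347]: disconnect from mail.example.com[203.0.113.5]
Jan 10 12:00:30 mx postfix/smtpd[2348]: connect from unknown[192.0.2.10]
Jan 10 12:00:31 mx postfix/smtpd[2348]: disconnect from unknown[192.0.2.10]'

# Reads log lines on stdin; prints "connects rejects ip", busiest client first.
maillog_clients() {
    awk '
    /postfix\/smtpd\[[0-9]+\]: connect from / {
        ip = $0; sub(/.*\[/, "", ip); sub(/\].*/, "", ip)   # text inside the last [...]
        conn[ip]++
    }
    /: reject: / {
        ip = $0; sub(/.*from [^[]*\[/, "", ip); sub(/\].*/, "", ip)
        rej[ip]++
    }
    END { for (ip in conn) printf "%d %d %s\n", conn[ip], rej[ip] + 0, ip }
    ' | sort -rn
}

# Reads maillog_clients output; prints IPs with more than $1 connections (default 2).
repeat_offenders() {
    awk -v min="${1:-2}" '$1 > min { print $3 }'
}

# Prints (does not execute) a DROP rule per offender, for a human to review.
block_rules() {
    while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Demo on the constructed sample. On a real box:
#   maillog_clients < /var/log/maillog | repeat_offenders 50 | block_rules
printf '%s\n' "$MAILLOG_SAMPLE" | maillog_clients
printf '%s\n' "$MAILLOG_SAMPLE" | maillog_clients | repeat_offenders 2 | block_rules
```

Rejections are counted separately from connections because a client that keeps connecting and being refused is the spam pattern the thread is guessing at, whereas a legitimate relay like mail.example.com above connects once and delivers. The threshold should be set from what a normal day looks like in the same log, not from the sample.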
Thanks smoker.
I'll keep an eye on the mail log and block any repeat offenders.
I also found out that the company running the servers is having issues with their bandwidth monitoring software, which may also be the cause of the unusually high traffic.