Linode Forum https://forum.linode.com/

constant IO https://forum.linode.com/viewtopic.php?f=19&t=8046
Page 1 of 1
Author: Ericson578 [ Sun Nov 13, 2011 1:27 pm ]
Post subject: constant IO

My linode is just a sandbox right now for me to play with things, there shouldn't really be any other traffic than myself visiting. For the first few months my bandwidth IO graphs reflected that: it would be at zero except when I visited or a cron fired off an email. 2 days ago I started getting a sustained 1kb/s in, and 1 out. Now it's up to 1kb/s in and 2 out. I only have a few scattered search engine spiders in my nginx log files, certainly not enough for sustained traffic 24/7. I noticed more ssh hacking attempts, but I've added a few ip addresses to my firewall and most are getting blocked. How can I figure out this spike in outbound network traffic? So far I've viewed netstat -a output (which didn't have anything malicious), and I've checked on the logs to see what's getting updated:

Code: ls -alt /var/log

Am I being paranoid? Want to make sure my box isn't crapping out spam emails or something worse.

Author: obs [ Sun Nov 13, 2011 2:35 pm ]

Try installing ntop, it has a nice web interface and monitors your traffic, so you can see what hosts are doing what.

Author: Brian Puccio [ Sun Nov 13, 2011 3:27 pm ]

ntop shows network use, but iotop shows IO, that might be more direct.

Author: obs [ Sun Nov 13, 2011 3:40 pm ]

iotop is for disk usage; they want network usage, hence ntop.

Author: Ericson578 [ Sun Nov 13, 2011 4:57 pm ]
Post subject: ntop

Thanks, I took your advice and installed ntop. I opened up port 3000 just for my ip address, hopefully that's good enough in addition to ntop having a password. Now I need to learn how to understand all of its output, I'm off to tutorial land.

Author: obs [ Sun Nov 13, 2011 4:58 pm ]

FYI ntop runs as a daemon in the background (or at least on ubuntu/debian); if you don't want to have it starting up when you boot your linode then remove it with

Code: update-rc.d -f ntop remove

Author: Brian Puccio [ Mon Nov 14, 2011 1:57 am ]

obs wrote: iotop is for disk usage, they want network usage hence ntop

Oops, didn't catch that, I saw "i/o" and thought disk "i/o", not network activity. I retract my former comment.

Author: Azathoth [ Mon Nov 14, 2011 6:45 am ]

Aggressive port scanners? If inbound traffic roughly equals outbound my first guess is firewall reject packets. Try changing default policy to drop (no response to invalid inbound) and see if something changes.

Author: Ericson578 [ Mon Nov 14, 2011 12:51 pm ]
Post subject: block all the scanners!

Azathoth wrote: Aggressive port scanners? If inbound traffic roughly equals outbound my first guess is firewall reject packets. Try changing default policy to drop (no response to invalid inbound) and see if something changes.

That sounds like a fantastic idea! I'm using ufw on ubuntu 11.04 as a front end to iptables. The default is deny from all, and here is the ruleset:

Code: # ufw status numbered

My understanding was these rules and the ufw default of deny all should prevent port scanning network traffic, is there a way for me to check? I'll research how to properly block port scanning, as always any pointers are greatly appreciated. (the open port 3000 is for ntop, recently installed to help me find out my network IO culprit)

Author: obs [ Mon Nov 14, 2011 12:55 pm ]

run

Code: iptables -L -n -v

It'll output a load of text (which you can put here). Look for lines with DROP or REJECT in them, especially one starting "Chain INPUT". If it says "DROP" then it's being dropped and no response is sent; if it says "REJECT" then it means it's sending notification back.

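The check obs describes, together with the DROP-versus-REJECT distinction Azathoth raised, can be scripted so you do not have to eyeball a long ruleset. The script below is an added example, not code from anyone in this thread: it reads `iptables -L -n -v` output on stdin, prints each built-in chain's policy and every REJECT rule with its packet and byte counters, so a REJECT rule that is answering scanners shows up with its counters beside it. The iptables output embedded in it is a constructed sample in the shape of a ufw-managed Ubuntu host (the chain names are ufw's real ones); the counters and the 203.0.113.7 address are made up.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Feed it `iptables -L -n -v` output and it
# reports each chain's policy plus every REJECT rule with its counters.
# DROP discards silently; REJECT answers with an ICMP unreachable or a TCP RST,
# so a REJECT rule with a high packet count is outbound traffic you did not ask for.

# Constructed sample of `iptables -L -n -v` output on a ufw-managed Ubuntu box.
# Chain names are ufw's real ones; counters and the 203.0.113.7 address are invented.
SAMPLE_IPTABLES='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 9821  611K ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 9821  611K ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   720 ACCEPT     tcp  --  *      *       203.0.113.7          0.0.0.0/0            tcp dpt:3000

Chain ufw-user-limit (1 references)
 pkts bytes target     prot opt in     out     source               destination
 4410  264K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

# report_rejects: read iptables -L -n -v output on stdin and print
#   "<chain> policy=<POLICY>"                     for each built-in chain, and
#   "<chain> REJECT pkts=<n> bytes=<n> <match>"   for each REJECT rule.
report_rejects() {
    awk '
        /^Chain / {
            chain = $2
            # Built-in chains carry "(policy XXX ...)"; user chains carry "(N references)".
            if (match($0, /\(policy [A-Z]+/)) {
                printf "%s policy=%s\n", chain, substr($0, RSTART + 8, RLENGTH - 8)
            }
            next
        }
        # Column 3 is the target; columns 10 onward are the match options (reject-with ...).
        $3 == "REJECT" {
            extra = ""
            for (i = 10; i <= NF; i++) extra = extra (i > 10 ? " " : "") $i
            printf "%s REJECT pkts=%s bytes=%s %s\n", chain, $1, $2, extra
        }
    '
}

# Live use (needs root):   iptables -L -n -v | report_rejects
# To make the INPUT policy silent, as Azathoth suggests, either
#   iptables -P INPUT DROP
# or, with ufw, `ufw default deny incoming` (ufw's "deny" is DROP; its "reject" is REJECT).
printf '%s\n' "$SAMPLE_IPTABLES" | report_rejects
```

On the constructed sample this prints `INPUT policy=DROP` and one line for the `ufw-user-limit` REJECT rule; a REJECT rule whose `pkts=` keeps climbing between two runs is the one sending the replies.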
Author: Ericson578 [ Mon Nov 14, 2011 1:03 pm ]
Post subject: iptables output

There is one reject towards the bottom in the Chain ufw-user-limit section. Entire output:

Code: # iptables -L -n -v

Author: obs [ Mon Nov 14, 2011 1:06 pm ]

It's not rejects causing your problems since by default you drop packets. Better keep looking!

Author: hoopycat [ Mon Nov 14, 2011 1:44 pm ]

You might need to use 'tcpdump' to capture the traffic over a time period to see what it actually is. 1 kb/sec on a five-minute average is slow enough that it's going to be difficult to measure it statistically. (It's a signal/noise problem... there's some amount of background noise on any network, and you're trying to see if there's a "signal" buried somewhere in there.) My typical approach is to capture tcpdump to a file (tcpdump -n -i eth0 -s 0 -w foo.pcap), let it run for a while, then use wireshark to analyze it on a local computer.

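The same capture can be summarised on the Linode itself when a Wireshark round trip is inconvenient. The function below is an added example, not hoopycat's code: capture with `tcpdump -n -i eth0 -s 0 -w foo.pcap` as above, decode the file with `tcpdump -nn -tt -q -r foo.pcap`, and pipe that text through `top_talkers`, which sums packets and bytes per remote host in each direction and lists the busiest first. The capture text embedded in it is constructed in the shape of tcpdump's `-q` output; 198.51.100.10 stands in for the Linode and the other addresses are documentation-range peers, none of them taken from the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): per-host byte counts from a tcpdump capture.
#
# Capture on the Linode (root):   tcpdump -n -i eth0 -s 0 -w foo.pcap
# Decode to text and summarise:   tcpdump -nn -tt -q -r foo.pcap | top_talkers <your ip>
# With -q tcpdump prints one line per packet, e.g.
#   1321000000.000001 IP 198.51.100.10.80 > 203.0.113.7.51234: tcp 1448
#   1321000000.000005 IP 198.51.100.10.44321 > 198.51.100.1.53: UDP, length 33

# Constructed sample in that shape. 198.51.100.10 plays the Linode; the other
# addresses are documentation-range peers, not the IP found in the thread.
SAMPLE_CAPTURE='1321000000.000001 IP 198.51.100.10.80 > 203.0.113.7.51234: tcp 1448
1321000000.000002 IP 203.0.113.7.51234 > 198.51.100.10.80: tcp 0
1321000000.000003 IP 192.0.2.55.33001 > 198.51.100.10.22: tcp 52
1321000000.000004 IP 198.51.100.10.22 > 192.0.2.55.33001: tcp 40
1321000000.000005 IP 198.51.100.10.44321 > 198.51.100.1.53: UDP, length 33
1321000000.000006 IP 198.51.100.1.53 > 198.51.100.10.44321: UDP, length 49
1321000000.000007 IP 203.0.113.7.51235 > 198.51.100.10.80: tcp 200'

# top_talkers <my_ip>: read tcpdump -q lines on stdin, print one line per remote
# host with packet/byte counts in each direction, busiest (by total bytes) first.
top_talkers() {
    local me="$1"
    awk -v me="$me" '
        $2 == "IP" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            # strip the trailing ".port" so counts are per host, not per flow
            sub(/\.[0-9]+$/, "", src); sub(/\.[0-9]+$/, "", dst)
            # payload length as -q prints it: "tcp N" or "UDP, length N"
            if ($6 == "tcp")       len = $7
            else if ($6 == "UDP,") len = $8
            else                   len = 0
            if (src == me)      { peer = dst; outp[peer]++; outb[peer] += len }
            else if (dst == me) { peer = src; inp[peer]++;  inb[peer]  += len }
            else next          # neither end is us: ignore
            seen[peer] = 1
        }
        END {
            for (p in seen)
                printf "%s in_pkts=%d in_bytes=%d out_pkts=%d out_bytes=%d total=%d\n",
                       p, inp[p], inb[p], outp[p], outb[p], inb[p] + outb[p]
        }
    ' | sort -t= -k6 -n -r
}

printf '%s\n' "$SAMPLE_CAPTURE" | top_talkers 198.51.100.10
```

A sustained 1 kb/s in and 2 kb/s out that is really one peer will sit at the top of this list with `out_bytes` well above `in_bytes`; background noise (DNS, NTP, scanners hitting DROP) stays spread across many small entries.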
Author: Ericson578 [ Wed Nov 16, 2011 1:17 pm ]
Post subject: Follow up

Figured it out, with the help of ntop! Turns out it was a Colombian IP address that was constantly accessing the site. I'm not sure exactly what they were doing yet (I'm still learning to interpret ntop info), but once I added their IP to the firewall the traffic IO graphs went back to normal (0 except for tiny bumps during cronjob emails to myself and whenever I access the site). Thanks for your help guys!

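Once ntop has named the address, the nginx access log answers the question left open above (what that host is actually requesting, and how many bytes the server is sending it). The functions below are an added example, not the OP's code: `top_clients` ranks source addresses in a combined-format access log by request count and bytes sent, and `client_requests` breaks one client down by method, path and status. The log lines are constructed; 203.0.113.9 is a documentation address standing in for the busy client, not the real IP from the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): who is hammering nginx, and with what.
# Works on the default "combined" log format:
#   <ip> - - [<time>] "<method> <path> <proto>" <status> <bytes> "<referer>" "<agent>"
# awk fields:  $1 ip   $6 "<method>   $7 path   $9 status   $10 bytes sent

# Constructed sample; 203.0.113.9 is a documentation address standing in for the
# busy client, not the IP from the thread.
SAMPLE_ACCESS_LOG='203.0.113.9 - - [16/Nov/2011:10:00:01 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Nov/2011:10:00:03 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.77 - - [16/Nov/2011:10:00:05 -0500] "GET /robots.txt HTTP/1.1" 200 68 "-" "Googlebot/2.1"
203.0.113.9 - - [16/Nov/2011:10:00:05 -0500] "GET /feed HTTP/1.1" 304 0 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Nov/2011:10:00:07 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.14 - - [16/Nov/2011:10:00:09 -0500] "GET / HTTP/1.1" 200 5120 "-" "curl/7.21.6"'

# top_clients: read an access log on stdin, print "<ip> requests=<n> bytes=<n>"
# per client, most requests first. bytes is what nginx sent, i.e. your outbound.
top_clients() {
    awk '{ n[$1]++; b[$1] += $10 }
         END { for (ip in n) printf "%s requests=%d bytes=%d\n", ip, n[ip], b[ip] }' |
    sort -t= -k2 -n -r
}

# client_requests <ip>: print "<count> <method> <path> <status>" for one client,
# most frequent first, so you can see whether it is a crawler, a feed poller,
# or something noisier.
client_requests() {
    local ip="$1"
    awk -v ip="$ip" '$1 == ip { m = $6; sub(/^"/, "", m); c[m " " $7 " " $9]++ }
                     END { for (k in c) printf "%d %s\n", c[k], k }' |
    sort -n -r
}

# Live use:   top_clients < /var/log/nginx/access.log
#             client_requests 203.0.113.9 < /var/log/nginx/access.log
# Blocking what you find with ufw (the OP's front end):   ufw insert 1 deny from 203.0.113.9
printf '%s\n' "$SAMPLE_ACCESS_LOG" | top_clients
printf '%s\n' "$SAMPLE_ACCESS_LOG" | client_requests 203.0.113.9
```

The `bytes=` column is the part that maps onto the outbound graph: a client fetching the same 5 KB page every couple of seconds accounts for a few kb/s out on its own, which is the order of magnitude the OP saw.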
Author: obs [ Wed Nov 16, 2011 1:20 pm ]

Glad you figured it out, if you need help interpreting the ntop data just ask.

All times are UTC-04:00