I am seeing a pretty constant stream of traffic on my network graphs to my sql server linode. Its running mysql and has no web server or anything else on it.



The traffic is not from my web server as they is hardly any activity on it currently, is there a way to identify where the traffic is coming from?

SSH to your sql-001 linode and try some netstat magic, for instance netstat --inet will show you current connections.

Do you have a firewall allowing only intranet traffic? Did you configure MySQL to listen only at intranet IPs?

Also, instructing the firewall to log activities will give you a better picture as well.

I have the server setup with only mysql connections allowed from the web server ip address.

Looking at the netstat output

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 sql-001:ssh ip-174-142-75-230:43221 ESTABLISHED

There is another entry which is for me, looks like some one if trying to log onto the server via SSH.

Would fail2ban stop these sort of attacks? I don't have a static IP address at home so cant lock SSH to a specific IP.

Just installed fail2ban and the connections have dropped right off.

Thanks for the help Azathoth

Just move SSH to another port, use public key authentication and you don't need fail2ban, you'll be safer anyways.

Changing your SSH port doesn't make you any safer.

But it does save you some CPU and log spam.

It does actually, it makes your SSH invisible to automated bruteforce bots.

But my whole sentence was using pubkey auth (and SSH on different port) that makes it (significantly) safer.