Linode Community Forums
PostPosted: Fri Jun 18, 2010 5:14 am 
Senior Member
Joined: Wed Jun 16, 2010 8:22 pm
Posts: 61
Website: http://www.kevinmccaughey.org
Hi,

The past 2 days my bandwidth has increased by about 180MB even though I haven't actually used any - my site is still down. Is this normal (from people probing my ports etc) or is this possibly an attack on the server? Overnight the bandwidth went up by 80MB while I slept.

Currently it is secured with a specific SSH port and connection by keys only. There are some crecords redirecting mail to gmail.


PostPosted: Fri Jun 18, 2010 8:42 am 
Junior Member
Joined: Mon Feb 22, 2010 9:40 pm
Posts: 37
What's showing on the bandwidth graph in linode manager?


PostPosted: Fri Jun 18, 2010 8:58 am 
Senior Member
Joined: Wed Jun 16, 2010 8:22 pm
Posts: 61
Website: http://www.kevinmccaughey.org
Well this is really bizarre, and I don't know why I didn't check this earlier, but it shows no use on the graph whatsoever? Or none that registers. I don't understand.

Even worse - it's gone up 60MB since I wrote this this morning!! Again - NOTHING on the graphs. Am I under attack and should I open a ticket on this?


PostPosted: Fri Jun 18, 2010 9:22 am 
Senior Member
Joined: Tue Nov 24, 2009 1:59 pm
Posts: 362
You totally sure that's not traffic on the lo (loopback) interface?
Paste output of ifconfig -a.

And it very well can be random portscans and bot-knocks, 60MB isn't much...


PostPosted: Fri Jun 18, 2010 9:26 am 
Senior Member
Joined: Wed Jun 16, 2010 8:22 pm
Posts: 61
Website: http://www.kevinmccaughey.org
Could you explain this loopback for me please? Here is the output from ifconfig -a:

root@li190-127:/etc/init.d# ifconfig -a
dummy0    Link encap:Ethernet  HWaddr 1a:09:3d:21:bc:16
          BROADCAST NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr fe:fd:b2:4f:86:7f
          inet addr:178.79.134.127  Bcast:178.79.134.255  Mask:255.255.255.0
          inet6 addr: fe80::fcfd:b2ff:fe4f:867f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:55679 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20397 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:60903275 (60.9 MB)  TX bytes:2290751 (2.2 MB)
          Interrupt:28

gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-66-65-34-66-00-00-00-00-00-00-00-00
          NOARP  MTU:1476  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ip6tnl0   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:1460  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:240 errors:0 dropped:0 overruns:0 frame:0
          TX packets:240 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:292248 (292.2 KB)  TX bytes:292248 (292.2 KB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

teql0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tunl0     Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

root@li190-127:/etc/init.d#


PostPosted: Fri Jun 18, 2010 10:10 am 
Senior Member
Joined: Tue Nov 24, 2009 1:59 pm
Posts: 362
tentimes wrote:
Could you explain this loopback for me please?

Well, Loopback is the virtual network card that's used for "talking to yourself" via 127.0.0.1 (actually, all of 127.x.x.x). But, your ifconfig output says
tentimes wrote:
Code:
lo        Link encap:Local Loopback
(...)
          RX bytes:292248 (292.2 KB)  TX bytes:292248 (292.2 KB)

that only 300 KB went through it.

Now, your main Ethernet interface,
tentimes wrote:
Code:
eth0      Link encap:Ethernet  HWaddr fe:fd:b2:4f:86:7f
(...)
          RX bytes:60903275 (60.9 MB)  TX bytes:2290751 (2.2 MB)

had 60MB of incoming data since last reboot. And 2.2 MB of outgoing data.

So, you either ran a few apt-get installs, urpmis, or whatever command your distro uses for software installation and it downloaded the packages, OR you uploaded a few files, OR there was quite a bunch of bots trying to knock on your door. Check out /var/log/auth.log for SSH password probes, maybe.


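The lo-versus-eth0 comparison in the reply above, as an added example that is not part of the thread: it parses net-tools ifconfig output (a constructed excerpt carrying the eth0 and lo counters posted earlier) and separates traffic that actually left the host from loopback traffic, which can never show up on a hosting bandwidth meter. The RX/TX ratio helper is an assumption of mine, not something the reply computes.

```python
import re

# Constructed excerpt of `ifconfig -a` output in the net-tools layout used in
# the thread; the eth0 and lo counters are the ones posted above.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr fe:fd:b2:4f:86:7f
          inet addr:178.79.134.127  Bcast:178.79.134.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:55679 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20397 errors:0 dropped:0 overruns:0 carrier:0
          RX bytes:60903275 (60.9 MB)  TX bytes:2290751 (2.2 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX bytes:292248 (292.2 KB)  TX bytes:292248 (292.2 KB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
"""

IFACE_RE = re.compile(r"^(\S+)\s+Link encap:")
BYTES_RE = re.compile(r"RX bytes:(\d+).*?TX bytes:(\d+)")


def parse_ifconfig(text):
    """Return {interface: (rx_bytes, tx_bytes)} from net-tools ifconfig output."""
    counters, current = {}, None
    for line in text.splitlines():
        head = IFACE_RE.match(line)  # interface names start in column 0
        if head:
            current = head.group(1)
            counters[current] = (0, 0)
            continue
        byte_line = BYTES_RE.search(line)
        if byte_line and current:
            counters[current] = (int(byte_line.group(1)), int(byte_line.group(2)))
    return counters


def wire_traffic(counters):
    """Interfaces that moved bytes off the host. Loopback never leaves the
    machine, so it cannot explain a hosting bandwidth meter going up; idle
    interfaces with zero counters are dropped as well."""
    return {name: rxtx for name, rxtx in counters.items()
            if name != "lo" and rxtx != (0, 0)}


def ratio_in_to_out(counters, iface="eth0"):
    """RX/TX byte ratio (assumed heuristic): a site that is down should serve
    almost nothing, so inbound-heavy traffic points at downloads or probes."""
    rx, tx = counters[iface]
    return rx / tx if tx else float("inf")
```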
PostPosted: Fri Jun 18, 2010 10:49 am 
Senior Member
Joined: Wed Jun 16, 2010 8:22 pm
Posts: 61
Website: http://www.kevinmccaughey.org
Well, I can see lots of SSH attempts failing, but there are gaps in between, which I assume is fail2ban kicking in. If they are doing other stuff though I can't see it.

Can't believe it only took a couple of days for the russians to find my server!


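The /var/log/auth.log check suggested two replies up, as an added example that is not part of the thread: over constructed sshd log lines (documentation-range addresses, not real attackers) it counts failed logins per source address and the usernames tried, flags sources at or above an assumed threshold of 3 failures, and lists accepted logins with their auth method so a key-only host can confirm that no password login ever succeeded.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log lines in the Debian/Ubuntu syslog
# layout of the time; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
# documentation ranges, so none of these addresses is a real host.
SAMPLE_AUTH_LOG = """\
Jun 18 03:12:01 li190-127 sshd[4312]: Invalid user oracle from 203.0.113.45
Jun 18 03:12:03 li190-127 sshd[4312]: Failed password for invalid user oracle from 203.0.113.45 port 51234 ssh2
Jun 18 03:12:07 li190-127 sshd[4315]: Failed password for root from 203.0.113.45 port 51240 ssh2
Jun 18 03:12:11 li190-127 sshd[4318]: Failed password for root from 203.0.113.45 port 51251 ssh2
Jun 18 03:12:15 li190-127 sshd[4320]: Failed password for invalid user test from 203.0.113.45 port 51260 ssh2
Jun 18 03:40:22 li190-127 sshd[4401]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jun 18 07:55:40 li190-127 sshd[4590]: Accepted publickey for kevin from 192.0.2.10 port 55012 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def summarize_failures(log_text):
    """Per source IP: number of failed logins and the set of usernames tried."""
    by_ip = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in log_text.splitlines():
        hit = FAILED_RE.search(line)
        if hit:
            user, ip = hit.groups()
            by_ip[ip]["failures"] += 1
            by_ip[ip]["users"].add(user)
    return dict(by_ip)


def probable_bruteforcers(summary, threshold=3):
    """Sources at or above the failure count a fail2ban-style jail would act
    on (threshold is an assumed value, not fail2ban's default); busiest first."""
    hits = [(ip, d["failures"]) for ip, d in summary.items()
            if d["failures"] >= threshold]
    return sorted(hits, key=lambda t: -t[1])


def accepted_logins(log_text):
    """(method, user, ip) for every successful login. On a keys-only host any
    method other than 'publickey' here means the hardening is not in effect."""
    return [m.groups() for m in map(ACCEPT_RE.search, log_text.splitlines()) if m]
```

Run it against the real file with summarize_failures(open("/var/log/auth.log").read()) on a Debian-family host; the regexes assume the classic syslog line shape shown in the sample.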
PostPosted: Fri Jun 18, 2010 11:00 am 
Senior Member
Joined: Tue Nov 24, 2009 1:59 pm
Posts: 362
More likely Chinese. And the botnets hit all random addresses they can roll... usually first attempts happen a few minutes after deployment. ;) Change your SSH port to some non-standard one in /etc/ssh/sshd_config or deal with the login attempts.


PostPosted: Fri Jun 18, 2010 11:23 am 
Senior Member
Joined: Wed Jun 16, 2010 8:22 pm
Posts: 61
Website: http://www.kevinmccaughey.org
SSH port already on something different, plus have it on keys only, UFW set up to default deny and only the absolute minimum ports allowed, with fail2ban running ;) hopefully that will keep them out.

Thanks for the help :)

