I received a message that my Linode's inbound traffic was exceeding a threshold. How do I check this traffic to locate the source?

Linode Staff

I received an email notifying me of an inbound traffic exceeding the warning threshold set in settings. Is it possible to find out if there was an influx from a certain IP range?

2 Replies

Linode does not log traffic records for Linodes, so this would be information that we could not provide. The notification that you received is the one that can be enabled and configured through the specific Linode's dashboard in the Cloud Manager.

If you want to change the threshold for the notification or turn it off completely, you can do that by following the instructions in our Configure Email Alerts guide.

When it comes to finding out where the traffic originated from after the fact, this can be a little harder. This is especially true depending on what services you're running on your Linode, and how those services log network activity.

Web servers generally have their access logs in /var/log/$webServerDirectory/access.log. There's also /var/log/auth.log, which will show attempts to access the Linode itself. For those who haven't reviewed service logs before, there's a helpful Community Questions post that covers this: How do I check my server's log files?

If you identify some malicious access attempts, then I would recommend setting up Fail2Ban on your Linode, in addition to working through the Securing Your Server guide.

You can also set up a firewall. There are a couple of options here, depending on how you want to mitigate unwanted traffic:
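As an added illustration of the log-review approach in the reply above (this is not part of the original reply or Linode's own tooling), the script below tallies requests per source IP from a web access log in the common combined format, collapses those counts into /24 ranges so an influx from one block stands out, and counts failed sshd password attempts from auth.log. The log lines embedded in it are constructed samples using documentation addresses; point `access_stats` and `failed_ssh_logins` at the contents of your real files instead. Note that the access log records the response size (outbound bytes), so request counts are the closest proxy it offers for inbound volume.

```python
"""Find the busiest source IPs / ranges in a web access log and auth log.
Added example, not from the Linode post; the log lines are constructed."""
import re
import ipaddress
from collections import Counter

# Constructed sample lines in the Apache/nginx "combined" format.
ACCESS_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88"
203.0.113.11 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.12 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.10 - - [10/Oct/2023:13:55:39 +0000] "POST /upload HTTP/1.1" 200 1048576 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""

# Constructed sshd lines in the shape they appear in /var/log/auth.log.
AUTH_LOG = """\
Oct 10 13:55:41 linode sshd[1234]: Failed password for invalid user admin from 203.0.113.11 port 51234 ssh2
Oct 10 13:55:42 linode sshd[1234]: Failed password for invalid user admin from 203.0.113.11 port 51235 ssh2
Oct 10 13:55:43 linode sshd[1240]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)')
AUTH_RE = re.compile(
    r'sshd\[\d+\]: (?P<event>Failed password|Accepted \w+) for .* from (?P<ip>\S+) port')


def access_stats(text):
    """Return (requests per IP, response bytes per IP) for an access log."""
    hits, resp_bytes = Counter(), Counter()
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that don't parse instead of aborting
        ip = m.group("ip")
        hits[ip] += 1
        size = m.group("size")
        resp_bytes[ip] += 0 if size == "-" else int(size)
    return hits, resp_bytes


def failed_ssh_logins(text):
    """Count failed sshd password attempts per source IP."""
    failed = Counter()
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m and m.group("event") == "Failed password":
            failed[m.group("ip")] += 1
    return failed


def group_by_range(counter, prefix_len=24):
    """Collapse per-IP counts into per-network counts (default: /24 ranges)."""
    ranges = Counter()
    for ip, n in counter.items():
        try:
            net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        except ValueError:
            continue  # ignore malformed addresses
        ranges[str(net)] += n
    return ranges


if __name__ == "__main__":
    hits, resp_bytes = access_stats(ACCESS_LOG)
    print("Top requesters:", hits.most_common(3))
    print("Bytes served per IP:", resp_bytes.most_common(3))
    print("Requests per /24:", group_by_range(hits).most_common())
    print("Failed SSH logins:", failed_ssh_logins(AUTH_LOG).most_common())
```

Run it against real files with `access_stats(open("/var/log/nginx/access.log").read())`; raising `prefix_len` to 16 groups by /16 if you suspect a larger block.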

Hello,
The options here may help you determine future use of traffic, once some setup is done.

If you're using systemd version 235 and greater, and a Linux kernel of version 4.11 or above, you can also enable IP Accounting for individual services, or as a default option within the systemd configuration file, located at /etc/systemd/system.conf. To enable it as a default option for all systemd services, edit the mentioned file and either add, modify, or uncomment the DefaultIPAccounting option, which should read like the following:

DefaultIPAccounting=yes

You can also enable this in individual systemd service files within the service section of the file. An example might be this:

[Service]
IPAccounting=yes

To then check the status of any individual service, apache for example, run the following command:

sudo systemctl status httpd

Within the information presented, you should be able to see the amount of inbound and outbound traffic for that service.

For anything that isn't running in a systemd service, you may be able to use nftables to add inbound and outbound rules to the firewall, monitoring traffic coming and going to various ports on your server.

For more information about the systemd method I mentioned, you can read this article, and to learn more about monitoring traffic with nftables, this can help you learn about nftables counters, and this should help you learn a simple ruleset for using nftables.

Blake
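To complement Blake's systemd IP accounting suggestion, here is an added example (not part of the reply) that reads the counters `systemctl status` summarizes, via `systemctl show`, and prints them in readable units. The only assumption is that `IPAccounting=yes` (or `DefaultIPAccounting=yes`) is in effect for the unit; when it is not, systemd prints `[not set]` for the counters, which the parser keeps distinct from a genuine zero. The two `SAMPLE_*` strings are constructed stand-ins for the command's output so the parsing can be exercised without systemd.

```python
"""Read per-service IP accounting counters exposed by systemd (>= 235).
Added example, not from the Linode post. Assumes IPAccounting is enabled
for the unit being queried; sample outputs below are constructed."""
import subprocess
import sys

PROPS = ("IPIngressBytes", "IPEgressBytes", "IPIngressPackets", "IPEgressPackets")


def parse_show_output(text):
    """Parse the KEY=VALUE lines printed by `systemctl show -p ...`.
    systemd prints '[not set]' when accounting is off for that unit; such
    counters come back as None so 'no traffic' (0) and 'not measured' differ."""
    result = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key not in PROPS:
            continue
        result[key] = None if value.strip() == "[not set]" else int(value)
    return result


def human_bytes(n):
    """Format a byte count with binary units (KiB, MiB, ...)."""
    units = ["B", "KiB", "MiB", "GiB", "TiB"]
    value = float(n)
    for unit in units:
        if value < 1024 or unit == units[-1]:
            return f"{value:.1f} {unit}"
        value /= 1024


def service_ip_accounting(unit):
    """Query systemd for one unit's counters (real call; needs systemd)."""
    out = subprocess.run(
        ["systemctl", "show", "-p", ",".join(PROPS), unit],
        capture_output=True, text=True, check=True).stdout
    return parse_show_output(out)


def summarize(counters):
    """One-line human summary, flagging units with accounting disabled."""
    if counters.get("IPIngressBytes") is None:
        return "IP accounting is not enabled for this unit (counters [not set])"
    return (f"in: {human_bytes(counters['IPIngressBytes'])} "
            f"({counters.get('IPIngressPackets')} pkts), "
            f"out: {human_bytes(counters['IPEgressBytes'])} "
            f"({counters.get('IPEgressPackets')} pkts)")


# Constructed sample output in the shape `systemctl show` prints it.
SAMPLE_ENABLED = ("IPIngressBytes=1572864\nIPEgressBytes=4096\n"
                  "IPIngressPackets=1200\nIPEgressPackets=40\n")
SAMPLE_DISABLED = ("IPIngressBytes=[not set]\nIPEgressBytes=[not set]\n"
                   "IPIngressPackets=[not set]\nIPEgressPackets=[not set]\n")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python3 ipacct.py httpd  (hypothetical file name)
        print(sys.argv[1], summarize(service_ip_accounting(sys.argv[1])))
    else:
        print(summarize(parse_show_output(SAMPLE_ENABLED)))
        print(summarize(parse_show_output(SAMPLE_DISABLED)))
```

Counters reset when the service restarts, so read them before restarting a service you suspect, and compare the per-service ingress figure against the interface total to see which service accounts for the spike.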
