My bandwidth usage is too high!

Use tcpdump to monitor the incoming traffic (it filters out ssh):

tcpdump -i eth0 -n not port 22

Thanks. After stopping all the services, I run it and I saw a lot of traffic in port 25, which I strongly believe it's not normal traffic, and the bw usage was still high.

The computer is now shutdown, and I opened a support ticket. Hopefully I will get an answer soon.

port 25 is SMTP (email)

sure you're not running an open relay, and spammers are relaying through you? sure you're not just seeing a large volume of incoming email?

He does say the traffic is all incoming, but it still could be spam attempts, if he's rejecting the emails after SMTP time. In fact, I wonder if the spam is being queued on the server (along with, perhaps, the bounce messages).

Thanks for the comments. AFAIK, I'm not running an open relay. At least some tests like http://verify.abuse.net/cgi-bin/relaytest says I am not.

Looking at the mail logs, I can see a "normal" amount of spam attempts. That means, I got a logged SMTP connection every 5 seconds, or even longer.

And…

root@ffh2:/var/spool/postfix# postqueue -p

Mail queue is empty

But now I don't know if it is running against SMTP anymore. I'm seeing strange things. For example, from tcpdump:

10:53:09.072144 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43239758:43304918(65160) ack 1697 win 61 10:53:09.119718 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43370078:43435238(65160) ack 1697 win 61 10:53:09.120282 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43500398:43565558(65160) ack 1697 win 61 10:53:09.121022 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43565558:43630718(65160) ack 1697 win 61 10:53:09.121639 IP 192.168.134.122.mysql > 192.168.133.68.39696: P 43630718:43695878(65160) ack 1697 win 61 10:53:09.169717 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43761038:43826198(65160) ack 1697 win 61 10:53:09.170241 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43891358:43956518(65160) ack 1697 win 61 10:53:09.170910 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43956518:44021678(65160) ack 1697 win 61 10:53:09.171509 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44021678:44086838(65160) ack 1697 win 61 10:53:09.171903 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44086838:44151998(65160) ack 1697 win 61 10:53:09.219871 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44151998:44217158(65160) ack 1697 win 61 10:53:09.220474 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44282318:44347478(65160) ack 1697 win 61 10:53:09.221134 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44347478:44412638(65160) ack 1697 win 61 10:53:09.221863 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44412638:44477798(65160) ack 1697 win 61 10:53:09.269265 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44542958:44573366(30408) ack 1697 win 61 Who are those 192.168.x.x? They are not me, as far as I understand. Why do I capture this traffic with tcpdump?

I had my server off for more than 16 hours, and as soon as I boot it, the traffic is there.

Any idea?

Have you used netstat to check ports? As root:

netstat -tp

James

Yes, and nothing unusual. In fact, yesterday I stopped all the services, and traffic was still high.

On the IRC, it seems I am not the only one suffering from this, and it might be a problem in the datacenter.

ferfer i spoke to your on IRC this morning. I've had a response to my support ticket, apparently the problem is with "bandwidth stat collection on newark42".

They've said we won't be charged for bandwidth over-use this month as its a technical fault.

I only went and installed shorewall as soon as I saw my stats! -ah well, been meaning to do it for a while anyway!

Yes, they did the same for my ticket. And for the last ~4 hours everything seems to be ok.

I already had shorewall installed, so I felt pretty confident. And my spam rate, although it is high to my taste, it was not so high to justify that incoming bandwidth.

Anyway, I feel more relaxed now. Hope they can fix it completely soon.