Incoming traffic load very high, help needed.
First I want to say thanks to everyone at Linode, I've been using the service for over a year and I love it!
Now to my problem:
February is only three days old, and already I have incoming traffic accumulated at 2.16 GB, and peaks of sustained incoming traffic at over 1 Mbit/second. (Accumulated bandwidth out is only 42 MB!)
I first suspected an SSH brute force-type attack so I changed from the standard port 22 to a new one (I checked auth.log and there were a lot of different "Invalid user").
However, since I did that there seems to have been an increase in incoming traffic. The only other things I have accessible over the network are Apache (port 80) and proftpd (port 21). I can't really restrict access to Apache I guess, and the proftpd logs show no signs of any failed login attempts.
Any suggestions as to what I can do to fix this? It's eating up bandwidth that I pay for…
13 Replies
-A INPUT -m limit --limit 24/second --limit-burst 32 -p tcp -m multiport --dports http,https -j ACCEPT
-A INPUT -p tcp -m multiport --dports http,https -j DROP
You might need to tweak the numbers, but basically this will allow any 1 host to make 24 connections per second on port 80/443, and burst to 32/sec. Anything over that will be discarded.
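An added example, not part of the thread: iptables' `limit` match keeps one token bucket per rule, shared by every source address, and it counts packets. This simplified Python model of `--limit 24/second --limit-burst 32` compares that shared bucket with one bucket per source (the behaviour the `hashlimit` match provides) on constructed traffic; the addresses and packet rates are made up.

```python
# Added illustration: simplified token-bucket model of the iptables `limit` match.
# Integer microseconds and micro-tokens keep the arithmetic exact.
from collections import defaultdict

RATE = 24          # --limit 24/second; equals micro-tokens refilled per microsecond
BURST = 32         # --limit-burst 32
TOKEN = 1_000_000  # one packet costs one token (1,000,000 micro-tokens)


class Bucket:
    """Starts full at BURST tokens and refills at RATE tokens per second."""

    def __init__(self):
        self.tokens = BURST * TOKEN
        self.last_us = 0

    def allow(self, now_us):
        refill = (now_us - self.last_us) * RATE
        self.tokens = min(BURST * TOKEN, self.tokens + refill)
        self.last_us = now_us
        if self.tokens >= TOKEN:
            self.tokens -= TOKEN
            return True   # first rule matches: ACCEPT
        return False      # no match: the packet reaches the DROP rule


def simulate(packets, per_source):
    """packets: (time_us, source_ip) sorted by time. Returns accepted packets per source."""
    shared = Bucket()
    by_source = defaultdict(Bucket)
    accepted = defaultdict(int)
    for now_us, src in packets:
        bucket = by_source[src] if per_source else shared
        if bucket.allow(now_us):
            accepted[src] += 1
    return dict(accepted)


def constructed_traffic(seconds=10):
    """Constructed sample: one source at 1000 packets/s, another at 5 packets/s."""
    noisy = [(i * 1_000, "198.51.100.7") for i in range(seconds * 1000)]
    quiet = [(i * 200_000 + 500, "203.0.113.20") for i in range(seconds * 5)]
    return sorted(noisy + quiet)


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("one bucket per rule (limit):  ", simulate(traffic, per_source=False))
    print("one bucket per source address:", simulate(traffic, per_source=True))
```

On the constructed traffic, the slow source gets 1 of its 50 packets through the shared bucket and all 50 when each source has its own bucket.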
192.168.133.77:mysql to 192.168.133.75:random port
However, in my PHP scripts I connect to MySQL over localhost and my MySQL server is configured to only accept connections on localhost.
Is the data I send over the localhost connection counted as incoming traffic to the server all of a sudden?
My accumulated incoming bandwidth is now 2.55 GB which is about 4% of my monthly allotment.
Nevertheless, you should find out why that guy is connecting to your DB (or trying to).
Why not open a support ticket and have the ops find out who that IP belongs to and figure out what's going on?
@bes:
When I run iftop it seems that only two IP addresses are involved in the larger chunks of data transfer:
192.168.133.77:mysql to 192.168.133.75:random port
I just started getting these today, opening support ticket now.
James
I don't see anything like this, but I don't have MySQL open (esp. not with a port open to the outside).
Jeff