Identifying unknown traffic on linode

I am seeing a pretty constant stream of traffic on my network graphs to my sql server linode. It's running MySQL and has no web server or anything else on it.

![](http://farm3.static.flickr.com/2496/4166156278b87004f1e0o.png)

The traffic is not from my web server, as there is hardly any activity on it currently. Is there a way to identify where the traffic is coming from?

7 Replies

SSH to your sql-001 linode and try some netstat magic; for instance, `netstat --inet` will show you current connections.

Do you have a firewall allowing only intranet traffic? Did you configure MySQL to listen only at intranet IPs?

Also, instructing the firewall to log activities will give you a better picture as well.

I have the server set up with only MySQL connections allowed from the web server IP address.

Looking at the netstat output:

```
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address           State
tcp        0      0 sql-001:ssh             ip-174-142-75-230:43221   ESTABLISHED
```

There is another entry which is for me; looks like someone is trying to log onto the server via SSH.

Would fail2ban stop this sort of attack? I don't have a static IP address at home so can't lock SSH to a specific IP.

Just installed fail2ban and the connections have dropped right off.

Thanks for the help Azathoth

Just move SSH to another port, use public key authentication and you don't need fail2ban, you'll be safer anyways.

@Azathoth:

> Just move SSH to another port, use public key authentication and you don't need fail2ban, you'll be safer anyways.

Changing your SSH port doesn't make you any safer.

@Guspaz:

> Changing your SSH port doesn't make you any safer.

But it does save you some CPU and log spam.

@Guspaz:

> Changing your SSH port doesn't make you any safer.

It does actually, it makes your SSH invisible to automated bruteforce bots.

But my whole sentence was using pubkey auth (and SSH on different port) that makes it (significantly) safer.
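The thread traces the unexplained traffic to repeated SSH login attempts. As an added example (not part of the original thread, and not fail2ban's own code), this sketch counts failed sshd password logins per source address inside a sliding window, which is the kind of threshold check fail2ban's `maxretry` and `findtime` settings describe. The log lines are constructed samples in the usual OpenSSH syslog format with documentation IP ranges; `offenders`, `max_retry`, `find_time` and `year` are names chosen for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the usual OpenSSH syslog format (documentation IPs).
SAMPLE_LOG = """\
Dec 10 10:00:01 sql-001 sshd[2101]: Failed password for root from 203.0.113.5 port 43221 ssh2
Dec 10 10:00:03 sql-001 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 43222 ssh2
Dec 10 10:00:05 sql-001 sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 43223 ssh2
Dec 10 10:00:09 sql-001 sshd[2110]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2
Dec 10 10:20:00 sql-001 sshd[2200]: Failed password for alice from 198.51.100.7 port 50130 ssh2
Dec 10 10:45:00 sql-001 sshd[2300]: Failed password for root from 192.0.2.9 port 40000 ssh2
Dec 10 11:30:00 sql-001 sshd[2400]: Failed password for root from 192.0.2.9 port 40001 ssh2
Dec 10 12:15:00 sql-001 sshd[2500]: Failed password for root from 192.0.2.9 port 40002 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def offenders(log_text, max_retry=3, find_time=timedelta(minutes=10), year=2000):
    """Return {ip: sorted usernames tried} for sources with at least max_retry
    failed logins inside any find_time window. Syslog timestamps carry no
    year, so `year` is an assumed value used only to order events."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> every username that source tried
    flagged = set()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins and unrelated lines are ignored
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(when)
        while when - window[0] > find_time:
            window.popleft()      # drop failures older than the window
        users[m["ip"]].add(m["user"])
        if len(window) >= max_retry:
            flagged.add(m["ip"])
    return {ip: sorted(users[ip]) for ip in sorted(flagged)}

if __name__ == "__main__":
    for ip, names in offenders(SAMPLE_LOG).items():
        print(ip, "tried:", ", ".join(names))
```

With the default ten-minute window only the fast guesser is flagged; the source that spaces its attempts 45 minutes apart stays under the threshold until `find_time` is widened.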
