Q; How to check logs for bandwidth usage? Someone sucked 1TB of BW in 6hrs

Blazing Member
edited December 2017 in Help

Background: New KVM. Clean install of Ubuntu 16.04 & LEMP stack (following methodical procedures on Digitalocean tutorials).
UFW (rules restricted to Port 80 & possibly 443)

Separate server blocks created (for eventual multisite w/LetsEncrypt).
I installed WP and pointed 3 Domains to server but none were active (other than the temp page in WP).

Generated SSL key & got certbot working on all 3 domains (greying-out A record in CloudFlare)

6hrs later, I went from 2GB of usage to 1TB.

Who would purloin that bandwidth? A gamer, bitminer?

Looking for suggestions on best way to (after-the-fact) analyze and determine how it (breach?) occurred and what I can do to remedy.

I did not have any 3rd party programs pre-installed to monitor traffic.
TIA

Comments

  • cat access_log | awk '{print $1}' | sort | uniq -c | sort -n | tail

    Thanked by 1Blazing
  • Falzo Member
    edited December 2017

    iftop ?

    if it might be ongoing that is

    Thanked by 1Blazing
  • where did you read 1TB? it can be a shared network and this was UDP traffic etc ... i also get shocked when i see something like 17GB from vnstat and provider confirmed it's normal ..... yes i also had firewall running and ports closed and get the same sucky.

    anyway... check the above 2 and ask your providers for the sucky thief. :)

    Thanked by 1Blazing
  • Blazing Member
    edited December 2017

    @Cassa - response was:

    cat: access_log: No such file or directory.

    @Falzo - Viewing iftop now. Though to me, the info scrolling on the putty screen looks like the matrix.
    Only thing I see out of the ordinary is a destination from my IP (US) to
    beiramar173.static.host.gvt.net.br

    Update: I tightened-up some of the Cloudflare settings and that Brazil IP disappeared.

  • Blazing Member
    edited December 2017

    @ehab Yeah first thing I did was create a ticket (required to get unsuspended) and also mentioned that "I" was not using any bandwidth and if they (my host) could see/determine the "sucky thief" (IP destination, etc).

    HOST simply claims (and I have no reason to doubt them) I exceeded my monthly max of 1TB.

    They charged me a few bucks to reactivate and grant me modest additional bandwidth but provided a very terse response to my inquiry about "what IP" was the destination. They simply said to look at the usage monitor on the dashboard graph (basically redlined for 5hrs until suspended) but graph does not provide IP (or other info from what I can gather).

    Thanked by 1ehab
  • sorry to hear you had to pay.... if i was you i would move to another provider.

  • Blazing Member
    edited December 2017

    I grabbed acct during LET BF-CMonday. "I" likely screwed-up, (I'm obviously not a network/sys guy).

    I would have appreciated just a teensy bit of input from the Tier 2 level tech who initially suspended my account stating in ticket for me to pay up or remain suspended. Maybe even expecting a courtesy pass because this was evidently a breach of some sort.

    Per their network interface, they were putting out a few other fires and busier than normal this morning

  • So, bump the ticket and ask if they can provide any more information when they can get to it. It's good that you see you don't know what's going on, but you're not the only one they're dealing with. Any one of them worth their salt will be happy to tell you what they can- when they can.

    My advice is to learn a bit more administration to go with that KVM. Some prefer OpenVZ because it takes out the kernel-and-lower-network level work, but you still need to know how Apache/WordPress/iptables/etc work.

    Thanked by 1Blazing
  • @WSS said:
    So, bump the ticket and ask if they can provide any more information when they can get to it.

    My advice is to learn a bit more administration.

    Re: Bump ticket. I considered it but I figure for $20/yr they ain't providing a lot of support. My intentions mirror your second suggestion; learn a little more admin. Ps: I also have an idle OVZ.

    Busy with life this very moment but later this evening will see if there are any logs that stored/captured/retained the info.

    Also determine if I have to reinstall OS or Grep-around to see if any backdoors were installed. (While my newb comments may be amusing, I'm genuinely wondering if they had root access and created another user (they didn't) or created some other means to revisit).

  • My guess is that the tutorial you followed was a bit outdated and someone hammered you through that, or for some reason decided to brute-force your ssh/apache. Without checking your logs (look under /var/log), it's really difficult to offer anything else.

    Thanked by 1Blazing
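The two log checks suggested so far (the access-log one-liner in the first comment and the "look under /var/log" advice above) combined into one script, as an added example that is not from the thread. It summarises a combined-format web access log by client IP (bytes served and request count, which is what answers "who pulled 1 TB") and counts failed SSH password attempts per source IP from auth.log. The sample log lines are constructed; the real paths on a LEMP/Ubuntu box would normally be /var/log/nginx/access.log and /var/log/auth.log, which is an assumption to check locally.

```shell
#!/bin/sh
# Added example (not the thread's own code). Summarise bandwidth per client from a
# combined-format access log, and failed SSH logins per source IP from auth.log.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_ACCESS="$SAMPLE_DIR/access.log"  # real file (assumption): /var/log/nginx/access.log
SAMPLE_AUTH="$SAMPLE_DIR/auth.log"      # real file (assumption): /var/log/auth.log

# Constructed access log: one client fetches a 500 MB upload twice.
# Combined log format: $1 = client IP, $9 = status, $10 = body bytes sent.
cat > "$SAMPLE_ACCESS" <<'EOF'
203.0.113.7 - - [03/Dec/2017:10:15:32 +0000] "GET /wp-content/uploads/big.zip HTTP/1.1" 200 524288000 "-" "Mozilla/5.0"
198.51.100.2 - - [03/Dec/2017:10:15:40 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Dec/2017:10:16:01 +0000] "GET /wp-content/uploads/big.zip HTTP/1.1" 200 524288000 "-" "Mozilla/5.0"
192.0.2.9 - - [03/Dec/2017:10:16:30 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "curl/7.47.0"
198.51.100.2 - - [03/Dec/2017:10:17:02 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Dec/2017:10:17:15 +0000] "GET /robots.txt HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF

# Constructed auth.log: two failures from one host, one from another, one success.
cat > "$SAMPLE_AUTH" <<'EOF'
Dec  3 10:20:01 vps sshd[1201]: Failed password for root from 198.51.100.77 port 51022 ssh2
Dec  3 10:20:03 vps sshd[1203]: Failed password for invalid user admin from 198.51.100.77 port 51030 ssh2
Dec  3 10:21:10 vps sshd[1210]: Failed password for root from 192.0.2.44 port 40002 ssh2
Dec  3 10:22:00 vps sshd[1215]: Accepted publickey for deploy from 203.0.113.5 port 50010 ssh2
EOF

# Total bytes and requests per client IP, largest first.
# %.0f instead of %d so a multi-gigabyte total does not overflow a 32-bit awk int;
# Apache writes "-" for zero bytes, which awk adds as 0.
bytes_by_client() {
  awk '{ bytes[$1] += $10; reqs[$1]++ }
       END { for (ip in bytes) printf "%s %.0f %d\n", ip, bytes[ip], reqs[ip] }' "$1" \
    | sort -k2,2nr
}

# Top N clients by bytes served (default 10): "ip bytes requests" per line.
top_by_bytes() {
  bytes_by_client "$1" | head -n "${2:-10}"
}

# Client IPs whose total exceeds a byte threshold, e.g. clients_over LOG 1000000000 (> 1 GB).
clients_over() {
  bytes_by_client "$1" | awk -v lim="$2" '$2 > lim { print $1 }'
}

# Failed SSH password attempts per source IP (the token after "from" in sshd lines).
failed_ssh_by_ip() {
  grep -E 'sshd\[[0-9]+\]: Failed password' "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c | sort -nr
}

echo "== top clients by bytes (ip bytes requests) =="
top_by_bytes "$SAMPLE_ACCESS" 5
echo "== clients over 1 GB =="
clients_over "$SAMPLE_ACCESS" 1000000000
echo "== failed ssh logins by source =="
failed_ssh_by_ip "$SAMPLE_AUTH"
```

On a real box, point the functions at the rotated logs as well (access.log.1, access.log.*.gz via zcat), since the window of interest here is a few hours that may already have rotated; and remember that body bytes in the access log only cover HTTP, so traffic from a compromised process or a UDP flood, as the other comments suggest, will not appear there at all.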
  • @ehab said:
    where did you read 1TB? it can be a shared network and this was UDP traffic etc ... i also get shocked when i see something like 17GB from vnstat and provider confirmed it's normal ..... yes i also had firewall running and ports closed and get the same sucky.

    Yeah, sometimes strange stuff happens. I've actually become used to lowering SYN-ACK retries and setting a firewall rule to drop SYN packets with low source ports on every box I install after some morons seemed to have discovered the wonders of reflected SYN-ACK flood and hammered seemingly every server they could find to the point it almost became a SYN flood. It's a wild wild world with tons of noise out there on the internet...

    Thanked by 1Blazing
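The two mitigations the comment above describes, written out as an added example (not code from the thread or any poster). In a reflected SYN-ACK flood the attacker sends SYNs with the victim's spoofed address to many servers, and each server's SYN-ACK retransmissions land on the victim; fewer SYN-ACK retries shrinks this box's contribution, and since legitimate clients connect from ephemeral source ports (1024 and up), dropping inbound SYNs with a source port below 1024 costs little. The retry count and port range are assumptions to tune; the script only prints the commands unless run as root with APPLY=1.

```shell
#!/bin/sh
# Added example (not from the thread): reduce this host's part in reflected SYN-ACK
# floods. Values below are assumptions; review the output before applying.

SYNACK_RETRIES=2        # kernel default is 5; fewer retries, less amplification
LOW_PORT_RANGE=0:1023   # real clients use ephemeral source ports >= 1024

# Emit the commands one per line so they can be reviewed, logged or diffed.
syn_reflection_rules() {
  printf '%s\n' \
    "sysctl -w net.ipv4.tcp_synack_retries=$SYNACK_RETRIES" \
    "iptables -I INPUT -p tcp --syn --sport $LOW_PORT_RANGE -j DROP" \
    "ip6tables -I INPUT -p tcp --syn --sport $LOW_PORT_RANGE -j DROP"
}

# Execute the emitted commands; refuses to run without root.
apply_rules() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "apply_rules: must run as root" >&2
    return 1
  fi
  syn_reflection_rules | while IFS= read -r cmd; do
    echo "+ $cmd"
    $cmd   # each line is a simple command with no quoted arguments, so splitting is safe
  done
}

if [ "${APPLY:-0}" = "1" ]; then
  apply_rules
else
  syn_reflection_rules
fi
```

The `-I INPUT` rules are inserted ahead of whatever UFW has set up and do not survive a reboot; on a UFW host the durable place for them is /etc/ufw/before.rules, and the sysctl belongs in /etc/sysctl.d/ (both of which are assumptions about that setup, not something the comment above specifies).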
  • @WSS said:
    bump ticket and ask if they can provide any more information when they can get to it.
    Any one of them worth their salt will be happy to tell you what they can- when they can.

    I inquired last night, (asking as politely as a highschool chess-club president would ask a cheerleader to the prom).

    I also left a huge OUT, stating "If this inquiry/request is out-of-line or beyond the level of service for a budget KVM, (which I completely understand) please disregard."

    They took me up on the OUT, responding: I'm sorry - but this is not something we generally look into.

    Tech did provide an enlightening & informative (to me) suggestion. "This could be hacked, in which case I'd look at p*s aux carefully and see if there are any anomalies."

  • Basically 'check your running processes'. Not the most helpful- but it would be interesting to know what the hell happened.

  • Clouvider Member, Patron Provider

    @ehab said:
    sorry to hear you had to pay.... if i was you i would move to another provider.

    The OP clearly doesn’t have skills required to manage the service. How is the provider at fault ?

    If you pay for 100 carrots you cannot take 200 and say that you weren’t counting. It was the OP job to prevent it, simple as that.

  • @Clouvider said:
    The OP clearly doesn’t have skills required to manage the service. How is the provider at fault ?

    true, the OP doesn't have the skills to investigate further and should get a managed server if he will use it for production. I asked him to move to another because they didn't assist or offer paid assistance to help.

    Thanked by 1Clouvider