Q: How to check logs for bandwidth usage? Someone sucked 1TB of BW in 6hrs
Background: New KVM. Clean install of Ubuntu 16.04 & LEMP stack (following methodical procedures on Digitalocean tutorials).
UFW (rules restricted to Port 80 & possibly 443)
Separate server blocks created (for eventual multisite w/LetsEncrypt).
I installed WP and pointed 3 Domains to server but none were active (other than the temp page in WP).
Generated SSL key & got certbot working on all 3 domains (greying-out A record in CloudFlare)
6hrs later, I went from 2GB of usage to 1TB.
Who would purloin that bandwidth? A gamer, bitminer?
Looking for suggestions on best way to (after-the-fact) analyze and determine how it (breach?) occurred and what I can do to remedy.
I did not have any 3rd party programs pre-installed to monitor traffic.
TIA
Comments
cat access_log | awk '{print $1}' | sort | uniq -c | sort -n | tail
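Cassa's one-liner counts requests per client IP, which is the right first cut for a brute-forcer. For a bandwidth question the more telling number is bytes served per client, which is field 10 of the default nginx/Apache "combined" log line. The following is an added example, not from the thread: a shell function that sums bytes and requests per client IP, run here over a few constructed log lines. It assumes the combined format; on a stock Ubuntu nginx install the real file is /var/log/nginx/access.log (there is no access_log in the home directory, hence the "No such file" the OP hits).

```shell
#!/bin/sh
# Added example (not from the thread). Sums response bytes and request count per
# client IP in an nginx/Apache "combined" access log. Field 1 is the client,
# field 10 the body size ("-" when nothing was sent, e.g. a 301 or HEAD).
set -eu

# top_talkers LOGFILE [N]  -> "bytes requests ip" lines, largest bytes first
top_talkers() {
  awk '{ b = ($10 == "-") ? 0 : $10; bytes[$1] += b; reqs[$1]++ }
       END { for (ip in bytes) printf "%d %d %s\n", bytes[ip], reqs[ip], ip }' "$1" \
    | sort -rn | head -n "${2:-10}"
}

# Constructed sample log (not real traffic): one client pulling a large file twice,
# one hammering wp-login.php, one monitor doing HEAD requests.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [01/Dec/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Dec/2016:10:00:02 +0000] "GET /big.iso HTTP/1.1" 200 734003200 "-" "curl/7.47"
203.0.113.7 - - [01/Dec/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Dec/2016:10:00:04 +0000] "GET /big.iso HTTP/1.1" 200 734003200 "-" "curl/7.47"
192.0.2.44 - - [01/Dec/2016:10:00:05 +0000] "HEAD / HTTP/1.1" 301 - "-" "monitor"
EOF

top_talkers "$SAMPLE_LOG" 3
# On the real box: top_talkers /var/log/nginx/access.log 20
# Rotated logs:    zcat /var/log/nginx/access.log.*.gz | top_talkers /dev/stdin 20
```

Two caveats. The first line of output is the bandwidth hog; the request column is what Cassa's command shows and is what a login brute-force looks like. And the access log only sees HTTP: if the terabyte left the box as something else (a compromised host sending traffic out, for instance), the web log will look normal and the only record is the provider's graph or a traffic counter such as vnstat or iftop that was already running.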
iftop ?
if it might be ongoing that is
where did you read 1TB? it can be a shared network and this was UDP traffic etc ... i also get shocked when i see something like 17GB from vnstat and provider confirmed it's normal ..... yes i also had firewall running and ports closed and get the same sucky.
anyway... check the above 2 and ask your providers for the sucky thief.
@Cassa - response was:
cat: access_log: No such file or directory.
@Falzo - Viewing iftop now. Though to me, the info scrolling on the putty screen looks like the matrix.
Only thing I see out of the ordinary is a destination from my IP (US) to beiramar173.static.host.gvt.net.br
Update: I tightened-up some of the Cloudflare settings and that Brazil IP disappeared.
@ehab Yeah first thing I did was create a ticket (required to get unsuspended) and also mentioned that "I" was not using any bandwidth and if they (my host) could see/determine the "sucky thief" (IP destination, etc).
HOST simply claims (and I have no reason to doubt them) I exceeded my monthly max of 1TB.
They charged me a few bucks to reactivate and grant me modest additional bandwidth but provided a very terse response to my inquiry about "what IP" was the destination. They simply said to look at the usage monitor on the dashboard graph (basically redlined for 5hrs until suspended) but graph does not provide IP (or other info from what I can gather).
sorry to hear you had to pay.... if i was you i would move to another provider.
I grabbed acct during LET BF-CMonday. "I" likely screwed-up, (I'm obviously not a network/sys guy).
I would have appreciated just a teensy bit of input from the Tier 2 level tech who initially suspended my account stating in ticket for me to pay up or remain suspended. Maybe even expecting a courtesy pass because this was evidently a breach of some sort.
Per their network interface, they were putting out a few other fires and busier than normal this morning
So, bump the ticket and ask if they can provide any more information when they can get to it. It's good that you see you don't know what's going on, but you're not the only one they're dealing with. Any one of them worth their salt will be happy to tell you what they can- when they can.
My advice is to learn a bit more administration to go with that KVM. Some prefer OpenVZ because it takes out the kernel-and-lower-network level work, but you still need to know how Apache/WordPress/iptables/etc work.
Re: Bump ticket. I considered it but I figure for $20/yr they ain't providing a lot of support. My intentions mirror your second suggestion; learn a little more admin. Ps: I also have an idle OVZ.
Busy with life this very moment but later this evening will see if there are any logs that stored/captured/retained the info.
Also determine if I have to reinstall OS or Grep-around to see if any backdoors were installed. (While my newb comments may be amusing, I'm genuinely wondering if they had root access and created another user (they didn't) or created some other means to revisit).
My guess is that the tutorial you followed was a bit outdated and someone hammered you through that, or for some reason decided to brute-force your ssh/apache. Without checking your logs (look under /var/log), it's really difficult to offer anything else.
Yeah, sometimes strange stuff happens. I've actually become used to lowering SYN-ACK retries and setting a firewall rule to drop SYN packets with low source ports on every box i install after some morons seemed to have discovered the wonders of reflected SYN-ACK flood and hammered seemingly every server they could find to the point it almost became a SYN flood. It's a wild wild world with tons of noise out there on the internet...
I inquired last night, (asking as politely as a highschool chess-club president would ask a cheerleader to the prom).
I also left a huge OUT, stating "If this inquiry/request is out-of-line or beyond the level of service for a budget KVM, (which I completely understand) please disregard."
They took me up on the OUT, responding: I'm sorry - but this is not something we generally look into.
Tech did provide an enlightening & informative (to me) suggestion. "This could be hacked, in which case I'd look at p*s aux carefully and see if there are any anomalies."
Basically 'check your running processes'. Not the most helpful- but it would be interesting to know what the hell happened.
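"Look at ps aux carefully" is vague unless you know what an anomaly looks like. The following is an added example, not from the thread or the host's tech: two small filters that are tested on constructed input (a fake ps listing and a fake /etc/passwd), and a live_triage function that runs them on the real box together with the other places a foothold usually shows up (listening sockets, crontabs, authorized_keys). The process names and paths in the sample are invented; the paths and commands in live_triage are standard Ubuntu 16.04 ones.

```shell
#!/bin/sh
# Added example (not from the thread). Pure filters for "ps aux" style triage,
# exercised on constructed samples, plus a live_triage to run as root on a real host.
set -eu

# Reads `ps -eo pid,user,%cpu,etime,args` output on stdin and prints processes whose
# executable lives in a world-writable scratch directory or was deleted after launch
# (a binary that unpacks to /tmp or /dev/shm and removes itself is a classic sign).
flag_processes() {
  awk 'NR > 1 && ($5 ~ "^(/tmp|/var/tmp|/dev/shm)/" || $0 ~ /\(deleted\)/)'
}

# Reads /etc/passwd on stdin and prints every uid 0 account that is not "root"
# (the "did they create another user" question from earlier in the thread).
flag_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

live_triage() {
  echo "== processes running from scratch dirs or deleted binaries =="
  ps -eo pid,user,%cpu,etime,args | flag_processes
  echo "== top CPU consumers (a miner sits at ~100% for hours) =="
  ps -eo pid,user,%cpu,etime,args --sort=-%cpu | head -n 6
  echo "== extra uid 0 accounts =="
  flag_uid0_accounts < /etc/passwd
  echo "== listening sockets and owning processes =="
  ss -tulpn
  echo "== per-user crontabs and system cron files changed in the last week =="
  for u in $(cut -d: -f1 /etc/passwd); do
    crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"
  done
  find /etc/cron* -type f -mtime -7 2>/dev/null
  echo "== authorized_keys files (review every key you did not add yourself) =="
  find / -xdev -name authorized_keys 2>/dev/null
}

# Constructed ps output (not from a real host): a normal nginx worker, a miner-like
# process started from /dev/shm, a deleted binary in /tmp, and a normal sshd.
SAMPLE_PS='  PID USER     %CPU     ELAPSED COMMAND
  812 www-data  0.3    06:12:03 nginx: worker process
 1301 root     98.7    05:58:41 /dev/shm/.x/kworkerds --url pool.invalid:3333
 1402 nobody   97.1    05:57:02 /tmp/httpd (deleted)
 1520 root      0.0    00:10:11 sshd: ubuntu [priv]'

# Constructed passwd file: "toor" is a second uid 0 account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
toor:x:0:0::/root:/bin/bash'

echo "$SAMPLE_PS" | flag_processes
echo "$SAMPLE_PASSWD" | flag_uid0_accounts
# On the real box, as root:  live_triage
```

If anything turns up, treat the box as compromised rather than cleaning it: a fresh reinstall plus restoring only the site content is cheaper than trusting a host where someone had root for five hours, which is the reinstall question the OP raised earlier.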
The OP clearly doesn't have the skills required to manage the service. How is the provider at fault?
If you pay for 100 carrots you cannot take 200 and say that you weren't counting. It was the OP's job to prevent it, simple as that.
true, the OP doesn't have the skills to investigate further and should get a managed server if he will use it for production. I asked him to move to another because they didn't assist or offer paid assistance to help.