Is this normal?

Devonius Member
edited November 2014 in Help

I bought a (1GB RAM) VPS with 7 IPs from xvmlabs, and I host 7 small blogs there. I found my BW "out" is about 20k-60k bits per second.

My partial netstat -s is like below:

    Tcp:
        1643 active connections openings
        15999 passive connection openings
        26 failed connection attempts
        1161 connection resets received
        1 connections established
        115694 segments received
        140491 segments send out
        1331 segments retransmited
        3 bad segments received.
        1225 resets sent

Is it normal for 7 small blogs hosted there? I'm afraid my server is hacked and DDoSing others, but I don't find any suspicious script in "netstat -antup".

Any idea?

Comments

  • Well, I can say this: it is definitely not normal if you're not the one connected to it, with the 1 connection established.
    Please check your auth.log file for more details on who has been logging into your server besides you.
    Your auth.log is in /var/log/auth.log
    because your auth.log will show you who has been logging into your server, including you, so look in there and it will tell you who tried to get into your server, and who was successful in getting into your server, etc.
    Please PM me and we will talk more about this.

    Thanked by 1Devonius
  • Maybe check the access log to see if your site is flooded with visitors?

    And hide it behind Cloudflare, they take care of a lot of unwanted visits.

    Thanked by 1Devonius
  • Falzo Member
    edited November 2014

    netstat -s is a mostly upcounting statistic... did you mention for what uptime this should tell anything about? why one should think, this indicates something wrong?

    what about mine? ;-)

        2965889 active connections openings
        22657125 passive connection openings
        156325 failed connection attempts
        503542 connection resets received
        21 connections established
        680474752 segments received
        687920963 segments send out
        3948230 segments retransmited
        13689 bad segments received.
        2561196 resets sent
    

    anything bad in this? (counting 210 days uptime by now)

    the established connections are the overall tcp connections, so for sure this may be more than one, at least if you want some visitors connect to your webserver to be able to read your blogs...

    if 20-60kbit/s is correct this will result in about 200-600 MB outgoing traffic per day, that's nothing more than a bit of googlebots hopping around your blogs.

    get some nice statistics like awstats for your blogs to see if the traffic-accounting matches those numbers and who is visiting your sites.

    PS: maybe look at your traffic via iftop to see live what's going on ;-)

    Thanked by 1Devonius
  • Devonius Member
    edited November 2014

    @timnboys said:
    Well, I can say this: it is definitely not normal if you're not the one connected to it, with the 1 connection established.
    Please check your auth.log file for more details on who has been logging into your server besides you.
    Your auth.log is in /var/log/auth.log
    because your auth.log will show you who has been logging into your server, including you, so look in there and it will tell you who tried to get into your server, and who was successful in getting into your server, etc.
    Please PM me and we will talk more about this.

    I use the "last" command and only my IP is shown in there.

    @Falzo said:
    netstat -s is a mostly upcounting statistic... did you mention for what uptime this should tell anything about? why one should think, this indicates something wrong?

    When I posted this thread, my uptime was only 10 hours, because I just rebooted my VPS yesterday.

    @zhuanyi said:
    Maybe check the access log to see if your site is flooded with visitors?

    And hide it behind Cloudflare, they take care of a lot of unwanted visits.

    It's only 40-60 visits / day for all 7 blogs.

    if 20-60kbit/s is correct this will result in about 200-600 MB outgoing traffic per day, that's nothing more than a bit of googlebots hopping around your blogs.

    So as I mentioned before, I'm afraid my VPS is DDoSing others. But after reading this comment I can breathe easier now. Thanks.

  • Well, I can only tell you to set up monitoring on it, and if SolusVM or whatever panel your provider has shows a huge spike in network activity, then I am afraid to say it but yes, your VPS is DDoSing others, because a huge spike in network activity indicates DoS or DDoS. But I just want to make sure you know this: don't be looking just with the last command; you want to look through the whole auth.log file from where you think the DDoS started to now (I know it might be long to look through that, but unfortunately that is what it takes to find out if anyone else got into your VPS), because the last command will only show you who was the last person logged in (it will not give you a time span of who else could have got in between then and now).

    Thanked by 1Devonius
  • @timnboys said:
    Well, I can only tell you to set up monitoring on it, and if SolusVM or whatever panel your provider has shows a huge spike in network activity, then I am afraid to say it but yes, your VPS is DDoSing others, because a huge spike in network activity indicates DoS or DDoS. But I just want to make sure you know this: don't be looking just with the last command; you want to look through the whole auth.log file from where you think the DDoS started to now (I know it might be long to look through that, but unfortunately that is what it takes to find out if anyone else got into your VPS), because the last command will only show you who was the last person logged in (it will not give you a time span of who else could have got in between then and now).

    Thanks, but the "last" command already shows the last 2 months (from the first time I purchased this VPS) of logins from my VPS.
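
Falzo's point that netstat -s counters only count up since boot, applied to the two excerpts and the uptimes given in the thread (10 hours and 210 days), plus the kbit/s to MB/day conversion. This is an added example, not code posted by anyone in the thread; the function names and the choice of ratios are assumptions made for illustration.

```python
import re

# Tcp: counters copied from the thread's two netstat -s excerpts.
OP_SAMPLE = """\
1643 active connections openings
15999 passive connection openings
26 failed connection attempts
1161 connection resets received
1 connections established
115694 segments received
140491 segments send out
1331 segments retransmited
3 bad segments received.
1225 resets sent
"""
FALZO_SAMPLE = """\
2965889 active connections openings
22657125 passive connection openings
156325 failed connection attempts
503542 connection resets received
21 connections established
680474752 segments received
687920963 segments send out
3948230 segments retransmited
13689 bad segments received.
2561196 resets sent
"""

def parse_tcp_counters(text):
    """Map each '<count> <description>' line to {description: count}."""
    found = re.findall(r"^\s*(\d+)\s+(.+?)\.?\s*$", text, re.M)
    return {desc: int(n) for n, desc in found}

def normalise(c, uptime_hours):
    """Turn since-boot totals into per-hour rates and ratios."""
    passive = c["passive connection openings"]
    return {
        "passive_opens_per_hour": passive / uptime_hours,
        "retransmit_pct": 100 * c["segments retransmited"] / c["segments send out"],
        "resets_sent_per_passive_open": c["resets sent"] / passive,
    }

def mb_per_day(kbit_per_s):
    """Average rate in kbit/s -> megabytes (10^6 bytes) per day."""
    return kbit_per_s * 1000 / 8 * 86400 / 1e6

if __name__ == "__main__":
    for name, text, hours in (("OP", OP_SAMPLE, 10), ("Falzo", FALZO_SAMPLE, 210 * 24)):
        print(name, normalise(parse_tcp_counters(text), hours))
    print("20-60 kbit/s =", mb_per_day(20), "to", mb_per_day(60), "MB/day")
```

Normalised this way, the 10-hour sample works out to about 1,600 passive opens per hour with 0.95% of sent segments retransmitted, against about 4,500 per hour and 0.57% on the 210-day server, and 20-60 kbit/s comes to 216-648 MB per day.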
