High inbound traffic - which logs to check?
Moderator: General Moderators
- jaoudestudios
- DevNet Resident
- Posts: 1483
- Joined: Wed Jun 18, 2008 8:32 am
- Location: Surrey
Re: High inbound traffic - which logs to check?
I don't think so, but I can check as I have a monitoring service that keeps track of my server.
- jaoudestudios
- DevNet Resident
- Posts: 1483
- Joined: Wed Jun 18, 2008 8:32 am
- Location: Surrey
Re: High inbound traffic - which logs to check?
Results look fine, no downtime...
I did go through and filter by errors, but there was nothing.
Re: High inbound traffic - which logs to check?
Yeah, looks like an SSH bruteforce attack.
Take a look at:
viewtopic.php?f=30&t=84234 (the SSH part)
and hope that dropping packets will stop the SSH attack traffic (i.e. the bot will stop bruteforcing after several connection attempts fail).
If not, try to set the target to REJECT instead of DROP:
Code:
$ipt -A SSH -p tcp -m recent --hitcount 2 --name SSH --update --seconds 60 -j REJECT
There are 10 types of people in this world, those who understand binary and those who don't
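Added example, not part of any post in this thread: a Python check for the thread's question in the SSH case, scanning sshd authentication log lines for sources with repeated failed logins. The log lines are constructed, the function name and the OpenSSH-in-syslog line format are assumptions, and the 2-hits-in-60-seconds default only mirrors the rule above as a rough analogue (the rule counts connection attempts, this counts failed passwords).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: OpenSSH messages in syslog layout, documentation IP ranges.
SAMPLE_LOG = """\
Mar  3 02:14:01 web1 sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 02:14:03 web1 sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Mar  3 02:14:05 web1 sshd[4105]: Failed password for invalid user test from 203.0.113.7 port 40131 ssh2
Mar  3 02:15:40 web1 sshd[4188]: Accepted publickey for deploy from 198.51.100.20 port 51500 ssh2
Mar  3 02:20:00 web1 sshd[4230]: Failed password for deploy from 198.51.100.20 port 51620 ssh2
Mar  3 02:31:10 web1 sshd[4301]: Failed password for deploy from 198.51.100.20 port 51733 ssh2
"""

# Greedy user field + end-of-line anchor: the source address is always taken
# from the tail of the line, never from text inside the user name.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def find_bruteforce(log_text, hitcount=2, seconds=60, year=2024):
    """Return {ip: {"failures": n, "users": [...]}} for every source with at
    least `hitcount` failed logins inside one `seconds`-long window.
    Assumes chronological lines; syslog stamps have no year, so one is assumed."""
    window = timedelta(seconds=seconds)
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    stats = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        s = stats.setdefault(m["ip"], {"failures": 0, "users": set(), "hit": False})
        s["failures"] += 1
        s["users"].add(m["user"])
        s["hit"] = s["hit"] or len(q) >= hitcount
    return {ip: {"failures": s["failures"], "users": sorted(s["users"])}
            for ip, s in stats.items() if s["hit"]}

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info["failures"], "failed logins; users tried:", ", ".join(info["users"]))
```

On a real server the input would be the sshd lines from the system's authentication log; the path and exact message wording vary by distribution and OpenSSH version.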
- jaoudestudios
- DevNet Resident
- Posts: 1483
- Joined: Wed Jun 18, 2008 8:32 am
- Location: Surrey
Re: High inbound traffic - which logs to check?
Thanks VladSun.
I will go through the logs again tomorrow, but it does appear to have stopped. I am curious about your REJECT instead of DROP, so I will look into doing that anyway.
Thanks again everyone!