
Re: High inbound traffic - which logs to check?

Posted: Fri Jun 12, 2009 10:01 am
by jaoudestudios
I don't think so, but I can check as I have a monitoring service that keeps track of my server.

Re: High inbound traffic - which logs to check?

Posted: Fri Jun 12, 2009 10:06 am
by jaoudestudios
Results look fine, no down time...
[attachment: results.png, "Monitoring results of web server"]
I did go through and filter by errors, but there was nothing.

Re: High inbound traffic - which logs to check?

Posted: Sun Jun 14, 2009 6:19 am
by VladSun
Yeah, looks like an SSH bruteforce attack.
Take a look at:
viewtopic.php?f=30&t=84234 (the SSH part)

and hope that dropping packets will stop the SSH attack traffic (i.e. the bot will stop bruteforcing after several connection attempts fail).
If not, try to set the target to REJECT instead of DROP:

Code:

$ipt -A SSH -p tcp -m recent --hitcount 2 --name SSH --update --seconds 60 -j REJECT
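
The rule above counts new connections per source address inside a sliding window (`--hitcount 2` within `--seconds 60`). The following is an added example, not code from this thread or from either poster, that reads a few constructed sshd log lines (the kind of entries the original "which logs to check" question is after), counts failed logins per source address, and applies the same hitcount/seconds window in Python so you can see which attempts such a rule would have matched. The function names `parse_failures`, `failures_by_ip`, `exceeds_window` and `flagged_ips` are my own, the IP addresses are from documentation ranges, and the window logic is an approximation of the `recent` module, which tracks packets hitting the chain rather than log lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd entries in syslog format (no year in the timestamp).
# Addresses come from the RFC 5737 documentation ranges; this is not real log data.
SAMPLE_AUTH_LOG = """\
Jun 12 09:58:01 web sshd[2201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jun 12 09:58:03 web sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Jun 12 09:58:06 web sshd[2205]: Failed password for invalid user oracle from 198.51.100.7 port 40141 ssh2
Jun 12 09:58:09 web sshd[2207]: Failed password for root from 198.51.100.7 port 40150 ssh2
Jun 12 10:00:15 web sshd[2210]: Accepted publickey for deploy from 203.0.113.20 port 51000 ssh2
Jun 12 10:03:40 web sshd[2215]: Failed password for deploy from 203.0.113.20 port 51004 ssh2
Jun 12 10:05:00 web sshd[2218]: Accepted password for deploy from 203.0.113.20 port 51010 ssh2
"""

# Matches the "Failed password" lines sshd writes for both known and invalid users.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text, year=2009):
    """Return a list of (timestamp, source_ip, user) for every failed-password line.

    Syslog lines carry no year, so the caller supplies one (assumed here)."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def failures_by_ip(events):
    """Total failed logins per source address, the first thing to look at in the log."""
    counts = defaultdict(int)
    for _, ip, _ in events:
        counts[ip] += 1
    return dict(counts)


def exceeds_window(events, ip, hitcount=2, seconds=60):
    """Timestamps at which `ip` would have matched a rule like
    '-m recent --update --seconds SECONDS --hitcount HITCOUNT'.

    Approximation: an attempt matches when it is at least the HITCOUNT-th
    attempt from that address within the preceding SECONDS seconds."""
    window = deque()
    matched = []
    for ts, src, _ in sorted(events):
        if src != ip:
            continue
        # Drop attempts that have aged out of the window.
        while window and (ts - window[0]).total_seconds() > seconds:
            window.popleft()
        window.append(ts)
        if len(window) >= hitcount:
            matched.append(ts)
    return matched


def flagged_ips(events, hitcount=2, seconds=60):
    """Set of source addresses that would have tripped the rule at least once."""
    return {ip for ip in failures_by_ip(events) if exceeds_window(events, ip, hitcount, seconds)}


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_AUTH_LOG)
    for ip, n in sorted(failures_by_ip(evs).items(), key=lambda kv: -kv[1]):
        hits = exceeds_window(evs, ip)
        print(f"{ip}: {n} failed logins, {len(hits)} attempts would match hitcount=2/60s")
    print("flagged:", sorted(flagged_ips(evs)))
```

In the sample, the address making four attempts in eight seconds is caught from its second attempt onward, while the legitimate user's single typo never reaches the threshold, which is the behaviour you want before putting a REJECT or DROP target behind the rule.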

Re: High inbound traffic - which logs to check?

Posted: Sun Jun 14, 2009 2:28 pm
by jaoudestudios
Thanks VladSun.

I will go through the logs again tomorrow, but it does appear to have stopped. I am curious about your REJECT instead of DROP, so I will look into doing that anyway.

Thanks again everyone!