High inbound traffic - which logs to check?


jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: High inbound traffic - which logs to check?

Post by jaoudestudios »

I don't think so, but I can check as I have a monitoring service that keeps track of my server.

Re: High inbound traffic - which logs to check?

Post by jaoudestudios »

Results look fine, no downtime...
[Image: results.png, monitoring results of web server]
I did go through and filter by errors, but there was nothing.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: High inbound traffic - which logs to check?

Post by VladSun »

Yeah, looks like an SSH bruteforce attack.
Take a look at:
viewtopic.php?f=30&t=84234 (the SSH part)

and hope that dropping packets will stop the SSH attack traffic (i.e. the bot will stop bruteforcing after several connection attempts fail).
If not, try to set the target to REJECT instead of DROP:

$ipt -A SSH -p tcp -m recent --hitcount 2 --name SSH --update --seconds 60 -j REJECT
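As an added example (not code from the thread or from either poster), here is the log-side check the thread title asks about: it scans sshd "Failed password" lines of the kind found in /var/log/auth.log or /var/log/secure and flags source addresses that reach the same hitcount/seconds thresholds used by the iptables rule above (the firewall rule counts connection attempts, so the two will not match exactly). The log lines are constructed samples, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# One sshd failure line, e.g.
# "Jun 18 08:32:01 web sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample lines (documentation-range addresses), not real log data.
SAMPLE_LOG = """\
Jun 18 08:32:01 web sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun 18 08:32:03 web sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun 18 08:32:06 web sshd[2013]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Jun 18 08:33:10 web sshd[2020]: Accepted publickey for deploy from 198.51.100.5 port 40022 ssh2
Jun 18 08:35:42 web sshd[2031]: Failed password for root from 198.51.100.5 port 40030 ssh2
Jun 18 08:40:00 web sshd[2044]: Failed password for root from 198.51.100.5 port 40031 ssh2
"""


def parse_failures(log_text, year=2008):
    """Map source IP -> sorted failure timestamps. `year` is assumed: syslog lines carry none."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            per_ip[m.group("ip")].append(ts)
    return {ip: sorted(times) for ip, times in per_ip.items()}


def bruteforce_sources(log_text, hitcount=2, seconds=60):
    """Return {ip: total_failures} for sources with at least `hitcount` failures
    inside any window of `seconds`, mirroring `--hitcount 2 --seconds 60`."""
    flagged = {}
    for ip, times in parse_failures(log_text).items():
        for i in range(len(times) - hitcount + 1):
            if (times[i + hitcount - 1] - times[i]).total_seconds() <= seconds:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, n in bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed SSH logins, burst within 60s")
```

Feed it `open("/var/log/auth.log").read()` to run it against a real log; the second source in the sample has two failures but more than 60 seconds apart, so it is not flagged.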

Re: High inbound traffic - which logs to check?

Post by jaoudestudios »

Thanks VladSun.

I will go through the logs again tomorrow, but it does appear to have stopped. I am curious about your REJECT instead of DROP, so I will look into doing that anyway.

Thanks again everyone!