10

I have been warned that my server broke its transfer limit. I thought that my Tor node became popular, so I chose to disable it this month (not the best choice for the community, but I need to go down). Then I noticed that the server transferred around 4GBs this night. I have checked Apache logs with Awstats, no relevant traffic (and I don't host such popular sites there). I have checked mail logs, no one tried to send garbage. I have checked the messages log and found tons of these:

Apr 29 10:17:53 marcus sshd[9281]: Did not receive identification string from 85.170.189.156
Apr 29 10:18:07 marcus sshd[9283]: Did not receive identification string from 86.208.123.132
Apr 29 10:18:24 marcus sshd[9298]: Did not receive identification string from 85.170.189.156
Apr 29 10:18:39 marcus sshd[9303]: Did not receive identification string from 86.208.123.132
Apr 29 10:18:56 marcus sshd[9306]: Did not receive identification string from 85.170.189.156
Apr 29 10:19:11 marcus sshd[9309]: Did not receive identification string from 86.208.123.132
Apr 29 10:19:18 marcus sshd[9312]: Did not receive identification string from 101.98.178.92
Apr 29 10:19:27 marcus sshd[9314]: Did not receive identification string from 85.170.189.156
Apr 29 10:19:41 marcus sshd[9317]: Did not receive identification string from 86.208.123.132
Apr 29 10:20:01 marcus sshd[9321]: Did not receive identification string from 85.170.189.156
Apr 29 10:20:13 marcus sshd[9324]: Did not receive identification string from 86.208.123.132
Apr 29 10:20:32 marcus sshd[9327]: Did not receive identification string from 85.170.189.156
Apr 29 10:20:48 marcus sshd[9331]: Did not receive identification string from 86.208.123.132
Apr 29 10:21:07 marcus sshd[9336]: Did not receive identification string from 85.170.189.156
Apr 29 10:21:20 marcus sshd[9338]: Did not receive identification string from 86.208.123.132
Apr 29 10:21:35 marcus sshd[9341]: Did not receive identification string from 85.170.189.156
Apr 29 10:21:51 marcus sshd[9344]: Did not receive identification string from 86.208.123.132
Apr 29 10:22:06 marcus sshd[9349]: Did not receive identification string from 85.170.189.156
Apr 29 10:22:23 marcus sshd[9353]: Did not receive identification string from 86.208.123.132
Apr 29 10:22:39 marcus sshd[9359]: Did not receive identification string from 85.170.189.156
Apr 29 10:22:54 marcus sshd[9361]: Did not receive identification string from 86.208.123.132
Apr 29 10:23:10 marcus sshd[9367]: Did not receive identification string from 85.170.189.156
Apr 29 10:23:29 marcus sshd[9369]: Did not receive identification string from 86.208.123.132
Apr 29 10:23:45 marcus sshd[9375]: Did not receive identification string from 85.170.189.156
Apr 29 10:24:10 marcus sshd[9387]: Did not receive identification string from 86.208.123.132
Apr 29 10:24:16 marcus sshd[9388]: Did not receive identification string from 85.170.189.156

Every few seconds a bot is trying to hack my SSH, which is impossible because I require pubkey authentication. My question is: can this traffic, at this frequency, consume 4GBs (let's say 3.5) in 10 hours of continuous attack?

I have changed my SSH port and stopped these attacks, but I'm unsure about my network consumption. I don't have services running out of control (my firewall is kinda restrictive), nor do I share the server with someone abusively doing P2P or whatever. My concern is to go below 400GB/month.

Any tips?

usr-local-ΕΨΗΕΛΩΝ

3 Answers

16

4 GB is possible, but very unlikely considering the attack rate. I suggest installing OSSEC; it detects break-in attempts and blocks the IP automatically for a certain timeout.

Lucas Kauffman
14

If these are the cause of the bandwidth usage then the bandwidth is already consumed by the time you deal with them on your system. You can use a tool like iptraf to give you a breakdown of what's happening on each interface/port and then you can take appropriate action based on facts.

Antoine Benkemoun
user9517
4

No, these once-per-second connection attempts themselves are not going to add up to 4GB in ten hours. Do you think you could download a 4GB file in 10 hours by getting a tiny packet once a second? There are 3600 seconds in an hour, so if you get a kilobyte a second for ten hours, that would be 36000 Kb, or 36 megabytes.

Your bandwidth is measured according to what goes down the pipe from your provider to your external router, not what reaches your server. You have to look at the crap that isn't reaching your server, that the most external piece of equipment is rejecting.

As far as what does reach your server, you cannot rely on application logs. Even packets that are silently dropped by the local firewall are bandwidth. Interface stats (shown by ifconfig) will tell you Tx/Rx bytes.

Kaz
  • Not sure. From my point of view, the log messages show that clients opened a socket to port 22 but were rejected because "what they transmitted" was not recognized as a proper SSH handshake. I didn't want to wiretap port 22 to see the actual payload that the scanners sent, but in theory they could send tons of garbage until SSH drops. The question is: when does OpenSSH drop an invalid handshake? Second, I spent a night with Tor disabled and traffic still increased (Apache didn't show significant traffic); when I reconfigured fail2ban, traffic almost stopped – usr-local-ΕΨΗΕΛΩΝ Apr 30 '12 at 10:43
  • 1
    Let me rephrase a bit, just in case. If I wanted to drain 4GBs of bandwidth from a server, I could make a botnet that opens HTTP connections and sends unlimited POST payloads for each request. Logs will show that failed requests occur at low rates, but each is extremely heavy. But this starts to lose sense. I have been familiar with SSH scans ("failed authentication for root, admin...") because their objective is to take control of the node. Why would an attacker bother draining bandwidth via SSH? Doesn't make sense. Unless someone hates Tor nodes... – usr-local-ΕΨΗΕΛΩΝ Apr 30 '12 at 10:53
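As an added example (not code from anyone in this thread), a small Python script that does the arithmetic from the answer above and the interface-counter check that it and the iptraf answer recommend: it parses sshd "Did not receive identification string" lines like the ones in the question, derives the attempt rate, bounds the traffic those attempts could produce at an assumed cost per attempt, and reads byte counters in /proc/net/dev format so the two can be compared. The log lines, the /proc/net/dev snapshot and the 1 KiB per-attempt figure are constructed assumptions.

```python
import re
from datetime import datetime
# Constructed sample in the syslog format the question shows (TEST-NET addresses,
# not real scanners); the last line is a normal login and must be ignored.
SAMPLE_LOG = """\
Apr 29 10:17:53 marcus sshd[9281]: Did not receive identification string from 192.0.2.10
Apr 29 10:18:07 marcus sshd[9283]: Did not receive identification string from 198.51.100.7
Apr 29 10:18:24 marcus sshd[9298]: Did not receive identification string from 192.0.2.10
Apr 29 10:18:56 marcus sshd[9306]: Accepted publickey for alice from 203.0.113.5 port 4242 ssh2
"""
# Constructed /proc/net/dev snapshot: two header lines, then one interface.
SAMPLE_PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 4123456789 3123456    0    0    0     0          0         0 512345678 2123456    0    0    0     0       0          0
"""
# Assumed cost of one attempt in both directions (TCP handshake, sshd version
# banner, teardown): 1 KiB is a generous upper bound; the real figure is a few hundred bytes.
BYTES_PER_ATTEMPT = 1024
NOID_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Did not receive identification string from (\S+)")  # no $: newer OpenSSH appends " port N"
def parse_noid_events(text):
    """Return (timestamp, source_ip) for every 'Did not receive identification' line."""
    events = []
    for line in text.splitlines():
        m = NOID_RE.match(line)
        if m:  # syslog lines carry no year; strptime defaults to 1900, fine for deltas
            events.append((datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2)))
    return events

def observed_rate(events):
    """Attempts per second over the span covered by the parsed events."""
    if len(events) < 2:
        return 0.0
    span = (events[-1][0] - events[0][0]).total_seconds()
    return len(events) / span if span else float("inf")

def worst_case_bytes(rate_per_sec, hours, bytes_per_attempt=BYTES_PER_ATTEMPT):
    """Upper bound on bytes if attempts continue at rate_per_sec for `hours` hours."""
    return int(rate_per_sec * 3600 * hours * bytes_per_attempt)

def parse_proc_net_dev(text):
    """Map interface -> (rx_bytes, tx_bytes); unlike sshd's log, this counts every packet."""
    stats = {}
    for line in text.splitlines()[2:]:
        iface, rest = line.split(":", 1)
        fields = rest.split()
        stats[iface.strip()] = (int(fields[0]), int(fields[8]))
    return stats
```

Run parse_proc_net_dev on two snapshots of the real /proc/net/dev taken some hours apart and compare the byte delta with worst_case_bytes for the rate seen in the log; a delta far above the bound means the attempts are not the cause.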