[CentOS] Who's eating our bandwidth?

Wed Nov 4 09:16:50 UTC 2009
Niki Kovacs <contact at kikinovak.net>

Hi,

I've recently setup a new server for our public libraries. For the last 
two years, this has been my first "big" job, since it involves 
networking eleven small to medium size public libraries.

There was a hiccup some time ago when the administration hiring me 
wanted to do it on their own, but it took them less than two weeks to 
get the server hacked and lose everything. So they decided to hire me 
back :o)

I've rented a little dedicated server at the french provider Ikoula. 
Really a small thing, a KVM amounting to 1/2 a processor core, 512 MB 
RAM and 25 GB of disk space. Usually there should be no more than like 
ten people working simultaneously on the library management software 
(running atop MySQL).

For the last few days, users reported that the install was "terribly 
slow". I checked, and indeed, the application took quite some time to 
respond.

First thing, I wonder if the configuration I chose is too modest for the 
setup.

Then, I took a peek in /var/log/httpd and the *-access.log files show 
quite some activity. Some haphazard whois on various IP addresses show 
me that these are no library users from around here. Like: Bogota?!? 
Peking?!? And quite some search engines. Since I don't need search 
engines for our application, I'm going to have to find a way to banish 
these.

The log files are not very handy to decipher, so I googled a bit, and I 
think today I'm going to check out AWStats, which seems to be the right 
thing to use in that case.

I'm also wondering about activity on other ports, but here also I'm 
taking stabs in the dark. Probably SSH, but I don't know where eventual 
failed attempts get logged.

I also googled a bit, and I think in this domain, fail2ban will be my 
next experiment.

I have this strange feeling that the next step in the "wise" direction 
consists in describing my ignorance :o)

Any suggestions?

Cheers from the sunny south of France,

Niki