[CentOS] Who's eating our bandwidth?

Wed Nov 4 09:39:25 UTC 2009
Fabian Arrotin <fabian.arrotin at arrfab.net>

Niki Kovacs wrote:
> Hi,
> 
> I've recently set up a new server for our public libraries. For the last 
> two years, this has been my first "big" job, since it involves 
> networking eleven small to medium size public libraries.
> 
> There was a hiccup some time ago when the administration hiring me 
> wanted to do it on their own, but it took them less than two weeks to 
> get the server hacked and lose everything. So they decided to hire me 
> back :o)
> 
> I've rented a little dedicated server at the French provider Ikoula. 
> Really a small thing, a KVM amounting to 1/2 a processor core, 512 MB 
> RAM and 25 GB of disk space. Usually there should be no more than like 
> ten people working simultaneously on the library management software 
> (running atop MySQL).
> 
> For the last few days, users reported that the install was "terribly 
> slow". I checked, and indeed, the application took quite some time to 
> respond.
> 
> First thing, I wonder if the configuration I chose is too modest for the 
> setup.
> 
> Then, I took a peek in /var/log/httpd and the *-access.log files show 
> quite some activity. Some haphazard whois on various IP addresses show 
> me that these are no library users from around here. Like: Bogota?!? 
> Peking?!? And quite some search engines. Since I don't need search 
> engines for our application, I'm going to have to find a way to banish 
> these.
> 
> The log files are not very handy to decipher, so I googled a bit, and I 
> think today I'm going to check out AWStats, which seems to be the right 
> thing to use in that case.
> 
> I'm also wondering about activity on other ports, but here also I'm 
> taking stabs in the dark. Probably SSH, but I don't know where eventual 
> failed attempts get logged.
> 
> I also googled a bit, and I think in this domain, fail2ban will be my 
> next experiment.
> 
> I have this strange feeling that the next step in the "wise" direction 
> consists in describing my ignorance :o)
> 
> Any suggestions?
> 
> Cheers from the sunny south of France,
> 
> Niki
>

Hi Niki,

Why not just use iptables rules to filter the traffic and allow only 
public (and static) IPs from the libraries?
Or also create VPNs between your VM and the remote networks.

-- 
Fabian Arrotin
idea=`grep -i clue /dev/brain`
test -z "$idea" && echo "sorry, init 6 in progress" || sh ./answer.sh
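As an added illustration of the iptables allowlist Fabian suggests (example code, not from the thread or from either poster): the script below generates an iptables-restore ruleset with a default DROP policy on INPUT, accepting HTTP/HTTPS only from the libraries' static public addresses and SSH only from one admin address. All IP addresses are constructed placeholders from the RFC 5737 documentation ranges; the real library and admin addresses are assumptions you substitute. The ruleset is printed rather than applied so it can be reviewed, and the apply step is left as comments because it needs root and a way back in if a rule is wrong.

```shell
#!/bin/sh
# Added example, not code from the original thread. Generates an iptables-restore
# ruleset that allows the library application (80/443) only from the libraries'
# static public IPs and SSH only from the admin IP, dropping everything else.
# Addresses below are constructed placeholders (RFC 5737 documentation ranges).
LIBRARY_IPS="203.0.113.10 203.0.113.25 198.51.100.7"
ADMIN_IP="192.0.2.50"

# Print the full ruleset in iptables-save/iptables-restore format.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and already-established flows are accepted before the allowlist,
# so replies to outbound traffic and local MySQL connections are unaffected.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH only from the admin address. Dropping this line on a rented VM with no
# console means locking yourself out.
-A INPUT -s ${ADMIN_IP}/32 -p tcp --dport 22 -j ACCEPT
EOF
    # One ACCEPT line per library address for the web application ports.
    for ip in $LIBRARY_IPS; do
        echo "-A INPUT -s ${ip}/32 -p tcp -m multiport --dports 80,443 -j ACCEPT"
    done
    cat <<EOF
# Rate-limited log of what the default policy drops, so blocked sources
# (the Bogota/Peking crawlers from the access logs) are still visible.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
COMMIT
EOF
}

# Number of library addresses that were granted access to 80/443; a quick
# sanity check that every address in LIBRARY_IPS made it into the ruleset.
count_allowed() {
    gen_rules | grep -c -- '--dports 80,443 -j ACCEPT'
}

# Apply step (as root, after reviewing the output). The background restore of
# the saved ruleset is a rollback guard: if the new rules lock you out, the old
# ones return after two minutes; kill the sleep once you have confirmed access.
#   gen_rules > /etc/sysconfig/iptables.new
#   iptables-save > /etc/sysconfig/iptables.bak
#   (sleep 120 && iptables-restore < /etc/sysconfig/iptables.bak) &
#   iptables-restore < /etc/sysconfig/iptables.new

gen_rules
```

On CentOS the persistent ruleset lives in /etc/sysconfig/iptables and is loaded by `service iptables start`, so once the generated rules are confirmed to work, copy the file there (or run `service iptables save`). The allowlist only helps if every library really has a static public address; a site behind a dynamic IP would need the VPN alternative Fabian mentions instead.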