[CentOS] Who's eating our bandwidth?

Thu Nov 5 21:48:34 UTC 2009
Lucian @ lastdot.org <lucian at lastdot.org>

On Wed, Nov 4, 2009 at 9:16 AM, Niki Kovacs <contact at kikinovak.net> wrote:
> Hi,
>
> I've recently set up a new server for our public libraries. For the last
> two years, this has been my first "big" job, since it involves
> networking eleven small to medium size public libraries.
>
> There was a hiccup some time ago when the administration hiring me
> wanted to do it on their own, but it took them less than two weeks to
> get the server hacked and lose everything. So they decided to hire me
> back :o)
>
> I've rented a little dedicated server at the French provider Ikoula.
> Really a small thing, a KVM amounting to 1/2 a processor core, 512 MB
> RAM and 25 GB of disk space. Usually there should be no more than like
> ten people working simultaneously on the library management software
> (running atop MySQL).
>
> For the last few days, users reported that the install was "terribly
> slow". I checked, and indeed, the application took quite some time to
> respond.
>
> First thing, I wonder if the configuration I chose is too modest for the
> setup.
>
> Then, I took a peek in /var/log/httpd and the *-access.log files show
> quite some activity. Some haphazard whois on various IP addresses show
> me that these are no library users from around here. Like: Bogota?!?
> Peking?!? And quite some search engines. Since I don't need search
> engines for our application, I'm going to have to find a way to banish
> these.
>
> The log files are not very handy to decipher, so I googled a bit, and I
> think today I'm going to check out AWStats, which seems to be the right
> thing to use in that case.
>
> I'm also wondering about activity on other ports, but here also I'm
> taking stabs in the dark. Probably SSH, but I don't know where eventual
> failed attempts get logged.
>
> I also googled a bit, and I think in this domain, fail2ban will be my
> next experiment.
>
> I have this strange feeling that the next step in the "wise" direction
> consists in describing my ignorance :o)
>
> Any suggestions?
>
> Cheers from the sunny south of France,
>
> Niki

Check out mod_geoip and only allow France to connect to your server.
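
An added example, not part of the original thread, for the question of which clients account for the traffic in the Apache access logs: it totals requests and bytes sent per client address and marks addresses whose User-Agent looks like a crawler. It assumes the Apache "combined" log format; the sample lines, the addresses and the crawler hint list are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format (assumed):
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<agent>[^"]*)"'
)
# Substrings often found in crawler User-Agent strings (heuristic, easily spoofed).
BOT_HINTS = ("bot", "crawl", "spider", "slurp")

def summarize(lines):
    """Return ({ip: {"hits", "bytes", "bot"}}, count_of_unparsed_lines)."""
    stats = defaultdict(lambda: {"hits": 0, "bytes": 0, "bot": False})
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # keep count so malformed lines are not silently lost
            continue
        entry = stats[m.group("ip")]
        entry["hits"] += 1
        if m.group("bytes") != "-":   # "-" means no response body was sent
            entry["bytes"] += int(m.group("bytes"))
        if any(h in m.group("agent").lower() for h in BOT_HINTS):
            entry["bot"] = True
    return dict(stats), skipped

def top_talkers(stats, n=10):
    """Client addresses ordered by bytes sent, largest first."""
    return sorted(stats, key=lambda ip: stats[ip]["bytes"], reverse=True)[:n]

# Constructed sample lines using documentation address ranges.
SAMPLE = [
    '192.0.2.10 - - [04/Nov/2009:09:00:01 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux i686)"',
    '198.51.100.7 - - [04/Nov/2009:09:00:02 +0100] "GET /catalog?page=1 HTTP/1.1" 200 40960 "-" "ExampleBot/1.0 (+http://crawler.example/)"',
    '198.51.100.7 - - [04/Nov/2009:09:00:03 +0100] "GET /catalog?page=2 HTTP/1.1" 200 40960 "-" "ExampleBot/1.0 (+http://crawler.example/)"',
    '192.0.2.10 - - [04/Nov/2009:09:00:04 +0100] "GET /style.css HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux i686)"',
    '203.0.113.5 - - [04/Nov/2009:09:00:05 +0100] "GET /admin.php HTTP/1.0" 404 312 "-" "-"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    stats, skipped = summarize(SAMPLE)
    for ip in top_talkers(stats):
        s = stats[ip]
        print(f"{ip:15} {s['hits']:5d} hits {s['bytes']:9d} bytes {'bot' if s['bot'] else ''}")
    print(f"{skipped} unparsed line(s)")
```

To run it on real data, pass an open file object for one of the `*-access.log` files to `summarize()` instead of `SAMPLE`.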