我被警告说我的服务器超出了传输限制。我认为我的 Tor 节点变得流行起来,所以我选择本月禁用它(这不是社区的最佳选择,但我需要关闭它)。然后我注意到服务器今晚传输了大约 4GB。我用 Awstats 检查了 Apache 日志,没有相关流量(而且我在那里没有托管如此受欢迎的网站)。我检查了邮件日志,没有人试图发送垃圾邮件。我检查了messages
日志,发现了大量这样的
Apr 29 10:17:53 marcus sshd[9281]: Did not receive identification string from 85.170.189.156
Apr 29 10:18:07 marcus sshd[9283]: Did not receive identification string from 86.208.123.132
Apr 29 10:18:24 marcus sshd[9298]: Did not receive identification string from 85.170.189.156
Apr 29 10:18:39 marcus sshd[9303]: Did not receive identification string from 86.208.123.132
Apr 29 10:18:56 marcus sshd[9306]: Did not receive identification string from 85.170.189.156
Apr 29 10:19:11 marcus sshd[9309]: Did not receive identification string from 86.208.123.132
Apr 29 10:19:18 marcus sshd[9312]: Did not receive identification string from 101.98.178.92
Apr 29 10:19:27 marcus sshd[9314]: Did not receive identification string from 85.170.189.156
Apr 29 10:19:41 marcus sshd[9317]: Did not receive identification string from 86.208.123.132
Apr 29 10:20:01 marcus sshd[9321]: Did not receive identification string from 85.170.189.156
Apr 29 10:20:13 marcus sshd[9324]: Did not receive identification string from 86.208.123.132
Apr 29 10:20:32 marcus sshd[9327]: Did not receive identification string from 85.170.189.156
Apr 29 10:20:48 marcus sshd[9331]: Did not receive identification string from 86.208.123.132
Apr 29 10:21:07 marcus sshd[9336]: Did not receive identification string from 85.170.189.156
Apr 29 10:21:20 marcus sshd[9338]: Did not receive identification string from 86.208.123.132
Apr 29 10:21:35 marcus sshd[9341]: Did not receive identification string from 85.170.189.156
Apr 29 10:21:51 marcus sshd[9344]: Did not receive identification string from 86.208.123.132
Apr 29 10:22:06 marcus sshd[9349]: Did not receive identification string from 85.170.189.156
Apr 29 10:22:23 marcus sshd[9353]: Did not receive identification string from 86.208.123.132
Apr 29 10:22:39 marcus sshd[9359]: Did not receive identification string from 85.170.189.156
Apr 29 10:22:54 marcus sshd[9361]: Did not receive identification string from 86.208.123.132
Apr 29 10:23:10 marcus sshd[9367]: Did not receive identification string from 85.170.189.156
Apr 29 10:23:29 marcus sshd[9369]: Did not receive identification string from 86.208.123.132
Apr 29 10:23:45 marcus sshd[9375]: Did not receive identification string from 85.170.189.156
Apr 29 10:24:10 marcus sshd[9387]: Did not receive identification string from 86.208.123.132
Apr 29 10:24:16 marcus sshd[9388]: Did not receive identification string from 85.170.189.156
每隔几秒钟,就会有一个机器人试图破解我的 SSH,但这是不可能的,因为我需要公钥身份验证。我的问题是:这种流量以这种频率在 10 小时的持续攻击中会消耗 4GB(假设是 3.5)吗?
我已经更改了 SSH 端口并阻止了这些攻击,但我不确定我的网络消耗情况。我没有运行不受控制的服务 - 我的防火墙有点限制 - 或与滥用 P2P 或类似操作的人共享服务器。我担心的是每月流量低于 400GB。
有小费吗?
答案1
4 GB 是可能的,但考虑到攻击率,可能性很小。我建议安装 OSSEC,它可以检测入侵尝试并在一定时间内自动阻止 IP。
答案2
如果这些是造成带宽占用的原因,那么当您在系统上处理它们时,带宽已经被消耗了。您可以使用 iptraf 之类的工具来详细了解每个接口/端口上发生的情况,然后根据事实采取适当的措施。
答案3
不,这些每秒一次的连接尝试本身在十小时内不会累积到 4GB。您认为通过每秒获取一个微小数据包,您可以在 10 小时内下载 4GB 的文件吗?一小时有 3600 秒,因此如果您在十小时内每秒获取 1 千字节,那么这将是 36000 KB,即 36 兆字节。
您的带宽是根据从提供商到外部路由器的管道传输的数据来衡量的,而不是根据到达服务器的数据来衡量的。您必须查看未到达服务器的垃圾,大多数外部设备都在拒绝这些垃圾。
至于到达服务器的数据,您不能依赖应用程序日志。即使是本地防火墙悄悄丢弃的数据包也是带宽。接口统计信息(显示为ifconfig
)将告诉您 Tx/Rx 字节数。