[olug] High traffic from firewall?

Dan Linder dan at linder.org
Fri Dec 23 09:59:41 CST 2016


Can you throw an Ethernet hub between the external firewall port and your
DSL/Cablemodem and sniff the traffic to get an idea what's in the traffic?
It won't be fun, but a few filters taking out the expected traffic should
help.

Dan

On Thu, Dec 22, 2016 at 1:00 PM, Ben Hollingsworth <obiwan at jedi.com> wrote:

> OK, I'm concerned.  I have a headless linux (Ubuntu Server 14.04) firewall
> that controls access to my home network via iptables.  It runs a DNS
> server, DHCP server, mail server (only for outgoing mail), and HTTP
> redirect server that points traffic to another internal server.  I try to
> keep the firewall locked down pretty tight, especially from the outside
> world.
>
> Beginning about 9am yesterday, my outgoing bandwidth from the firewall to
> the outside world has been pegged pretty constantly at about 5 Mbps.  It's
> normally only a few kbps.  There's no significant traffic on the
> firewall's internal NIC, so all this traffic must be generated on the
> firewall itself.  Here's the MRTG graph:
> 
>
> I'm running tcpdump trying to diagnose it from work right now, but with
> the kids & wife at home all day, it's hard to know which traffic is them &
> which isn't.  Virtually all outgoing traffic is to an HTTPS port.  Once I
> get home, I can block individual IPs easily enough, but I'm concerned that
> I've got a bigger problem.
>
> What's the best way to determine if I've got a root kit on a linux
> server?  ps doesn't show anything suspicious, but no self respecting root
> kit would show up there, anyway.
>
> --
> *Ben "Obi-Wan" Hollingsworth* obiwan at jedi.com <mailto:obiwan at jedi.com>
> www.Jedi.com <http://www.jedi.com>
> The stuff of earth competes for the allegiance I owe only to the
> Giver of all good things, so if I stand, let me stand on the
> promise that You will pull me through. /-- Rich Mullins/
>
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
>



-- 
***************** ************* *********** ******* ***** *** **
"If you wish to make an apple pie from scratch,
  you must first invent the universe."
  -- Carl Sagan

"Quis custodiet ipsos custodes?"
    (Who can watch the watchmen?)
    -- from the Satires of Juvenal

"I do not fear computers, I fear the lack of them."
    -- Isaac Asimov (Author)
** *** ***** ******* *********** ************* *****************
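One way to do the "filters taking out the expected traffic" step on a capture, as an added example that is not part of the original post: it parses `tcpdump -nn -q` text output, keeps only outbound packets, drops the services the firewall is expected to talk to, and ranks the remaining destinations by payload bytes. The firewall address, the expected-service set and the sample lines are assumptions constructed for the example.

```python
"""Rank outbound destinations from tcpdump text, after dropping expected flows.

Assumed capture (on the firewall's external interface, or on a box hung off
the hub):  tcpdump -nn -q -i eth0 > outbound.txt
The line format matched below is assumed to be tcpdump's -nn -q output.
"""
import re
from collections import defaultdict

# e.g. "09:00:01.000001 IP 192.0.2.1.51000 > 198.51.100.5.443: tcp 1448"
#      "09:00:01.000003 IP 192.0.2.1.40000 > 203.0.113.9.53: UDP, length 60"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?:tcp (?P<tcp_len>\d+)|UDP, length (?P<udp_len>\d+))"
)

FIREWALL_IP = "192.0.2.1"  # assumed address of the external NIC (NAT source)
# Services the firewall is expected to originate (assumed; tune to the box):
EXPECTED = {("udp", 53), ("tcp", 25), ("udp", 123)}  # DNS, outgoing mail, NTP

def summarise(lines, firewall_ip=FIREWALL_IP, expected=EXPECTED):
    """Return {(dst, dport): payload bytes} for outbound packets not in `expected`.
    After NAT every outbound packet carries the external address, so the source
    check selects direction only; it cannot tell LAN hosts from the firewall."""
    totals = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["src"] != firewall_ip:
            continue  # unparsed (ARP, ICMP, IPv6) or inbound packet
        proto = "tcp" if m["tcp_len"] is not None else "udp"
        dport = int(m["dport"])
        if (proto, dport) in expected:
            continue
        totals[(m["dst"], dport)] += int(m["tcp_len"] or m["udp_len"])
    return dict(totals)

def top_talkers(totals, n=3):
    """Destinations sorted by bytes sent, largest first."""
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

SAMPLE = [  # constructed lines, not a real capture
    "09:00:01.000001 IP 192.0.2.1.51000 > 198.51.100.5.443: tcp 1448",
    "09:00:01.000002 IP 192.0.2.1.51000 > 198.51.100.5.443: tcp 1448",
    "09:00:01.000003 IP 192.0.2.1.40000 > 203.0.113.9.53: UDP, length 60",
    "09:00:01.000004 IP 192.0.2.1.51001 > 198.51.100.7.25: tcp 120",
    "09:00:01.000005 IP 192.0.2.1.51002 > 203.0.113.20.443: tcp 900",
    "09:00:01.000006 IP 203.0.113.9.53 > 192.0.2.1.40000: UDP, length 120",
    "09:00:01.000007 IP 192.0.2.1.51003 > 203.0.113.99.22: tcp 0",
]

if __name__ == "__main__":
    for (dst, port), nbytes in top_talkers(summarise(SAMPLE)):
        print(f"{dst}:{port}\t{nbytes} bytes")
```

Whatever tops the list is where to look next; a destination the household cannot account for is the one to block and then trace back to the process with the socket open on the firewall.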