[olug] High traffic from firewall?

Justin Reiners justin at hotlinesinc.com
Thu Dec 22 14:14:03 CST 2016


this looks interesting as well, never used it though.

http://jekor.com/gressgraph/

On Thu, Dec 22, 2016 at 2:10 PM, Justin Reiners <justin at hotlinesinc.com>
wrote:

> https://www.howtoforge.com/tutorial/how-to-scan-linux-for-malware-and-rootkits/
>
>
> On Thu, Dec 22, 2016 at 1:55 PM, Ben Hollingsworth <obiwan at jedi.com>
> wrote:
>
>> Chkrootkit hasn't been maintained for many years.  It shows one false
>> positive.
>>
>>
>> On 12/22/2016 01:43 PM, Dave Thacker wrote:
>>
>>> chkrootkit?
>>>
>>> Is all the traffic originating on the firewall or inside the firewall?
>>>
>>> Dave
>>>
>>>
>>> On Thu, Dec 22, 2016 at 1:00 PM, Ben Hollingsworth <obiwan at jedi.com>
>>> wrote:
>>>
>>>> OK, I'm concerned.  I have a headless linux (Ubuntu Server 14.04) firewall
>>>> that controls access to my home network via iptables.  It runs a DNS
>>>> server, DHCP server, mail server (only for outgoing mail), and HTTP
>>>> redirect server that points traffic to another internal server.  I try to
>>>> keep the firewall locked down pretty tight, especially from the outside
>>>> world.
>>>>
>>>> Beginning about 9am yesterday, my outgoing bandwidth from the firewall to
>>>> the outside world has been pegged pretty constantly at about 5 Mbps.  It's
>>>> normally only a few kbps.  There's no significant traffic on the
>>>> firewall's internal NIC, so all this traffic must be generated on the
>>>> firewall itself.  Here's the MRTG graph:
>>>>
>>>>
>>>> I'm running tcpdump trying to diagnose it from work right now, but with
>>>> the kids & wife at home all day, it's hard to know which traffic is them &
>>>> which isn't.  Virtually all outgoing traffic is to an HTTPS port.  Once I
>>>> get home, I can block individual IP's easily enough, but I'm concerned that
>>>> I've got a bigger problem.
>>>>
>>>> What's the best way to determine if I've got a root kit on a linux
>>>> server?  ps doesn't show anything suspicious, but no self respecting root
>>>> kit would show up there, anyway.
>>>>
>>>> --
>>>> *Ben "Obi-Wan" Hollingsworth* obiwan at jedi.com <mailto:obiwan at jedi.com>
>>>> www.Jedi.com <http://www.jedi.com>
>>>> The stuff of earth competes for the allegiance I owe only to the
>>>> Giver of all good things, so if I stand, let me stand on the
>>>> promise that You will pull me through. /-- Rich Mullins/
>>>>
>>>> _______________________________________________
>>>> OLUG mailing list
>>>> OLUG at olug.org
>>>> https://lists.olug.org/mailman/listinfo/olug
>>>>
>>>>
>>>
>>>
>>
>> --
>> *Ben "Obi-Wan" Hollingsworth* obiwan at jedi.com <mailto:obiwan at jedi.com>
>> www.Jedi.com <http://www.jedi.com>
>> The stuff of earth competes for the allegiance I owe only to the
>> Giver of all good things, so if I stand, let me stand on the
>> promise that You will pull me through. /-- Rich Mullins/
>>
>>
>
>

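Ben's underlying question in the quoted thread is how to tie the unexplained outbound HTTPS traffic on the firewall to a process, given that ps may not be trustworthy. The following is an added triage helper, not code from the thread or from any tool mentioned in it. It parses /proc/net/tcp (the kernel's socket table, which ss and netstat also read) and maps each established connection to port 443 back to an owning process via /proc/<pid>/fd. It assumes a Linux IPv4 host with little-endian byte order (the address encoding in /proc/net/tcp is host order); the sample socket table, inode numbers, pids and process names below are constructed for the demonstration and use documentation addresses, and the live mode needs root to read other users' /proc entries.

```python
"""Attribute established outbound HTTPS connections to processes by reading
/proc/net/tcp and /proc/<pid>/fd. Added example; sample data is constructed."""
import os
import socket
import struct
from collections import Counter

TCP_ESTABLISHED = 0x01  # socket state codes from include/net/tcp_states.h


def decode_addr(hexaddr):
    """'057100CB:01BB' -> ('203.0.113.5', 443).
    /proc/net/tcp prints the IPv4 address as a host-order 32-bit value,
    so on a little-endian host it is unpacked with '<I'."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into rows of local, remote, state, inode."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({
            "local": decode_addr(f[1]),
            "remote": decode_addr(f[2]),
            "state": int(f[3], 16),
            "inode": int(f[9]),
        })
    return rows


def outbound_by_remote(rows, port=443):
    """Count established connections per remote IP for one remote port."""
    return Counter(r["remote"][0] for r in rows
                   if r["state"] == TCP_ESTABLISHED and r["remote"][1] == port)


def socket_inode_owners():
    """Map socket inode -> (pid, comm) by reading /proc/<pid>/fd symlinks.
    Live helper: needs root to see every process; Linux only."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                link = os.readlink(f"/proc/{pid}/fd/{fd}")
                if link.startswith("socket:["):
                    owners[int(link[8:-1])] = (int(pid), comm)
        except OSError:
            continue  # process exited mid-scan, or permission denied
    return owners


def attribute(rows, owners, port=443):
    """Return (remote_ip, inode, pid, comm) for each established connection to
    `port`. A socket with no owner in /proc deserves a closer look: it may be a
    kernel socket, a process you lack permission to inspect, or one hidden from
    the process table, which is exactly the case where ps output is not enough."""
    out = []
    for r in rows:
        if r["state"] != TCP_ESTABLISHED or r["remote"][1] != port:
            continue
        pid, comm = owners.get(r["inode"], (None, "NO OWNER IN /proc"))
        out.append((r["remote"][0], r["inode"], pid, comm))
    return out


# Constructed /proc/net/tcp sample: one DNS listener, three HTTPS connections
# (two to 203.0.113.5, one to 198.51.100.7) and one SMTP connection.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A00000A:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:C350 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 2001 1 0000000000000000 20 4 30 10 -1
   2: 0A00000A:C351 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 2002 1 0000000000000000 20 4 30 10 -1
   3: 0A00000A:C352 076433C6:01BB 01 00000000:00000000 00:00000000 00000000     0        0 2003 1 0000000000000000 20 4 30 10 -1
   4: 0A00000A:C353 076433C6:0019 01 00000000:00000000 00:00000000 00000000     0        0 2004 1 0000000000000000 20 4 30 10 -1
"""
# Constructed owner map standing in for socket_inode_owners(); inode 2003 has
# no owner on purpose, to show how an unattributed socket is reported.
SAMPLE_OWNERS = {2001: (4242, "curl"), 2002: (4242, "curl"), 2004: (900, "postfix")}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        with open("/proc/net/tcp") as fh:
            rows = parse_proc_net_tcp(fh.read())
        owners = socket_inode_owners()
    else:
        rows, owners = parse_proc_net_tcp(SAMPLE), SAMPLE_OWNERS
    for ip, n in outbound_by_remote(rows).most_common():
        print(f"{n:4d} established HTTPS connection(s) to {ip}")
    for ip, inode, pid, comm in attribute(rows, owners):
        print(f"  {ip:16s} inode={inode} pid={pid} comm={comm}")
```

Run it without arguments to see the constructed sample, or with `--live` as root on the firewall itself to read the real socket table. Comparing its output against ss or netstat is a cheap consistency check: a connection that /proc/net/tcp shows but no /proc/<pid>/fd claims is the kind of discrepancy that warrants the rootkit scanners the thread goes on to discuss, or better, an offline inspection of the disk.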
