The Community Forums


Constant Incoming Traffic

Discussion in 'General Discussion' started by Solokron, Jul 8, 2010.

  1. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    I have a server that has a very high level of incoming traffic consistently throughout the month, surpassing outgoing traffic at times. I suspect it to be someone's personal PC backup software or something along those lines. Is there any way to monitor "incoming" bandwidth of client accounts with cPanel/WHM?
     
  2. acenetryan

    acenetryan Well-Known Member
    PartnerNOC

    Joined:
    Aug 21, 2005
    Messages:
    197
    Likes Received:
    1
    Trophy Points:
    18
    You could monitor the FTP service at the time of the peak usage:

    service pure-ftpd/proftpd status

    Or you could go back through /var/log/messages (or wherever you log FTP accesses to) and see who's been using FTP the most frequently.

    You could also List Accounts in WHM and see who has the highest bandwidth usage. Or even the highest Disk Space usage may point you in the right direction; high incoming bandwidth might correlate well with high disk space usage if they're backing up local files.
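
Added example, not part of any post in this thread: one way to do the FTP log review suggested above, totalling uploaded (incoming) bytes per FTP user. It assumes the FTP daemon writes a standard xferlog-format transfer log; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Sum incoming (upload) bytes per FTP user from xferlog-format lines on stdin.
# xferlog fields: date(5) xfer-time host size filename type flag direction
#                 access-mode username service auth-method auth-id status
# Direction and username are read from the end of the line so that a
# filename containing spaces does not shift them.
ftp_incoming_by_user() {
    awk '
        NF >= 18 && $(NF-6) == "i" {      # "i" = incoming (upload to the server)
            bytes[$(NF-4)] += $8          # $8 = bytes transferred
            count[$(NF-4)]++
        }
        END {
            for (u in bytes) printf "%s %.0f %d\n", u, bytes[u], count[u]
        }
    ' | sort -k2,2nr -k1,1                # heaviest uploader first
}

# Constructed sample log (documentation IP ranges, made-up users).
sample_xferlog() {
    cat <<'EOF'
Thu Jul  8 03:12:45 2010 12 203.0.113.10 5242880 /home/alice/backup/a.tar b _ i r alice ftp 0 * c
Thu Jul  8 03:13:10 2010 20 203.0.113.10 10485760 /home/alice/backup/b.tar b _ i r alice ftp 0 * c
Thu Jul  8 04:00:01 2010 1 198.51.100.7 2048 /home/bob/public_html/index.html a _ o r bob ftp 0 * c
Thu Jul  8 04:05:30 2010 3 198.51.100.7 1048576 /home/bob/public_html/site backup.zip b _ i r bob ftp 0 * c
EOF
}

# Output columns: user, total uploaded bytes, number of uploads.
sample_xferlog | ftp_incoming_by_user
```

To run it against a real log, pipe that file into `ftp_incoming_by_user` instead of the sample.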
     
  3. Solokron

    Solokron Well-Known Member

    Yes, I am aware of all those.

    Does the bandwidth number incorporate incoming FTP though? I am not sure it does.

     
  4. Solokron

    Solokron Well-Known Member

    This is what I am seeing which has been constant every day for the past four months now.

    [​IMG]
     
  5. Solokron

    Solokron Well-Known Member

    A small attack also comes to mind, but it has been going on for four months.
     
  6. Solokron

    Solokron Well-Known Member

    Update. Consistently higher than outgoing traffic.

    [​IMG]
     
  7. jtopjian

    jtopjian Member

    Joined:
    Mar 8, 2009
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Have you tried installing iptraf and monitoring network activity through that?
     
  8. Solokron

    Solokron Well-Known Member

    I have, actually, but the install was a disaster. I am going to try out NfSen, which uses nfdump and rrdtool.

    I have the latter two installed now and I am working on getting NfSen going.

     
  9. Solokron

    Solokron Well-Known Member

    I got iptraf working with an rpm package with no problems.

    Running it with a LAN station monitor, it shows two additional eth0 interfaces with MACs that do not match the NIC or sub-interfaces of it. One has a lot of incoming traffic on it which would match the above graphs. Compromised or are these false positives?

    *Upon closer inspection it appears it may be how CSF filters out traffic as the inrate of that interface closely matches the outrate of the main IP.

    Back to the investigation.
     
    #9 Solokron, Jul 9, 2010
    Last edited: Jul 9, 2010
  10. Solokron

    Solokron Well-Known Member

    I found some odd activity with a group of IPs which I have had blocked at the firewall, along with enabling SYN attack defense. The mass incoming traffic has subsided for the time period.

    [​IMG]
     
    #10 Solokron, Jul 9, 2010
    Last edited: Jul 9, 2010
  11. Pyloth

    Pyloth Member

    Joined:
    Jul 9, 2010
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Looks like your problem was right there. How'd you get a hold of their IP? As in how did you know it was them?
     
  12. Solokron

    Solokron Well-Known Member

    Combination of iptraf and nfdump. iptraf should be sufficient though.

     