SSH attacks drain 4GB in 10 hours. Possible?
I have been warned that my server broke its transfer limit. I thought that my Tor node became popular so I chose to disable it this month (not the best choice for the community but I need to go down). Then I noticed that the server transferred around 4GBs this night. I have checked Apache logs with Awstats, no relevant traffic (and I don't host so popular sites there). I have checked mail logs, no one tried to send garbage. I have checked messages logs and found tons of these
Apr 29 10:17:53 marcus sshd[9281]: Did not receive identification string from 85.170.189.156
Apr 29 10:18:07 marcus sshd[9283]: Did not receive identification string from 86.208.123.132
Apr 29 10:18:24 marcus sshd[9298]: Did not receive identification string from 85.170.189.156
Apr 29 10:18:39 marcus sshd[9303]: Did not receive identification string from 86.208.123.132
Apr 29 10:18:56 marcus sshd[9306]: Did not receive identification string from 85.170.189.156
Apr 29 10:19:11 marcus sshd[9309]: Did not receive identification string from 86.208.123.132
Apr 29 10:19:18 marcus sshd[9312]: Did not receive identification string from 101.98.178.92
Apr 29 10:19:27 marcus sshd[9314]: Did not receive identification string from 85.170.189.156
Apr 29 10:19:41 marcus sshd[9317]: Did not receive identification string from 86.208.123.132
Apr 29 10:20:01 marcus sshd[9321]: Did not receive identification string from 85.170.189.156
Apr 29 10:20:13 marcus sshd[9324]: Did not receive identification string from 86.208.123.132
Apr 29 10:20:32 marcus sshd[9327]: Did not receive identification string from 85.170.189.156
Apr 29 10:20:48 marcus sshd[9331]: Did not receive identification string from 86.208.123.132
Apr 29 10:21:07 marcus sshd[9336]: Did not receive identification string from 85.170.189.156
Apr 29 10:21:20 marcus sshd[9338]: Did not receive identification string from 86.208.123.132
Apr 29 10:21:35 marcus sshd[9341]: Did not receive identification string from 85.170.189.156
Apr 29 10:21:51 marcus sshd[9344]: Did not receive identification string from 86.208.123.132
Apr 29 10:22:06 marcus sshd[9349]: Did not receive identification string from 85.170.189.156
Apr 29 10:22:23 marcus sshd[9353]: Did not receive identification string from 86.208.123.132
Apr 29 10:22:39 marcus sshd[9359]: Did not receive identification string from 85.170.189.156
Apr 29 10:22:54 marcus sshd[9361]: Did not receive identification string from 86.208.123.132
Apr 29 10:23:10 marcus sshd[9367]: Did not receive identification string from 85.170.189.156
Apr 29 10:23:29 marcus sshd[9369]: Did not receive identification string from 86.208.123.132
Apr 29 10:23:45 marcus sshd[9375]: Did not receive identification string from 85.170.189.156
Apr 29 10:24:10 marcus sshd[9387]: Did not receive identification string from 86.208.123.132
Apr 29 10:24:16 marcus sshd[9388]: Did not receive identification string from 85.170.189.156
Every few seconds a bot is trying to hack my SSH, which is impossible because I require pubkey authentication. My question is: can this traffic, at this frequency, consume 4GBs (let's say 3.5) in 10 hours of continuous attack?
I have changed my SSH port and stopped these attacks, but I'm unsure about my network consumption. I don't have services out of control running (my firewall is kinda restrictive), or share the server with someone abusively doing P2P or whatever. My concern is to go below 400GB/month.
Any tips?
Solution 1:
4 GB is possible, but very unlikely considering the attack rate. I suggest installing OSSEC, it detects break-in attempts and blocks the IP automatically for a certain timeout.
Solution 2:
If these are the cause of the bandwidth usage then the bandwidth is already consumed by the time you deal with them on your system. You can use a tool like iptraf to give you a breakdown of what's happening on each interface/port and then you can take appropriate action based on facts.
Solution 3:
No, these once-per-second connection attempts themselves are not going to add up to 4GB in ten hours. Do you think you could download a 4GB file in 10 hours by getting a tiny packet once a second? There are 3600 seconds in an hour, so if you get a kilobyte a second for ten hours, that would be 36000 KB, or 36 megabytes.
Your bandwidth is measured according to what goes down the pipe from your provider to your external router, not what reaches your server. You have to look at the crap that isn't reaching your server, that most external piece of equipment is rejecting.
As far as what does reach your server, you cannot rely on application logs. Even packets that are silently dropped by the local firewall are bandwidth. Interface stats (shown by ifconfig) will tell you Tx/Rx bytes.