[olug] High traffic from firewall?

Ben Hollingsworth obiwan at jedi.com
Thu Dec 22 13:00:34 CST 2016


OK, I'm concerned.  I have a headless linux (Ubuntu Server 14.04) 
firewall that controls access to my home network via iptables.  It runs 
a DNS server, DHCP server, mail server (only for outgoing mail), and 
HTTP redirect server that points traffic to another internal server.  I 
try to keep the firewall locked down pretty tight, especially from the 
outside world.

Beginning about 9am yesterday, my outgoing bandwidth from the firewall 
to the outside world has been pegged pretty constantly at about 5 Mbps.  
It's normally only a few kbps.  There's no significant traffic on the 
firewall's internal NIC, so all this traffic must be generated on the 
firewall itself.  Here's the MRTG graph:


I'm running tcpdump trying to diagnose it from work right now, but with 
the kids & wife at home all day, it's hard to know which traffic is them 
& which isn't.  Virtually all outgoing traffic is to an HTTPS port.  
Once I get home, I can block individual IPs easily enough, but I'm 
concerned that I've got a bigger problem.

What's the best way to determine if I've got a root kit on a linux 
server?  ps doesn't show anything suspicious, but no self respecting 
root kit would show up there, anyway.

-- 
*Ben "Obi-Wan" Hollingsworth* obiwan at jedi.com
www.Jedi.com
The stuff of earth competes for the allegiance I owe only to the
Giver of all good things, so if I stand, let me stand on the
promise that You will pull me through. /-- Rich Mullins/
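A triage step for the situation described in the post above, as an added shell example that is not from the original message or the OLUG list: it takes `tcpdump -nn` output, keeps only packets the firewall itself sends to port 443, and totals the reported payload bytes per destination address so the top talkers can be looked up in the socket table. The external address 203.0.113.5, the interface name used in the usage note, and the capture lines embedded below are all constructed for the example.

```shell
#!/bin/sh
# Summarise outbound HTTPS traffic from a tcpdump capture by destination address.
# Input: lines in the one-packet-per-line format printed by "tcpdump -nn".
# Output: "bytes dest_ip" lines, largest total first.

# Constructed sample capture (not real traffic). 203.0.113.5 stands in for the
# firewall's external address; the other addresses are documentation ranges.
SAMPLE_CAPTURE='13:00:34.100001 IP 203.0.113.5.51234 > 198.51.100.7.443: Flags [P.], seq 1:1449, ack 1, win 229, length 1448
13:00:34.100002 IP 203.0.113.5.51234 > 198.51.100.7.443: Flags [P.], seq 1449:2897, ack 1, win 229, length 1448
13:00:34.100003 IP 203.0.113.5.40000 > 192.0.2.25.443: Flags [P.], seq 1:101, ack 1, win 229, length 100
13:00:34.100004 IP 198.51.100.7.443 > 203.0.113.5.51234: Flags [.], ack 2897, win 500, length 0
13:00:34.100005 IP 203.0.113.5.53 > 192.0.2.53.53: 12345+ A? example.com. (29)
13:00:34.100006 IP 203.0.113.5.51234 > 198.51.100.7.443: Flags [P.], seq 2897:4345, ack 1, win 229, length 1448'

# https_bytes_by_dest <our_external_ip>   (capture lines are read on stdin)
# Only packets whose source is <our_external_ip> and whose destination port is
# 443 are counted, so replies and DNS/other ports are ignored.
https_bytes_by_dest() {
    awk -v src="$1" '
        # Field layout of a tcpdump -nn IPv4 line:
        #   $1 timestamp  $2 "IP"  $3 "src.sport"  $4 ">"  $5 "dst.dport:"
        $2 == "IP" && $4 == ">" {
            s = $3; sub(/\.[0-9]+$/, "", s)        # strip the source port
            d = $5; sub(/:$/, "", d)               # drop the trailing colon
            n = split(d, parts, ".")
            if (n != 5) next                       # expect a.b.c.d.port
            dport = parts[5]
            dst = parts[1] "." parts[2] "." parts[3] "." parts[4]
            if (s != src || dport != "443") next
            # tcpdump ends each TCP line with "length N" (the payload size)
            if (match($0, /length [0-9]+$/)) {
                len = substr($0, RSTART + 7, RLENGTH - 7)
                bytes[dst] += len
            }
        }
        END { for (k in bytes) printf "%d %s\n", bytes[k], k }
    ' | sort -rn
}

# Run the summary over the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_CAPTURE" | https_bytes_by_dest 203.0.113.5
```

On the live box, capture for a fixed window and feed the result in, e.g. `timeout 120 tcpdump -nn -i eth0 -l 'tcp and dst port 443' | https_bytes_by_dest 203.0.113.5` (interface name and address assumed), then look each top destination up with `ss -tnp dst <ip>` to see which PID owns the connection. Two caveats: if the LAN is NATed, packets from inside the house also leave with the external address as source, so the quiet internal NIC the post mentions is the real evidence that the traffic originates on the firewall; and `ss`, like `ps`, reads kernel state that a rootkit may filter, so a PID that fails to appear for a connection that tcpdump plainly shows is itself a finding worth comparing against a boot from known-clean media.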


