服务器流入流量基本未变,流出流量突然成倍增长是什么原因?

2014-05-22 09:49:21 +08:00
 bobopu
ubuntu系统,这两天流入流量基本未变,但流出流量增长了3-4倍,请分析一下是什么原因?初步排除病毒/肉鸡问题。
4786 次点击
所在节点    云计算
17 条回复
mahone3297
2014-05-22 09:58:10 +08:00
如何监控流入流出流量?请教。。。
hq5261984
2014-05-22 09:59:25 +08:00
是否有视频或者大型文件在服务器上。如果有可能是迅雷或者干的。
mhycy
2014-05-22 10:02:04 +08:00
查查日志?
bobopu
2014-05-22 10:05:19 +08:00
@mahone3297 最简单的,阿里云云盾里可以很清楚的看到,如果你不是阿里云的主机,可以装个安全狗也能看到。
bobopu
2014-05-22 10:06:18 +08:00
@hq5261984 没有视频或大型文件,就几个静态页面,连数据库都没。
bobopu
2014-05-22 10:06:29 +08:00
@mhycy 恩,正在翻日志。
ericls
2014-05-22 10:10:24 +08:00
iftop
ShunYea
2014-05-22 11:19:41 +08:00
被盗链了?
bobopu
2014-05-22 11:48:13 +08:00
@ShunYea 就几个静态页面,连图都没,不存在盗链。
阿里云给了个关闭UDP外发的脚本
check_os_release()
{
while true
do
os_release=$(grep "Red Hat Enterprise Linux Server release" /etc/issue 2>/dev/null)
os_release_2=$(grep "Red Hat Enterprise Linux Server release" /etc/redhat-release 2>/dev/null)
if [ "$os_release" ] && [ "$os_release_2" ]
then
if echo "$os_release"|grep "release 5" >/dev/null 2>&1
then
os_release=redhat5
echo "$os_release"
elif echo "$os_release"|grep "release 6" >/dev/null 2>&1
then
os_release=redhat6
echo "$os_release"
else
os_release=""
echo "$os_release"
fi
break
fi
os_release=$(grep "Aliyun Linux release" /etc/issue 2>/dev/null)
os_release_2=$(grep "Aliyun Linux release" /etc/aliyun-release 2>/dev/null)
if [ "$os_release" ] && [ "$os_release_2" ]
then
if echo "$os_release"|grep "release 5" >/dev/null 2>&1
then
os_release=aliyun5
echo "$os_release"
elif echo "$os_release"|grep "release 6" >/dev/null 2>&1
then
os_release=aliyun6
echo "$os_release"
else
os_release=""
echo "$os_release"
fi
break
fi
os_release=$(grep "CentOS release" /etc/issue 2>/dev/null)
os_release_2=$(grep "CentOS release" /etc/*release 2>/dev/null)
if [ "$os_release" ] && [ "$os_release_2" ]
then
if echo "$os_release"|grep "release 5" >/dev/null 2>&1
then
os_release=centos5
echo "$os_release"
elif echo "$os_release"|grep "release 6" >/dev/null 2>&1
then
os_release=centos6
echo "$os_release"
else
os_release=""
echo "$os_release"
fi
break
fi
os_release=$(grep -i "ubuntu" /etc/issue 2>/dev/null)
os_release_2=$(grep -i "ubuntu" /etc/lsb-release 2>/dev/null)
if [ "$os_release" ] && [ "$os_release_2" ]
then
if echo "$os_release"|grep "Ubuntu 10" >/dev/null 2>&1
then
os_release=ubuntu10
echo "$os_release"
elif echo "$os_release"|grep "Ubuntu 12.04" >/dev/null 2>&1
then
os_release=ubuntu1204
echo "$os_release"
elif echo "$os_release"|grep "Ubuntu 12.10" >/dev/null 2>&1
then
os_release=ubuntu1210
echo "$os_release"
else
os_release=""
echo "$os_release"
fi
break
fi
os_release=$(grep -i "debian" /etc/issue 2>/dev/null)
os_release_2=$(grep -i "debian" /proc/version 2>/dev/null)
if [ "$os_release" ] && [ "$os_release_2" ]
then
if echo "$os_release"|grep "Linux 6" >/dev/null 2>&1
then
os_release=debian6
echo "$os_release"
else
os_release=""
echo "$os_release"
fi
break
fi
os_release=$(grep "openSUSE" /etc/issue 2>/dev/null)
os_release_2=$(grep "openSUSE" /etc/*release 2>/dev/null)
if [ "$os_release" ] && [ "$os_release_2" ]
then
if echo "$os_release"|grep "13.1" >/dev/null 2>&1
then
os_release=opensuse131
echo "$os_release"
else
os_release=""
echo "$os_release"
fi
break
fi
break
done
}

exit_script()
{
echo -e "\033[1;40;31mInstall $1 error,will exit.\n\033[0m"
rm -f $LOCKfile
exit 1
}

config_iptables()
{
iptables -I OUTPUT 1 -p tcp -m multiport --dport 21,22,23,25,53,80,135,139,443,445 -j DROP
iptables -I OUTPUT 2 -p tcp -m multiport --dport 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186 -j DROP
iptables -I OUTPUT 3 -p udp -j DROP
iptables -nvL
}

ubuntu_config_ufw()
{
ufw deny out proto tcp to any port 21,22,23,25,53,80,135,139,443,445
ufw deny out proto tcp to any port 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
ufw deny out proto udp to any
ufw status
}

####################Start###################
#check lock file ,one time only let the script run one time
LOCKfile=/tmp/.$(basename $0)
if [ -f "$LOCKfile" ]
then
echo -e "\033[1;40;31mThe script is already exist,please next time to run this script.\n\033[0m"
exit
else
echo -e "\033[40;32mStep 1.No lock file,begin to create lock file and continue.\n\033[40;37m"
touch $LOCKfile
fi

#check user
if [ $(id -u) != "0" ]
then
echo -e "\033[1;40;31mError: You must be root to run this script, please use root to execute this script.\n\033[0m"
rm -f $LOCKfile
exit 1
fi

echo -e "\033[40;32mStep 2.Begen to check the OS issue.\n\033[40;37m"
os_release=$(check_os_release)
if [ "X$os_release" == "X" ]
then
echo -e "\033[1;40;31mThe OS does not identify,So this script is not executede.\n\033[0m"
rm -f $LOCKfile
exit 0
else
echo -e "\033[40;32mThis OS is $os_release.\n\033[40;37m"
fi

echo -e "\033[40;32mStep 3.Begen to config firewall.\n\033[40;37m"
case "$os_release" in
redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)
service iptables start
config_iptables
;;
debian6)
config_iptables
;;
ubuntu10|ubuntu1204|ubuntu1210)
ufw enable <<EOF
y
EOF
ubuntu_config_ufw
;;
opensuse131)
config_iptables
;;
esac

echo -e "\033[40;32mConfig firewall success,this script now exit!\n\033[40;37m"
rm -f $LOCKfile
thinkxen
2014-05-22 12:50:40 +08:00
@mahone3297 iptraf等或者监控宝之类的网站,也可以问机房要MRTG
@bobopu 还是看网站日志~~
hydrazt
2014-05-22 13:09:08 +08:00
tcpdump抓包分析。
之前有遇到类似情况,当网络丢包严重时,系统会将无ack响应的数据库重发,间接导致流出数据量翻倍。
bobopu
2014-05-22 14:12:07 +08:00
@hydrazt 哥们,太感谢你了,果然是这台服务器在将数据包转发到另一台服务器(死机)时得不到响应,持续发包所致,重启后解决。
wzxjohn
2014-05-22 14:14:04 +08:00
珍爱生命,远离安全狗。
bobopu
2014-05-22 14:27:06 +08:00
@wzxjohn 这个东西也并非一无是处,设置起来比较简便。但坑爹的是我有台阿里云的win服务器,在装了安全狗打开ARP后,服务器就像癫痫发作一样,一阵能联网一阵又不行,把阿里云的工程师都给搞晕了,找了一圈都没发现问题所在,最后原来是ARP防御模块似乎与阿里云的网络环境不兼容所致。
lang1pal
2014-05-22 15:59:38 +08:00
@mahone3297 vnstat
wzxjohn
2014-05-22 16:41:57 +08:00
@bobopu Win的安全狗隐患更大,很多人因为安全狗导致了各种Bug,最后一查都是安全狗的原因。
bobopu
2014-05-22 16:55:26 +08:00
@wzxjohn 现在在win服务器上安装的是SEP12,效果挺好。

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/113692

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX