Yesterday, I found my Asterisk server was getting hammered by someone trying to hack their way in. So I closed off ALL ports except ssh for my IP, and the IP of the server I peer to. Instant load reduction, all good.
But this afternoon, I noticed this very weirdly shaped CPU load graph - I don’t think it’s incoming packets getting blocked, otherwise the network traffic would be increased too, correct?
I checked all the logs - no logins, nothing in the error log… I’m baffled by the shape of it too! Screenshot: https://www.dropbox.com/s/5g8kl6nm95x1tqv/ScreenClip [6].png?dl=0
@jonathan
It very well could be from repeated attempts to continue an attack where the previous left off. Even if a rule or set of rules is/are in place, that doesn’t mean that CPU, or resources in general, will not be used. If it is indeed an attack, in my experience (spanning ~15 years), only a handful try once and call it a day. If someone is truly trying to get in, they’ll keep trying until a) they get bored or b) they no longer see it as a fruitful event.
As for a potential increase in network usage, it really depends. In most cases, you would see a spike, though if we’re potentially looking at a small brute force attempt being repeated, perhaps not.
–
Beyond that, I would check `top` and check the value of `wa`, which would reference I/O. If that value is spiking, you may want to install something such as `iotop` (similar to `top` but specifically for `io`) and run it (like `top`, you’d simply run `iotop` from the CLI) to get a slightly more in-depth look at what is causing the IO to rise.
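As an added example (not from the thread above), here is a small POSIX shell script that computes the same I/O-wait percentage `top` shows as `wa`, from two samples of the aggregate `cpu` line in `/proc/stat`. It can be left running from cron or a loop to catch the spikes in the graph without sitting in `top`; the two sample lines at the bottom are constructed values, not real measurements.

```shell
#!/bin/sh
# Added example (not from the original thread): derive the %wa figure that
# `top` reports from two snapshots of the aggregate "cpu" line in /proc/stat.
# Field order on that line: user nice system idle iowait irq softirq steal ...

# iowait_pct "<cpu line A>" "<cpu line B>"
# Prints the integer percentage of elapsed CPU time spent in iowait between
# the two snapshots (fields 2..9 summed as the total, field 6 is iowait).
iowait_pct() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        { for (i = 2; i <= 9; i++) total[NR] += $i; iow[NR] = $6 }
        END {
            dt = total[2] - total[1]
            if (dt <= 0) { print 0; exit }
            printf "%d\n", (iow[2] - iow[1]) * 100 / dt
        }'
}

# Read the aggregate "cpu" line from /proc/stat (Linux only).
cpu_line() { grep '^cpu ' /proc/stat; }

# Sample over N seconds (default 5) and print the I/O-wait percentage.
sample_iowait() {
    a=$(cpu_line); sleep "${1:-5}"; b=$(cpu_line)
    iowait_pct "$a" "$b"
}

# Constructed snapshots (not real data): 2000 jiffies elapsed, 600 of them
# in iowait, so the function reports 30.
SAMPLE_A="cpu 1000 0 500 8000 100 0 0 0 0 0"
SAMPLE_B="cpu 1800 0 900 8200 700 0 0 0 0 0"

echo "constructed sample: $(iowait_pct "$SAMPLE_A" "$SAMPLE_B")% iowait"

# Pass --live to take a real 5-second reading on the host.
if [ "${1:-}" = "--live" ]; then
    echo "iowait over 5s: $(sample_iowait 5)%"
fi
```

A sustained high reading here points at disk (logging, recording, database) rather than at dropped packets, which would show up under `sy`/`si` instead; a low `wa` during the spikes means the cause is CPU-bound and `iotop` will not help.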