
I have an Ubuntu 16.04 server running LAMP with phpMyAdmin. I have git installed and a crontab to auto-back it up to the cloud. My problem is that when the server is running I am unable to use the internet on any other device. I have a Dell Optiplex GX620. Any help would be appreciated. I have run iftop and found the following IP addresses to have a drastic increase in tx traffic.

I seem to get a new IP address every minute. The ones I have checked are from China but I am in the U.S. The only traffic I can think of is Codeanywhere, github/git, and No-ip. Is there a way I can block traffic from China? I have 100 Mbps down and up since my connection is fiber optic. Also, do you think it is any of the services I listed?

EDIT:

root@buntubox-1:~# netstat -nputwa
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      972/mysqld      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      896/sshd        
tcp        0      1 192.168.1.99:52398      198.204.254.253:8623    SYN_SENT    1207/sshd       
tcp        0    296 192.168.1.99:22         192.168.1.50:55597      ESTABLISHED 14947/0         
tcp        0      0 192.168.1.99:47616      164.132.4.3:6000        ESTABLISHED 928/bash        
tcp6       0      0 :::80                   :::*                    LISTEN      1198/apache2    
tcp6       0      0 :::22                   :::*                    LISTEN      896/sshd        

...

root@buntubox-1:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

UPDATE:

I have reinstalled the os. Is the following okay?

root@buntubox-001:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
ufw-before-logging-input  all  --  anywhere             anywhere            
ufw-before-input  all  --  anywhere             anywhere            
ufw-after-input  all  --  anywhere             anywhere            
ufw-after-logging-input  all  --  anywhere             anywhere            
ufw-reject-input  all  --  anywhere             anywhere            
ufw-track-input  all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ufw-before-logging-forward  all  --  anywhere             anywhere            
ufw-before-forward  all  --  anywhere             anywhere            
ufw-after-forward  all  --  anywhere             anywhere            
ufw-after-logging-forward  all  --  anywhere             anywhere            
ufw-reject-forward  all  --  anywhere             anywhere            
ufw-track-forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  anywhere             anywhere            
ufw-before-output  all  --  anywhere             anywhere            
ufw-after-output  all  --  anywhere             anywhere            
ufw-after-logging-output  all  --  anywhere             anywhere            
ufw-reject-output  all  --  anywhere             anywhere            
ufw-track-output  all  --  anywhere             anywhere            

Chain f2b-sshd (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-input (1 references)
target     prot opt source               destination         
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-before-forward (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere            

Chain ufw-before-input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere            

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-before-output (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere            

Chain ufw-logging-allow (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere            

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-reject-input (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-track-forward (1 references)
target     prot opt source               destination         

Chain ufw-track-input (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination         

Chain ufw-user-input (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     udp  --  anywhere             anywhere             udp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http /* 'dapp_Apache' */

Chain ufw-user-limit (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination         

Chain ufw-user-output (1 references)
target     prot opt source               destination  
Joe Brailsford
Riz-waan
    Possible duplicate of [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – Jenny D Jun 20 '17 at 13:53

2 Answers


EDIT

Now that you've reinstalled and gotten yourself a firewall, I suggest you consider the following:

  • Do you ever access the server from outside of the network it's hosted on? If not: don't forward any ports from your router to the server; it doesn't need to accept inbound connections from the internet.
  • Consider installing ClamAV and configure it to run nightly.
  • Install RKHunter and configure it to run nightly.
  • Consider installing chkrootkit and have it run nightly.
  • Set up fail2ban to monitor SSH attempts; it can also be used to mitigate MySQL/phpMyAdmin and Apache brute-force attacks. You can disregard the base firewall section of this article since you've got that sorted now.
  • Consider installing LogWatch and review logs daily.
  • Install OSSEC-HIDS. This, fail2ban and RKHunter are the main ones I would recommend. OSSEC will detect intrusions and file changes; it is designed to tell you when and how you got hacked.
  • Install and run a Lynis audit; this will suggest ways to harden your security. If you're really paranoid, work through them and tick as many off as you can.
  • Disallow root login over SSH, and use key authentication.

Hope that helps. There's more you can do, there always is, and you can never be perfectly secure; it's all about making it harder and then mitigating the damage. Backups, copying vital logs to other servers, not exposing ports that you don't need, changing the default umask... the list goes on, but if you're just playing around, the above should be more than sufficient. If you want more, Google is your friend; this is a good starter. As is this. And this.

Original answer:

Ideally you want to know what process the connection is hooked to, netstat can tell you that.

netstat -nputwa

This will output every connection, TCP/UDP, in/out, and show you the IP responsible and the process it's attached to. If you determine that an IP is connecting to a process it shouldn't be/doesn't need to be, simply block it at the firewall level.

If you want help deciphering it, post the output of the command in your question as an edit.

EDIT: You do not have a firewall.

The below will get you started, create a new file /etc/iptables.firewall.rules and paste this into it:

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#  The --dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

Save the file and run iptables-restore < /etc/iptables.firewall.rules

You will also need to make sure the rules come into effect at boot, to do so, create a file at /etc/network/if-pre-up.d/firewall and add to it:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

And then finally run:

chmod +x /etc/network/if-pre-up.d/firewall

This will get you started, but you need to do more research on iptables, particularly the section 'Allow all outbound traffic - you can modify this to only allow certain traffic'. I would suggest you lock this down to only allow http and ssh out. This article has a script at the bottom with commands that explain how to do that.

Additionally, please look at installing Fail2Ban and OSSEC; these are attack mitigation and intrusion detection systems. Further, things like Logwatch can help with monitoring, daily rootkit scans, and not opening your server up to the internet if it doesn't need to be.

If you think you've been hacked, it's easiest to back up your files and reinstall your OS, and this time set up your security correctly from day 1. If you're feeling lucky, implement the above and block the IPs you think are risky at the firewall level.

# -I inserts at the top of INPUT; with -A the rule would land after the final "-A INPUT -j DROP" and never be reached
iptables -I INPUT -s <ip to block> -j DROP

Note: each time you add a new one, back up your firewall so it's persistent.

iptables-save > /etc/iptables.firewall.rules

Another good idea for you would be to look at the processes running on your system using htop/top. Do any look suspicious? Try running Rootkit Hunter and chkrootkit. Do they turn up any results? If so, wipe and start again.

Another good idea, generally, when looking to secure a server is to run a Lynis audit; it will advise you on steps to take.

As an aside, you say you get a new IP every minute - is this still the case? If so, keep rerunning the netstat command, what process is in use? Take a look at your logs, can you see the requests coming in? If so, what are they doing?

tail -f /var/log/auth.log

tail -f /var/log/syslog

Finally, see the comment under your question about what to do if you've been hacked, whether you have/have not, it's a very good read.

Joe Brailsford
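An added example, not part of the answer above or the asker's setup: a small shell triage helper that reads `netstat -nputwa` output like the one posted in the question and lists sockets whose owning program is not expected to talk to non-private addresses. The sample lines are constructed from the question's netstat output, and the allowlist of outbound programs (`git`, `apt`) is an assumption for this LAMP box.

```shell
#!/bin/sh
# Added triage helper (not from the answer): parse `netstat -nputwa` output and
# flag sockets talking to non-private peers from programs that have no business
# doing so. NETSTAT_SAMPLE is constructed from the question's own output.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      972/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      896/sshd
tcp        0      1 192.168.1.99:52398      198.204.254.253:8623    SYN_SENT    1207/sshd
tcp        0    296 192.168.1.99:22         192.168.1.50:55597      ESTABLISHED 14947/0
tcp        0      0 192.168.1.99:47616      164.132.4.3:6000        ESTABLISHED 928/bash
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1054/dhclient
tcp6       0      0 :::80                   :::*                    LISTEN      1198/apache2'

# Assumed allowlist of programs this box is expected to connect out with
# (git for the backup cron job, apt for updates). Everything else is flagged.
EXPECTED_PROGS='git|apt|apt-get'

# flag_connections: reads netstat -nputwa output on stdin and prints one line
# "PID/program foreign_address state" per suspicious socket. A socket is
# suspicious when it is not LISTENing, its peer is not loopback/RFC1918/any,
# and the owning program is not on the allowlist. In the sample this reports
# sshd in SYN_SENT (a server daemon dialling out) and bash holding a TCP session.
flag_connections() {
    awk -v expected="$EXPECTED_PROGS" '
        $1 !~ /^(tcp6?|udp6?)$/ { next }                  # skip header lines
        {
            foreign = $5; state = $6; prog = $7
            if (prog == "") { prog = state; state = "-" }  # udp rows have no State column
            if (state == "LISTEN") next
            if (foreign ~ /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|0\.0\.0\.0|::)/) next
            split(prog, parts, "/")
            if (parts[2] ~ ("^(" expected ")$")) next
            print prog, foreign, state
        }'
}

# Run on the constructed sample; on a live host use: netstat -nputwa | flag_connections
printf '%s\n' "$NETSTAT_SAMPLE" | flag_connections
```

Anything the helper prints deserves a look at the owning PID (its binary, cwd and parent) before deciding whether to block the peer; a LAN peer such as 192.168.1.50 is deliberately not reported.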

"Is there a way I can block traffic from China?"

Yes, for example, you can use iptables to blacklist these IP ranges: http://www.nirsoft.net/countryip/cn.html (I just googled China IP block list)

bgtvfr
  • That list does not include some of the IP addresses I have included. – Riz-waan Jun 20 '17 at 14:13
  • Then they are probably not only in China. :) – Esa Jokinen Jun 20 '17 at 14:19
  • Continent: Asia Country: China State/Region: Fujian City: Fuzhou Latitude: 26.0614 (26° 3′ 41.04″ N) Longitude: 119.3061 (119° 18′ 21.96″ E) The location of an IP address not on the list, sure does seem like China to me – Riz-waan Jun 20 '17 at 14:22