I keep getting warnings from GCP that I have suspicious activity on my GCP instance, and they're right. I keep seeing huge traffic going to China in my billing, as follows:

Compute Engine Network Internet Egress from APAC to China

I'm really worried about this. How can I log this traffic, and is there any way to stop this from happening? I need to have all IPs allowed to the instance. Can I block traffic to China?

m4heshd

2 Answers

You can use tcpdump to see & log the traffic.

What protocol is this? If it's HTTP or SSH you can look at fail2ban for automatically blocking traffic. If you're looking for a more in-depth layer of protection, OSSEC may fit the bill better. Both allow you to customize and add "checks".

TheFiddlerWins
  • Hi, it's HTTP. I had totally forgotten `tcpdump`. Thank you. What I want to do is DROP all requests that originate from China. Is there any way I can do it from the VPC network? I know I can create firewall rules, but I don't know which IPs to block and whether it'll work. – m4heshd Oct 13 '17 at 04:45
To solve this problem on my Linux boxes, I use iptables and create a rule to match ipset lists of countries that I want to allow. You could easily block countries using this method as well. I have found the following 2 sites to provide subnet lists: https://www.countryipblocks.net/country_selection.php and http://www.ipdeny.com/ipblocks/

Jeff
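The two answers above describe the pieces (tcpdump to see the traffic, a country subnet list loaded into an ipset, an iptables rule matching that set) without showing how they fit together. The script below is an added example, not code from either answer or from the asker's setup. It assumes a zone file in the ipdeny style (one CIDR per line), a set name of `geoblock`, and that `ipset` and `iptables` are installed on the instance; the three subnets it writes into a sample zone file are constructed from the RFC 5737 documentation ranges, not a real country list. It generates an `ipset restore` input, the iptables rules that log a rate-limited sample of matching egress and then drop it, and a tcpdump filter for confirming the traffic before any rule is applied.

```shell
#!/bin/sh
# Added example: turn a country zone file into an ipset, egress DROP rules, and a
# tcpdump filter. Set name, file paths and zone format are assumptions.

SET_NAME="${SET_NAME:-geoblock}"
CIDR_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$'   # accepts only a.b.c.d/n lines

# Constructed sample zone file (documentation ranges, not real assignments).
# Real files come from the ipdeny/countryipblocks lists named in the answer.
write_sample_zone() {
  cat > "$1" <<'EOF'
# comment line: ignored
203.0.113.0/24
198.51.100.0/24

not-a-cidr
192.0.2.0/24
EOF
}

# Build `ipset restore` input: create the set if missing, flush it, add each net.
# hash:net stores CIDRs; -exist makes the file safe to re-run when lists update.
build_ipset_restore() {
  set_name="$1"; zone="$2"
  printf 'create %s hash:net family inet -exist\n' "$set_name"
  printf 'flush %s\n' "$set_name"
  grep -E "$CIDR_RE" "$zone" | awk -v s="$set_name" '{ print "add " s " " $1 " -exist" }'
}

# Number of nets that would be loaded (useful as a sanity check after a download).
count_entries() { build_ipset_restore "$1" "$2" | grep -c '^add '; }

# iptables rules for EGRESS: match the destination address against the set in the
# OUTPUT chain, log a rate-limited sample (so dmesg/syslog shows what was blocked),
# then drop. Printed rather than executed so they can be reviewed first.
build_iptables_rules() {
  set_name="$1"
  cat <<EOF
iptables -N GEOBLOCK_OUT 2>/dev/null || true
iptables -F GEOBLOCK_OUT
iptables -A GEOBLOCK_OUT -m limit --limit 10/min -j LOG --log-prefix "GEOBLOCK egress: "
iptables -A GEOBLOCK_OUT -j DROP
iptables -C OUTPUT -m set --match-set $set_name dst -j GEOBLOCK_OUT 2>/dev/null || iptables -I OUTPUT -m set --match-set $set_name dst -j GEOBLOCK_OUT
EOF
}

# tcpdump BPF filter matching egress to the listed nets ("dst net A or dst net B ...").
# BPF filters have a size limit, so use this for a handful of nets or for spot checks;
# a full country list belongs in the ipset + LOG rule above.
build_tcpdump_filter() {
  grep -E "$CIDR_RE" "$1" | awk 'NR > 1 { printf " or " } { printf "dst net %s", $1 } END { printf "\n" }'
}

main() {
  zone=$(mktemp)
  restore="$zone.ipset"
  write_sample_zone "$zone"
  build_ipset_restore "$SET_NAME" "$zone" > "$restore"
  echo "# $(count_entries "$SET_NAME" "$zone") nets parsed; restore file: $restore"
  echo "# 1) load the set:         ipset restore < $restore"
  echo "# 2) review, then apply these rules (egress, OUTPUT chain, destination match):"
  build_iptables_rules "$SET_NAME"
  echo "# 3) to confirm traffic before/after:  tcpdump -ni any '$(build_tcpdump_filter "$zone")'"
  rm -f "$zone"
}
main
```

To block inbound traffic from those nets instead, as the answer does with its allow-list, match `src` in the `INPUT` chain rather than `dst` in `OUTPUT`. Re-run the restore step whenever the zone file is refreshed; the `-exist` flags make that idempotent. Matching a process that keeps sending to a blocked destination in the `GEOBLOCK egress:` log lines is also the quickest way to find what on the instance is generating the egress the billing shows.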