# Where's my bandwidth going?

## alienjon

I live on a college campus and as such, my bandwidth is limited to 7gb of non-LAN transfer per week. This is almost never a problem of mine, as I rarely download anything larger than updates or small programs. This last weekend, however, a friend of mine came up and we downloaded some game demos (I would bet that they didn't get close to the 8gb that was claimed by my University that I used over the weekend, but whatever, I'm just ignoring that for right now).

My question arose when I found out that I had gone over the week's limit (by almost 2 gb, actually!). I am now limited to a VERY slow network speed and I was curious to see where my bandwidth actually went. I currently have a superkaramba theme that not only monitors my current upload/download rate, but also the total amount downloaded/uploaded since I last started my computer. Without my running anything overtly I am using anywhere between .5 and 1.0 kb/s download and 0 - 0.3 kb/s upload. This certainly isn't too much, but for the couple of hours that it has been up and running, this has totaled almost 170mb total transfer. My question is this: How can I find out what is using my bandwidth? From the numbers I've seen so far, I doubt that whatever is currently running and downloading/uploading stuff is responsible for the ~9gb that I downloaded last week, but I would at least like to keep track of what's going on.

I looked into bandwidth monitoring but it looks to be a little complicated for me to put the time into right now. I did, however, find tcpdump and am very interested in the output it gave. I wonder, maybe, if there is a way to check and see if I can match the output easily with ip addresses and see what is coming from on campus and off campus?

----------

## erik258

```
netstat
```

lists ip connections

----------

## alienjon

Thanks, that command is exactly what I was looking for! When I woke up this morning I checked the bandwidth again and it's up to 700mb! (from the ~170 it was at last night) Something is definitely not right here and the netstat program is showing me several IPs currently connected to my computer (including a few that suspiciously end in (.aol))

I guess I have two next questions:

Firstly, is there an immediate way to kill those connections (maybe similar to the kill command but for closing IP connections to another computer)? I'm also making an assumption here that if someone else IS connected to my computer, then they very well might have gotten past my passwords (for the record, I've never passed my password around) so should changing them be in order, or is there just too good of a chance that I have a program or something that is running that is more easily allowing them in?

Secondly, what is the appropriate next step? I'm guessing that the overwhelming answer to this would be 'Put a firewall up immediately, you dummy.' To which you would be correct. My problem there is finding one that I could easily set up. The gentoo dynamic ip howto seems very old (as it keeps making references to a 2.4 kernel, as does the IBM site it comes from). The one on the gentoo wiki seems (at least to me) to be a little complicated and also slightly not what I am looking for (I'm trying to secure a desktop computer with one connection, not a server with several). 

Keep in mind that I've never set up a firewall in linux before so I'm just going with what I keep hearing (using iptables). I have iptables installed and running, but they aren't configured (which is where I start to get confused). If I had more time I would read up on shorewall (as I hear that is supposed to be solid as a rock) but, alas, I am bogged down with school work and likely will be for at least another month and a half.

----------

## Aurisor

You should emerge nload, it's a handy tool for monitoring bandwidth usage.

Before you install a firewall, you should secure your system.  Firewalls are great but they are no substitute for running a tight ship.

Anyways, the following is basically a shopping list for securing your system.  If you don't know how to do any of these things, search the forums, google, and then ask, in that order.

1) Change all of your system passwords and make sure they're long and nobody else can guess them

2) Disable all non-critical services

3) Install security updates

4) Make sure all accounts on your system that aren't used by human beings have their shell set to /bin/false or /usr/sbin/nologin

From /etc/passwd:

```
qmails:x:206:201::/var/qmail:/bin/false
```

5) Emerge nmap and nmapfe and scan your own machine for open ports

6) Disable all anonymous accounts, especially ftp and mail

7) Check to make sure you're not running an open relay

8) Go to a console and look through your list of processes (ps aux) and disable anything that shouldn't be running in there.

9) Tighten permissions on your home directories (700 works best)

10) Carefully inspect the logs of any servers you've decided to keep running (such as apache)

Once this stuff is done, then get a firewall up and running to make it harder to scan your system and to block external access to ports you REALLY REALLY can't disable.

Honestly, a lot of people bill firewalls as the first stop for security, when IMO they really should be the last thing you look at.  With the exception of DOS attacks, it's actually possible to run a very secure system without any firewall at all if you're willing to limit your abilities as a server.

----------

## alienjon

Thanks for the info, I'll get to that right away.

For the /bin/false || /usr/sbin/nologin thing, what do you mean by 'only used by humans'? I have some things, like daemon, which is set to that and it makes sense, but what about something like:

```
shutdown:**************:/sbin/shutdown
```

What is a better way to know if those should be set to /bin/false or not or because this isn't tied to a shell I don't have to worry about it?

----------

## Aurisor

The shutdown account allows you to shut down your computer remotely, so you just go:

```
ssh shutdown@foo.bar.com
```

And then log in, and poof, your computer shuts down.

Rather than messing with all of the system accounts, a better way is to look through /etc/passwd and look at each account that has its shell set to a real shell, e.g. /bin/bash or /bin/csh.  Eliminate any of those that aren't strictly necessary.
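A way to do the account audit Aurisor describes in step 4 and in the post above (list every account whose shell is a real shell, and decide which ones are not tied to a human), as an added example rather than anything posted in the thread. The passwd lines below are constructed for the demo except the qmails entry quoted earlier; the sets of no-login and real shells are assumptions (check /etc/shells on your own box), as is the uid 1000 cut-off for human accounts.

```python
"""Audit /etc/passwd for accounts that can actually log in.

Added example (not from the thread).  Flags system accounts that keep an
interactive shell, extra uid-0 accounts, and accounts whose 'shell' is a
program such as /sbin/shutdown, which the thread asked about.
"""

# Assumption: what counts as a no-login shell and as a real shell here.
# Check /etc/shells on the machine being audited.
NOLOGIN_SHELLS = {"/bin/false", "/bin/true", "/sbin/nologin", "/usr/sbin/nologin"}
REAL_SHELLS = {"/bin/bash", "/bin/sh", "/bin/csh", "/bin/tcsh", "/bin/zsh", "/bin/ksh"}
HUMAN_UID_MIN = 1000   # assumption: first uid handed to ordinary users

# Constructed sample.  Only the qmails line comes from the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
qmails:x:206:201::/var/qmail:/bin/false
mysql:x:60:60:mysql:/var/lib/mysql:/bin/bash
tubby:x:1000:1000:tubby:/home/tubby:/bin/bash
backup:x:1001:1001::/home/backup:/bin/bash
toor:x:0:0::/root:/bin/sh
"""


def parse_passwd(text):
    """Yield one dict per well-formed passwd entry; reject malformed lines."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        yield {"name": name, "uid": int(uid), "gid": int(gid),
               "gecos": gecos, "home": home, "shell": shell}


def classify_shell(shell):
    """'nologin' ends the session at once, 'interactive' gives a prompt,
    'other' runs some fixed program (e.g. /sbin/shutdown) as the login."""
    if shell in NOLOGIN_SHELLS:
        return "nologin"
    if shell in REAL_SHELLS:
        return "interactive"
    return "other"


def audit_passwd(text):
    """Return {'interactive': [names], 'findings': [(name, reason)]}.

    Accounts in the human uid range with a real shell are listed but not
    flagged: whether 'backup' is a person is a judgement the script can't make.
    """
    interactive, findings = [], []
    for e in parse_passwd(text):
        kind = classify_shell(e["shell"])
        if kind == "interactive":
            interactive.append(e["name"])
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "second uid-0 account"))
        elif kind == "interactive" and e["uid"] < HUMAN_UID_MIN and e["name"] != "root":
            findings.append((e["name"], f"system account with shell {e['shell']}"))
        elif kind == "other":
            findings.append((e["name"], f"login runs {e['shell']}; keep only if wanted"))
    return {"interactive": interactive, "findings": findings}


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    report = audit_passwd(source)
    print("accounts with a real shell:", ", ".join(report["interactive"]))
    for name, reason in report["findings"]:
        print(f"  {name:<10} {reason}")
```

Run it as `python audit_passwd.py /etc/passwd`; with no argument it audits the constructed sample. On the sample it flags `shutdown` (login runs a program), `mysql` (system uid with bash) and `toor` (a second uid-0 account), and lists root, mysql, tubby, backup and toor as the accounts that get a prompt.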

----------

## nobspangle

For an easy to setup firewall (once you get there) shorewall is very good and has good documentation and examples for common setups.

----------

## alienjon

I'm making my way down the list (staying offline when I can for safety). I do have a couple of questions, though (my apologies if these may seem rather basic, but networking is not my forte)

5) I used the nmap program you suggested and found some ports open on my computer, but all running services that I want to have running, so I don't see any leakage there. Is there anything in specific that I should keep my eyes open for in regards to port problems? (I have CUPS, mysql, hpiod and hpssd all running when I do a scan through all ports) (nmap -sS -sV -O -p- -PI -PP -PT 127.0.0.1)

7) How can I check to see if I'm running an 'open relay'? I actually have apache installed, for some reason, but I never have it running. I looked at http://dnsgoodies.com/ and it looks like it times out on the open relay test, so I don't think that's one of my problems.

----------

## erik258

did you get the bandwidth usage to 0 yet?  i mean when you're not using it.  

if you need to cut that traffic I can help if you want, but you'll have to post the output from netstat.

I do not believe apache relays anything, unless maybe html-level redirects and meta tags.  And especially not when it's running ; )

firewall setup is definitely a consideration at the point of not being able to control your bandwidth.... but maybe you don't want it, and that's fine.  after all, 

 *Quote:*   

> Firewalls are great but they are no substitute for running a tight ship.

and right they were.  

anyway, the output of netstat will tell you which ports you are connected on and there is also an option to show which program is running on them. ... let's see...  ah yes, and from the netstat man page, 

 *Quote:*   

> -p, --program
>     Show the PID and name of the program to which each socket belongs.

so you can see what's talking to these suspicious computers.  

then if you don't recognize the program (or worse yet you recognize it as something you know shouldn't be talking to things online, i believe that would be called a 'trojan' or maybe there's a better name for it) you may want to kill that program, and there's your way to end an ip conversation.

but these aol guys wanted to be friends ; )

----------

## TempTux

 *alienjon wrote:*   

> Secondly, what is the appropriate next step? I'm guessing that the overwhelming answer to this would be 'Put a firewall up immediately, you dummy.' To which you would be correct. My problem there is finding one that i could

I generally disapprove of desktop firewalls.

Perhaps you have a look at the package 'chkrootkit', it probably can help here.

M.

----------

## zerojay

What you are seeing is probably just LAN traffic and wouldn't be counted against your limit. Superkaramba can't tell the difference between LAN and internet traffic.

----------

## alienjon

Thanks all for the replies. I haven't answered yet because I was talking with some friends of mine who know more about networking than I and getting their opinion. Unfortunately, I'm only a bit farther than I was from before.

Firstly, I have made the time and gone through all of Aurisor's suggestions (thanks again, those were very helpful in letting me better understand what comes in and out of my computer, as did netstat (thanks erik258)) Anyway, I went through all of the steps and, while I did find one or two things to tighten up a bit, there was nothing serious that came up.

As for the firewall, well my bad experience with firewalls continued today, actually, as I gave shorewall a shot (from reading their website and some posts on these forums) Needless to say, the firewall actually worked, but too well as I couldn't connect to the internet at all. (Interestingly, the superkaramba theme still mentioned the same activity, but I'll talk about that below) I ended up turning it off, since it wasn't helping, and went on to check other options. (I wouldn't be opposed to a firewall, but I wonder that, since I'm not running a server, if it is actually necessary, especially if I start keeping a close eye on the connections)

But for the bottom line:

 *erik258 wrote:*   

> did you get the bandwith usage to 0 yet?

Short answer... No. I did e-mail the network security on my campus, however, and they said that the big IP that used up my bandwidth from this last weekend was this site. Personally, I have never seen this site before, but it looks like they do work for others, whose stuff I may have been looking at.

They brought up an interesting point, actually:

 *From the E-mail wrote:*   

> It appears that they specialize in streaming media delivery
> (audio/video/other) so you may want to recall what you were doing on
> ...
 

It is an interesting idea, but I have not seen any processes that make me think that there is still something running. On top of that, I have restarted my computer several times, so I don't think there's anything streaming.

 *TempTux wrote:*   

> Perhaps you have a look at the package 'chkrootkit'

Looking into it now, thanks.

 *DarkStalker wrote:*   

> What you are seeing is probably just LAN traffic and wouldn't be counted against your limit. Superkaramba can't tell the difference between LAN and internet traffic.

Well, since superkaramba uses python scripts (mostly), that may not be entirely true, right? (I may be completely wrong in that, again - I don't know too much network stuff.) On the other hand, that also does make sense as, I had already mentioned, I was still getting readings when the firewall was on full force. I'm actually getting to the point where I'm wondering if that may be the only problem now. (I'll need to see my bandwidth audit at the end of next week for that, though.) For now, though, I'll post the results of netstat -p at this address (as I'm apparently a prolific enough writer, I won't bother filling this post up more than I have to). As I'm not sure exactly what is and isn't incriminating regarding network info, if there is anything there (or anywhere in my posts, for that matter) that shouldn't be there, please let me know and I'll fix it.

Thanks for all your help!

** Update **

I just finished installing and running chkrootkit and here's the results (just the end, everything above was either not found or not infected):

```
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         8201 tty7   /usr/bin/X -br -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-UpXnjC
! tubby        9893 pts/1  /bin/bash
! root        24748 pts/1  su
! root        24768 pts/1  bash
! root        24846 pts/1  /bin/sh /usr/sbin/chkrootkit
! root        26050 pts/1  /usr/sbin/chkutmp
! root        26051 pts/1  ps ax -o tty,pid,ruser,args
chkutmp: nothing deleted
```

----------

## Jeremy_Z

Unless you have public services on your box you could quickly set a dead simple but effective set of firewall rules :

```
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -P INPUT DROP
```

(You can also set the policy to REJECT instead of DROP)

Now even when doing nothing you can still get incoming traffic, for example if you use a peer to peer software you may still receive traffic after you close the application as you have been registered as a node and others still try to connect to you. But that is unlikely on a LAN.

Sometimes you can also get "misdirected" UDP streaming ... i had the case once where someone was uploading 4K/s of udp streaming from i don't know where ...

You can also try running other network analyzer : ntop, wireshark, ...
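To show what those three rules allow and refuse, and for whom, here is a small stateful-firewall model added as an example; it is not part of the thread and it is not iptables, it just replays constructed packets through the same rule order (RELATED/ESTABLISHED accept, loopback accept, policy DROP). The host, LAN, peer and stream addresses are assumptions. One caveat a practitioner should know: iptables only accepts ACCEPT or DROP as a built-in chain policy, so to reject rather than silently drop you append an explicit `-j REJECT` rule as the last rule, which the model also shows.

```python
"""What Jeremy_Z's three INPUT rules do, as a small stateful-firewall model.

Added example, not from the thread and not iptables itself: it replays
sample packets through the same rule order (RELATED/ESTABLISHED accept,
loopback accept, policy DROP) so you can see which traffic gets through.
Connection tracking is simplified to "a flow this host started or accepted";
RELATED (FTP data channels etc.) is not modelled.  Addresses are assumptions.
"""
from dataclasses import dataclass

LOCAL_IP = "10.169.96.5"     # assumption: this host's campus address
LOOPBACK = "127.0.0.1"


@dataclass(frozen=True)
class Packet:
    iface: str    # interface it arrives on: "eth0" or "lo"
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def flow_key(p):
    """Same key for both directions of a flow, like a conntrack entry."""
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))


class StatefulInput:
    """INPUT chain as posted: two ACCEPT rules then '-P INPUT DROP'.

    final_reject=True appends '-A INPUT -j REJECT': REJECT is not a valid
    chain policy in iptables (only ACCEPT or DROP), so to reject rather
    than silently drop you add it as the last rule.
    """

    def __init__(self, final_reject=False):
        self.conntrack = set()
        self.rules = [
            ("-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
             lambda p: flow_key(p) in self.conntrack, "ACCEPT"),
            ("-A INPUT -i lo -j ACCEPT", lambda p: p.iface == "lo", "ACCEPT"),
        ]
        if final_reject:
            self.rules.append(("-A INPUT -j REJECT", lambda p: True, "REJECT"))
        self.policy = "DROP"                      # iptables -P INPUT DROP

    def send(self, p):
        """A packet this host originates (OUTPUT is unrestricted here);
        conntrack records the flow so the replies count as ESTABLISHED."""
        self.conntrack.add(flow_key(p))

    def input(self, p):
        """Walk the chain for an arriving packet; return (verdict, rule)."""
        for text, match, target in self.rules:
            if match(p):
                if target == "ACCEPT":
                    self.conntrack.add(flow_key(p))   # accepted NEW flow is now ESTABLISHED
                return target, text
        return self.policy, "-P INPUT DROP"


def demo():
    """Replay the situations discussed in the thread; return name -> verdict."""
    fw = StatefulInput()
    v = {}
    # gaim connects out to AIM; the server's reply belongs to a known flow.
    fw.send(Packet("eth0", "tcp", LOCAL_IP, 53296, "64.12.25.77", 5190))
    v["aol_reply"] = fw.input(Packet("eth0", "tcp", "64.12.25.77", 5190, LOCAL_IP, 53296))[0]
    # A LAN neighbour probes CUPS on 631/tcp: NEW, on eth0, falls through to the policy.
    v["lan_to_cups"] = fw.input(Packet("eth0", "tcp", "10.169.96.77", 40001, LOCAL_IP, 631))[0]
    # hpiod talking to its python helper over loopback: the '-i lo' rule.
    v["loopback_hpiod"] = fw.input(Packet("lo", "tcp", LOOPBACK, 46632, LOOPBACK, 35602))[0]
    # A p2p peer still trying last week's port: no conntrack entry survives a reboot.
    v["stale_p2p_peer"] = fw.input(Packet("eth0", "tcp", "203.0.113.9", 51413, LOCAL_IP, 6881))[0]
    # An unsolicited UDP stream: dropped, though the bytes already crossed the uplink.
    v["udp_stream"] = fw.input(Packet("eth0", "udp", "198.51.100.7", 1234, LOCAL_IP, 5004))[0]
    return v


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:<16} {verdict}")
```

Two practical points follow from the model. Enter the two ACCEPT rules before switching the policy, in the order posted, or an ssh session you are typing them over loses its packets at the policy change. And DROP happens after the packet has reached your network card: the rules stop your replies and stop new connections from being accepted, so peers eventually give up, but whether unsolicited inbound bytes are charged to your quota depends on where the campus counts them, not on this ruleset.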

----------

## alienjon

Jeremy_Z:

Regarding the firewall stuff, what do those commands actually do, like, what will they prevent or allow and for whom?

 *Quote:*   

> if you use a peer to peer software

I actually do, but I haven't in several weeks, now, and (as I had mentioned in my last post) I have restarted my computer a few times during this entire episode, wouldn't that have reset any broken connections? (Let's say it is a p2p app, how would I stop those users from connecting?)

 *Quote:*   

> Sometimes you can also get "misdirected" UDP streaming

Ya, but several gigs of it? (I hope that's not the case, cause I think the only solution for that would be to find a new ethernet card so that the streaming isn't connected to my computer anymore)

 *Quote:*   

> You can also try running other network analyzer

I had actually installed ntop a little while back, but I had an error that it wasn't up to date. Upgrading to latest, keyworded version in portage.

Thanks for the input.

----------

## erik258

```
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 d169h96.resnet.uc:59735 oam-d23b.blue.aol.c:aol ESTABLISHED 10316/gaim
tcp        0      0 d169h96.resnet.uc:53296 64.12.25.77:aol         ESTABLISHED 10316/gaim
tcp        0      0 d169h96.resnet.uc:39933 205.188.5.92:aol        ESTABLISHED 10316/gaim
tcp        0      0 localhost:35602         localhost:46632         ESTABLISHED 8292/hpiod
tcp        0      0 localhost:46632         localhost:35602         ESTABLISHED 8303/python
tcp        0      0 d169h96.resnet.uc:33372 oam-d07b.blue.aol.c:aol ESTABLISHED 10316/gaim
tcp        0      0 d169h96.resnet.uc:60837 sdc.campusfood.com:http TIME_WAIT   -
tcp        0      0 d169h96.resnet.uc:60831 sdc.campusfood.com:http TIME_WAIT   -
tcp        0      0 d169h96.resnet.uc:60830 sdc.campusfood.com:http TIME_WAIT   -
tcp        0      0 d169h96.resnet.uc:48038 64.12.25.173:aol        ESTABLISHED 10316/gaim
```

hope you don't mind me posting this here ; ) i didn't see anything that looked dangerous to post.  (in fact, your ip address isn't even fully listed here)  i only posted the internet connections because the unix sockets are by design all local to your computer.

the only thing i see that's connecting to other computers outside of your network is gaim.  I wouldn't think that would come down to 7gb a day unless maybe someone sent you lots of stuff, and i don't even think that works yet in gaim (didn't the last time i tried.)  

```
7gb a week = 1 gb a day = 1024*1024*1024/24/60/60 bytes a second
                        = 12427 / 1024 = 12.1362962962 ( approx ; ) kilobytes transferred per sec.
```

perhaps that isn't so crazy.  Your 7gb bandwidth restriction sucks i think ; )  

but anyway, maybe gaim itself is slowly leaking out a few k per sec all week, that 12.2k per second gets reached as an average through simple web browsing and such ... 

if i were you, i would not bother with the firewall until you know what it is you're supposed to be blocking.  if you do want to implement a firewall go for a vanilla iptables setup; don't use shorewall unless you find you like it.  iptables takes up literally 0 % of time on my server; it's getting blasted with packets all the time and it never has to do any cpu time on them; iptables rocks and many good howtos can be found online, although the rules posted above look great.  they close off all your ports so that nobody on the network, let alone the internet, can get at them and that will be a pretty good way to shut off the traffic you don't want.  Gaim and web stuff, etc will still work because of the "Related, Established" line above.  And those printing ports you have open will be closed.  

in the mean time, keep an eye on the netstat -p output and if you see a program there that you can't describe, research it.  

I am beginning to think maybe your friend didn't realize how easily they could suck up a few hundred megs or whatever watching online videos or using an xbox or something like that (you don't have an xbox do you?  the ip your tech guys gave out had a webpage that discussed xbox connectivity) and maybe that's the problem.  but keep up on that netstat -p output so you know what your computer's talking to ...
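The two things the thread keeps coming back to, which program owns each socket (erik258's `netstat -p` point) and whether the far end is on campus or off (alienjon's opening question), can be pulled out of the netstat listing mechanically. The script below is an added example, not something anyone in the thread posted: it parses the `netstat -p` output quoted above (plus one constructed on-campus ssh line) and groups foreign hosts by owning program and by scope. The campus hostname suffix and campus network are assumptions; netstat truncates resolved hostnames to fit its columns, so for real use feed it `netstat -tupn` (numeric) output, run as root so other users' PIDs are visible.

```python
"""Group `netstat -p` output by owning program and by where the far end is.

Added example, not from the thread.  SAMPLE_NETSTAT is the output erik258
quoted plus one constructed on-campus ssh line; the campus suffix and
campus network are assumptions.
"""
import ipaddress
from collections import defaultdict

CAMPUS_SUFFIXES = (".resnet.uc",)                         # assumption
CAMPUS_NETS = [ipaddress.ip_network("10.169.0.0/16")]     # assumption

SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 d169h96.resnet.uc:59735 oam-d23b.blue.aol.c:aol ESTABLISHED 10316/gaim
tcp        0      0 d169h96.resnet.uc:53296 64.12.25.77:aol         ESTABLISHED 10316/gaim
tcp        0      0 d169h96.resnet.uc:39933 205.188.5.92:aol        ESTABLISHED 10316/gaim
tcp        0      0 localhost:35602         localhost:46632         ESTABLISHED 8292/hpiod
tcp        0      0 localhost:46632         localhost:35602         ESTABLISHED 8303/python
tcp        0      0 d169h96.resnet.uc:33372 oam-d07b.blue.aol.c:aol ESTABLISHED 10316/gaim
tcp        0      0 d169h96.resnet.uc:60837 sdc.campusfood.com:http TIME_WAIT   -
tcp        0      0 d169h96.resnet.uc:48038 64.12.25.173:aol        ESTABLISHED 10316/gaim
tcp        0      0 d169h96.resnet.uc:41200 d170h12.resnet.uc:ssh   ESTABLISHED 9001/ssh
"""


def split_endpoint(endpoint):
    """'host:port' -> (host, port); rpartition keeps IPv6 colons intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def classify(host):
    """local (this box), campus (same LAN, not metered), external, or unconnected."""
    if host in ("*", "0.0.0.0", "::"):
        return "unconnected"
    if host == "localhost":
        return "local"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                      # a hostname, possibly truncated by netstat
        return "campus" if host.endswith(CAMPUS_SUFFIXES) else "external"
    if addr.is_loopback:
        return "local"
    return "campus" if any(addr in net for net in CAMPUS_NETS) else "external"


def parse_netstat(text):
    """Parse the socket lines of `netstat -p`; skips headers and unix sockets."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto, _recvq, _sendq, local, foreign = parts[:5]
        state = parts[5] if len(parts) == 7 else ""   # udp lines carry no State
        program = parts[-1]                            # '-' when no owner (e.g. TIME_WAIT)
        fhost, fport = split_endpoint(foreign)
        conns.append({"proto": proto, "local": local, "fhost": fhost, "fport": fport,
                      "state": state, "program": program, "scope": classify(fhost)})
    return conns


def summarize(text):
    """program -> scope -> sorted foreign hosts."""
    table = defaultdict(lambda: defaultdict(set))
    for c in parse_netstat(text):
        table[c["program"]][c["scope"]].add(c["fhost"])
    return {prog: {scope: sorted(hosts) for scope, hosts in scopes.items()}
            for prog, scopes in table.items()}


def external_talkers(text):
    """Programs with at least one off-campus peer: the ones that can eat the quota."""
    return sorted(prog for prog, scopes in summarize(text).items() if "external" in scopes)


if __name__ == "__main__":
    import subprocess
    try:   # live use: needs root to see other users' PIDs
        out = subprocess.run(["netstat", "-tupn"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = ""
    for prog, scopes in summarize(out or SAMPLE_NETSTAT).items():
        print(prog, scopes)
```

On the quoted listing the only program with off-campus peers is `10316/gaim`; the `-` entry is the campusfood TIME_WAIT sockets, which have no owning process any more (the browser already closed them). A loop that runs this every minute and diffs the `external` sets is a cheap way to catch a program that starts talking to the outside while nobody is at the keyboard.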

----------

## alienjon

Well, I do have an xbox, but it isn't connected to the internet. Normally, that kind of usage isn't a problem for me (As I understand web surfing takes up some bandwidth, obviously) but it's constant, even if I'm not using the computer/talking to anybody/etc... I suppose that it is just gaim using up that little bit of bandwidth, though, since it is constantly updated. I guess I'm just thrown off by the extreme amount that came to over the last weekend. (I just downloaded game demos and didn't really watch any streaming videos, but maybe I'm forgetting something)

Thanks for the replies all! I'll just keep an eye on my network status for the next three days or so, until my bandwidth restriction is off, and let you all know how the usage is going.

----------

