SSH攻击会在10小时内耗尽4GB。可能？

我被警告说我的服务器超出了传输限制。我想我的Tor节点很受欢迎，所以我选择在本月禁用它（这不是社区的最佳选择，但我需要关闭）。然后我注意到服务器今晚传输了大约4GB。我已经使用Awstats检查了Apache日志，没有相关的流量（并且我在那里没有托管如此受欢迎的网站）。我检查了邮件日志，没有人试图发送垃圾。我检查了messages日志，发现其中有很多

Apr 29 10:17:53 marcus sshd[9281]: Did not receive identification string from 85.170.189.156
Apr 29 10:18:07 marcus sshd[9283]: Did not receive identification string from 86.208.123.132
Apr 29 10:18:24 marcus sshd[9298]: Did not receive identification string from 85.170.189.156
Apr 29 10:18:39 marcus sshd[9303]: Did not receive identification string from 86.208.123.132
Apr 29 10:18:56 marcus sshd[9306]: Did not receive identification string from 85.170.189.156
Apr 29 10:19:11 marcus sshd[9309]: Did not receive identification string from 86.208.123.132
Apr 29 10:19:18 marcus sshd[9312]: Did not receive identification string from 101.98.178.92
Apr 29 10:19:27 marcus sshd[9314]: Did not receive identification string from 85.170.189.156
Apr 29 10:19:41 marcus sshd[9317]: Did not receive identification string from 86.208.123.132
Apr 29 10:20:01 marcus sshd[9321]: Did not receive identification string from 85.170.189.156
Apr 29 10:20:13 marcus sshd[9324]: Did not receive identification string from 86.208.123.132
Apr 29 10:20:32 marcus sshd[9327]: Did not receive identification string from 85.170.189.156
Apr 29 10:20:48 marcus sshd[9331]: Did not receive identification string from 86.208.123.132
Apr 29 10:21:07 marcus sshd[9336]: Did not receive identification string from 85.170.189.156
Apr 29 10:21:20 marcus sshd[9338]: Did not receive identification string from 86.208.123.132
Apr 29 10:21:35 marcus sshd[9341]: Did not receive identification string from 85.170.189.156
Apr 29 10:21:51 marcus sshd[9344]: Did not receive identification string from 86.208.123.132
Apr 29 10:22:06 marcus sshd[9349]: Did not receive identification string from 85.170.189.156
Apr 29 10:22:23 marcus sshd[9353]: Did not receive identification string from 86.208.123.132
Apr 29 10:22:39 marcus sshd[9359]: Did not receive identification string from 85.170.189.156
Apr 29 10:22:54 marcus sshd[9361]: Did not receive identification string from 86.208.123.132
Apr 29 10:23:10 marcus sshd[9367]: Did not receive identification string from 85.170.189.156
Apr 29 10:23:29 marcus sshd[9369]: Did not receive identification string from 86.208.123.132
Apr 29 10:23:45 marcus sshd[9375]: Did not receive identification string from 85.170.189.156
Apr 29 10:24:10 marcus sshd[9387]: Did not receive identification string from 86.208.123.132
Apr 29 10:24:16 marcus sshd[9388]: Did not receive identification string from 85.170.189.156

僵尸程序每隔几秒钟就会尝试入侵我的SSH，这是不可能的，因为我需要pubkey身份验证。我的问题是：这种流量以这种频率在连续10个小时的攻击中会消耗4GB（假设3.5）吗？

我已经更改了SSH端口并停止了这些攻击，但不确定网络消耗情况。我没有服务失控运行-我的防火墙有点限制性-或与滥用P2P或其他内容的人共享服务器。我担心的是每月低于400GB。

有小费吗？

可以使用4 GB，但考虑到攻击速度，这种可能性很小。我建议安装OSSEC，它可以检测到尝试中断并在一段时间内自动阻止IP。

如果这些是造成带宽使用的原因，那么在您处理系统上的带宽时，带宽已经被消耗掉了。您可以使用iptraf之类的工具来了解每个接口/端口上发生的情况，然后您可以根据事实采取适当的措施。

不，每秒尝试一次的连接本身在十小时内不会增加到4GB。您是否认为每秒可以收到一个很小的数据包，就可以在10小时内下载4GB的文件？一个小时中有3600秒，因此，如果十秒钟内每秒获得1千字节，则为36000 Kb，即36兆字节。

您的带宽是根据从提供商到您的外部路由器的传输管道（而不是到达服务器的传输管道）测量的。您必须查看未到达服务器的废话，这是大多数外部设备都拒绝的。

至于可以到达服务器的内容，则不能依赖应用程序日志。甚至被本地防火墙静默丢弃的数据包都是带宽。接口状态（用表示ifconfig）将告诉您Tx / Rx字节。