马春杰杰

How to find the process consuming abnormal bandwidth on a server

Recently I noticed that the server's network throughput was abnormal:

It is exactly the same situation as last month, when 1.5T of traffic was used up within 10 days; this time it looks like it is heading the same way, so I need to stop it in time. There are several ways to check network traffic, each suited to a different situation; they are introduced below one by one.

First, use the sudo nethogs command to see which process is consuming the bandwidth:

Mainly look at the SENT column. You can see that the bandwidth is almost entirely taken by the IP 116.198.58.85. Next, look at what is talking to this IP:

(base) root@ubuntu:~# sudo lsof -i | grep TCP
fwupdmgr   141983   fwupd-refresh   13u  IPv4 853845216      0t0  TCP ubuntu:34840->199.232.150.49:https (ESTABLISHED)
docker-pr 1822301            root    7u  IPv4  12795464      0t0  TCP localhost:8090 (LISTEN)
docker-pr 1822387            root    7u  IPv4  12795534      0t0  TCP localhost:mysql (LISTEN)
docker-pr 1861219            root    7u  IPv4  13136939      0t0  TCP *:27017 (LISTEN)
docker-pr 1861226            root    7u  IPv6  13136940      0t0  TCP *:27017 (LISTEN)
docker-pr 1861588            root    7u  IPv4  13137921      0t0  TCP *:tproxy (LISTEN)
docker-pr 1861596            root    7u  IPv6  13137922      0t0  TCP *:tproxy (LISTEN)
docker-pr 1862685            root    7u  IPv4  13143207      0t0  TCP *:8089 (LISTEN)
docker-pr 1862692            root    7u  IPv6  13143208      0t0  TCP *:8089 (LISTEN)
openresty 1911635            root    3u  IPv4 901605402      0t0  TCP ubuntu:https->116.198.58.89:55194 (ESTABLISHED)
openresty 1911635            root   10u  IPv4 901580785      0t0  TCP ubuntu:https->116.198.48.29:28678 (ESTABLISHED)

As can be seen, it is mainly the openresty process, which is the service 1panel uses by default, so that is clear. Next, look at this IP's connections:

(base) root@ubuntu:~# sudo tcpdump -i any host 116.198.58.89 -nn -tttt
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
2025-10-28 13:42:42.418321 ens3  In  IP 116.198.58.89.24606 > 172.16.0.10.80: Flags [SEW], seq 2756256314, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 11], length 0
2025-10-28 13:42:42.418419 ens3  Out IP 172.16.0.10.80 > 116.198.58.89.24606: Flags [S.], seq 2007984623, ack 2756256315, win 64860, options [mss 1410,nop,nop,sackOK,nop,wscale 7], length 0
2025-10-28 13:42:42.424221 ens3  In  IP 116.198.58.89.24606 > 172.16.0.10.80: Flags [.], ack 1, win 15, length 0
2025-10-28 13:42:42.424221 ens3  In  IP 116.198.58.89.24606 > 172.16.0.10.80: Flags [P.], seq 1:101, ack 1, win 15, length 100: HTTP: HEAD /assets/img/favicon.png HTTP/1.1
2025-10-28 13:42:42.424282 ens3  Out IP 172.16.0.10.80 > 116.198.58.89.24606: Flags [.], ack 101, win 506, length 0
2025-10-28 13:42:42.424426 ens3  Out IP 172.16.0.10.80 > 116.198.58.89.24606: Flags [P.], seq 1:268, ack 101, win 506, length 267: HTTP: HTTP/1.1 301 Moved Permanently
2025-10-28 13:42:42.430094 ens3  In  IP 116.198.58.89.24606 > 172.16.0.10.80: Flags [.], ack 268, win 15, length 0
2025-10-28 13:42:42.451844 ens3  In  IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [SEW], seq 1099166444, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 11], length 0
2025-10-28 13:42:42.451881 ens3  Out IP 172.16.0.10.443 > 116.198.58.89.49618: Flags [S.], seq 3240740966, ack 1099166445, win 64860, options [mss 1410,nop,nop,sackOK,nop,wscale 7], length 0
2025-10-28 13:42:42.457619 ens3  In  IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [.], ack 1, win 15, length 0
2025-10-28 13:42:42.457817 ens3  In  IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [P.], seq 1:286, ack 1, win 15, length 285
2025-10-28 13:42:42.457831 ens3  Out IP 172.16.0.10.443 > 116.198.58.89.49618: Flags [.], ack 286, win 505, length 0
2025-10-28 13:42:42.458951 ens3  Out IP 172.16.0.10.443 > 116.198.58.89.49618: Flags [.], seq 1:1411, ack 286, win 505, length 1410
2025-10-28 13:42:42.458954 ens3  Out IP 172.16.0.10.443 > 116.198.58.89.49618: Flags [.], seq 1411:2821, ack 286, win 505, length 1410
2025-10-28 13:42:42.458955 ens3  Out IP 172.16.0.10.443 > 116.198.58.89.49618: Flags [P.], seq 2821:3170, ack 286, win 505, length 349
2025-10-28 13:42:42.464700 ens3  In  IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [.], ack 1411, win 16, length 0
2025-10-28 13:42:42.464700 ens3  In  IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [.], ack 3170, win 18, length 0
2025-10-28 13:42:42.468710 ens3  In  IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [P.], seq 286:350, ack 3170, win 18, length 64
2025-10-28 13:42:42.468742 ens3  In  IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [P.], seq 350:436, ack 3170, win 18, length 86
2025-10-28 13:42:42.468807 ens3  In  IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [P.], seq 436:560, ack 3170, win 18, length 124
2025-10-28 13:42:42.468884 ens3  Out IP 172.16.0.10.443 > 116.198.58.89.49618: Flags [P.], seq 3170:3457, ack 560, win 503, length 287
2025-10-28 13:42:42.468928 ens3  Out IP 172.16.0.10.443 > 116.198.58.89.49618: Flags [P.], seq 3457:3744, ack 560, win 503, length 287
2025-10-28 13:42:42.469229 ens3  Out IP 172.16.0.10.443 > 116.198.58.89.49618: Flags [P.], seq 3744:3828, ack 560, win 503, length 84
2025-10-28 13:42:42.474692 ens3  In  IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [.], ack 3744, win 21, length 0
2025-10-28 13:42:42.474978 ens3  In  IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [P.], seq 560:591, ack 3828, win 21, length 31
2025-10-28 13:42:42.474978 ens3  In  IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [P.], seq 591:615, ack 3828, win 21, length 24
2025-10-28 13:42:42.475026 ens3  Out IP 172.16.0.10.443 > 116.198.58.89.49618: Flags [.], ack 615, win 503, length 0
2025-10-28 13:42:42.475038 ens3  In  IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [F.], seq 615, ack 3828, win 21, length 0
2025-10-28 13:42:42.475078 ens3  Out IP 172.16.0.10.443 > 116.198.58.89.49618: Flags [F.], seq 3828, ack 616, win 503, length 0
2025-10-28 13:42:42.476364 ens3  In  IP 116.198.58.89.49640 > 172.16.0.10.443: Flags [SEW], seq 1608675265, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 11], length 0
2025-10-28 13:42:42.476397 ens3  Out IP 172.16.0.10.443 > 116.198.58.89.49640: Flags [S.], seq 2306403635, ack 1608675266, win 64860, options [mss 1410,nop,nop,sackOK,nop,wscale 7], length 0
2025-10-28 13:42:42.480823 ens3  In  IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [.], ack 3829, win 21, length 0

It can be seen that this rascal hits the server rapidly and in large volume within a short time, sending FIN immediately after the handshake, so simply blacklist it:

sudo ufw deny from 116.198.58.89

Later, from my observation, the entire 116.198.58.0/20 and 116.198.48.0/20 IP ranges have this problem, so one can conclude they are junk IPs and just block the whole range.
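The manual chain above (tcpdump capture, eyeballing which source opens and closes connections in bursts, then a ufw rule) can be reduced to a small script. This is an added example, not the author's code: it aggregates inbound SYN and FIN counts per source IP from `tcpdump -i any -nn -tttt` output and prints, without executing, the ufw rule for any source over a threshold. The sample capture is constructed in the same field layout as the real one (203.0.113.7 is a documentation address, not a real offender).

```shell
#!/bin/sh
# Summarise inbound connection attempts per source IP from `tcpdump -i any -nn -tttt` output.
# Assumed field layout (as in the capture above):
#   <date> <time> <iface> In|Out IP <src>.<port> > <dst>.<port>: Flags [X], ...
# awk columns: 1 date, 2 time, 3 iface, 4 direction, 5 "IP", 6 src.port, 7 ">", 8 dst.port:, 9 "Flags", 10 [flags],
syn_fin_by_source() {
    awk '
        $4 == "In" && $5 == "IP" {
            src = $6; sub(/\.[0-9]+$/, "", src)          # strip the source port
            flags = $10; sub(/,$/, "", flags)            # e.g. "[SEW]" or "[F.]"
            if (flags ~ /^\[S[^.]*\]$/) syn[src]++       # pure SYN (no ACK bit): a new connection
            if (flags ~ /F/)            fin[src]++       # client-initiated close
            seen[src] = 1
        }
        END {
            for (ip in seen) printf "%s %d %d\n", ip, syn[ip]+0, fin[ip]+0
        }
    ' | sort -k2,2nr                                     # busiest source first: "<ip> <syns> <fins>"
}

# Print (do not run) a ufw rule for every source that opened at least $1 new connections.
# Reading from the summary above lets an operator review the list before applying it.
suggest_ufw_rules() {
    awk -v t="$1" '$2 >= t { printf "sudo ufw deny from %s\n", $1 }'
}

# Constructed sample capture (not taken from the original post), same format as real tcpdump output.
sample_capture() {
    cat <<'EOF'
2025-10-28 13:42:42.451844 ens3  In  IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [SEW], seq 1099166444, win 29200, length 0
2025-10-28 13:42:42.451881 ens3  Out IP 172.16.0.10.443 > 116.198.58.89.49618: Flags [S.], seq 3240740966, ack 1099166445, win 64860, length 0
2025-10-28 13:42:42.457619 ens3  In  IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [.], ack 1, win 15, length 0
2025-10-28 13:42:42.475038 ens3  In  IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [F.], seq 615, ack 3828, win 21, length 0
2025-10-28 13:42:42.476364 ens3  In  IP 116.198.58.89.49640 > 172.16.0.10.443: Flags [SEW], seq 1608675265, win 29200, length 0
2025-10-28 13:42:43.102233 ens3  In  IP 203.0.113.7.51000 > 172.16.0.10.443: Flags [S], seq 42, win 65535, length 0
EOF
}

# Stand-alone run: per-source summary, then the rules that would block any source with >= 2 new connections.
sample_capture | syn_fin_by_source
sample_capture | syn_fin_by_source | suggest_ufw_rules 2
```

On a live box, replace `sample_capture` with `sudo timeout 60 tcpdump -i any -nn -tttt 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'` to sample one minute of handshakes and closes.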

sudo iotop

The effect is very obvious: