I have a VPS that keeps getting shut down because of excessive inbound or outbound traffic. I thought I had a virus on my server, and with it shut down, so was my email server. So I got a new VPS running a clean install of Axigen Mail Server. I migrated all our emails over to it, and shortly after it got shut down again. Keep in mind, on the old server I just used Postfix with Roundcube to handle emails, not an actual email server solution like Axigen.
Here's what my hosting company says:
I've restored the VPS. Looks like excessive inbound or outbound traffic.
Thu, 05 Feb 2015 21:43:16 -0500 VPS 4273 (192.227.159.235) has 41554 conntrack sessions
Thu, 05 Feb 2015 21:43:22 -0500 VPS 4273 (192.227.159.235) has 41566 conntrack sessions
Thu, 05 Feb 2015 21:43:26 -0500 Possible DoS VPS 4273 (192.227.159.235): 170862 pps during 5 second interval
Thu, 05 Feb 2015 21:43:32 -0500 VPS 4273 (192.227.159.235) has 41499 conntrack sessions
Thu, 05 Feb 2015 21:43:32 -0500 Possible DoS VPS 4273 (192.227.159.235): 162520 pps during 5 second interval
Thu, 05 Feb 2015 21:43:36 -0500 VPS 4273 (192.227.159.235) has 41507 conntrack sessions
Thu, 05 Feb 2015 21:43:48 -0500 VPS 4273 (192.227.159.235) has 56126 conntrack sessions
Thu, 05 Feb 2015 21:43:56 -0500 SUSPENDING VPS 4273 (192.227.159.235); it has 56126 conntrack sessions
They said at one time that there was a script on MY server initiating something out there causing the inbound traffic. I can't get to any logs because, as soon as they start the VPS, it gets automatically shut down for excessive traffic.
IT'S THAT BAD.
Anyways, I need a course of action to tell them what I can do to clean it up. If I can get SSH'd into the server, I'll block ALL traffic except SSH and try to figure it out there. But I'm not sure what to look for.
I thought it was an email someone opened on the server. They said something suspicious-looking was in one of the email files. But Axigen doesn't have files for email like Postfix does. I can't just go to /var/vmail/... to get to them.
How sure are you that there isn't something going on with your server? There's a significant chance that it is actually your server that is the problem.
Regardless, there's nothing we can really recommend other than to perform typical troubleshooting steps such as collecting logs, packet captures, etc., then looking through them with a fine-toothed comb so you can understand what is going on. It's only with hard data like this that you will be able to negotiate with your provider.
If you're unable to establish stable remote access, then shut down networking on your VPS and use your provider's out-of-band access to get onto the server and perform your analysis. If your provider doesn't provide OOB access, well, find a new provider.
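A triage script along the lines the answer recommends (lock networking down to SSH, then collect hard data on who owns the connections and what the packet rate is). This is an added example, not something posted in the thread; it assumes a Linux VPS with iptables and iproute2 `ss`, run as root over console/OOB access, and the `ss` sample it ships with is constructed, not a real capture.

```shell
#!/bin/sh
# Added triage helper, not from the thread. Assumes a Linux VPS with iptables and
# iproute2 `ss`, run as root over console/OOB access: keep the box reachable over SSH
# only, find which peers and local processes own the flood, and measure pps like the provider does.
OUTDIR=${OUTDIR:-/root/triage}
# Drop everything except SSH so the conntrack/pps monitor goes quiet while you look.
lockdown_ssh_only() {
  iptables -F; iptables -X
  iptables -P INPUT DROP; iptables -P OUTPUT DROP; iptables -P FORWARD DROP
  iptables -A INPUT  -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  iptables -A INPUT  -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
}
# Rank remote peers by socket count from `ss -Htan` output on stdin; field 5 is
# "peer:port" and the port is stripped so one host becomes one line.
top_remote_peers() {
  awk '$1 != "LISTEN" { p = $5; sub(/:[^:]*$/, "", p); n[p]++ }
       END { for (p in n) print n[p], p }' | sort -rn | head -n "${1:-10}"
}
# Rank owning processes from `ss -Htanp` output; users:(("name",pid=N,fd=M)) is
# reduced to "name pid=N" so a script holding thousands of half-open sockets stands out.
top_owning_processes() {
  sed -n 's/.*users:(("\([^"]*\)",pid=\([0-9]*\).*/\1 pid=\2/p' \
    | awk '{ n[$0]++ } END { for (k in n) print n[k], k }' | sort -rn | head -n "${1:-10}"
}
# Packets per second on interface $1 over ${2:-5} seconds, from /proc/net/dev
# (after splitting off the ':', rx packets are field 3 and tx packets field 11).
pps_sample() {
  pkts() { sed 's/:/ /' /proc/net/dev | awk -v i="$1" '$1 == i { print $3 + $11 }'; }
  a=$(pkts "$1"); sleep "${2:-5}"; b=$(pkts "$1")
  echo $(( (b - a) / ${2:-5} ))
}
# Live run: save the raw socket table as evidence, then print both rankings and pps.
snapshot() {
  mkdir -p "$OUTDIR"; f="$OUTDIR/ss-$(date +%s).txt"; ss -Htanp > "$f"
  echo "== remote peers ==";      top_remote_peers 10 < "$f"
  echo "== owning processes ==";  top_owning_processes 10 < "$f"
  echo "== pps on ${1:-eth0} =="; pps_sample "${1:-eth0}" 5
}
# Constructed `ss -Htanp` sample (not a real capture) for a dry run without root.
SAMPLE_SS='ESTAB 0 0 192.227.159.235:25 203.0.113.7:51234 users:(("axigen",pid=2110,fd=9))
SYN-SENT 0 1 192.227.159.235:40001 198.51.100.9:80 users:(("sh",pid=3342,fd=3))
SYN-SENT 0 1 192.227.159.235:40002 198.51.100.9:80 users:(("sh",pid=3342,fd=4))
SYN-SENT 0 1 192.227.159.235:40003 198.51.100.9:80 users:(("sh",pid=3342,fd=5))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
```

Run `lockdown_ssh_only` first from the console, then `snapshot eth0` repeatedly; a process that keeps topping the second ranking while the first ranking shows thousands of half-open connections to a few peers is the one to hand to the provider as evidence, along with the saved `ss` files.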