I recently tried to find out the limits of my 1&1 virtual server L. The official resource was not very conclusive about the problems I was experiencing (out of memory errors):
https://www.ionos.de/hilfe/server-cloud-infrastructure/virtual-server-linux/administration/ressourcen-limits-der-virtual-server-user-beancounters/
The root cause was running out of processes, and later I apparently ran out of iptables entries.
I finally found that "cat /proc/user_beancounters" shows all the available resources and the imposed limits of the Virtuozzo virtualisation. For my quite old Ubuntu 14.04 these limits were significantly lower than what is advertised on the link above. This may be because the virtual machine was set up before the new limits took effect.
The limits which are most relevant to me are:
- numproc: Max. 100 processes (each thread counts, not just processes in the UNIX sense).
- numiptent: Max. 400 iptables entries. This is usually sufficient for even complex firewalls but becomes a problem when using fail2ban, since every banned IP adds an entry.
In the end it was sufficient to move the ssh port away from port 2222, which was attacked a lot. The attacks on the mail ports come from a smaller set of IPs. I am currently (2019-04) using 88 of 400 iptables entries.
2019-04-22
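A small checker for the limits discussed above, added here as an example and not part of the original post. It parses the text of /proc/user_beancounters (the layout used by OpenVZ/Virtuozzo: a Version line, a column header, then one row per resource, where the first row of a container is prefixed with the container uid and a colon) and reports every resource that has ever failed an allocation (failcnt > 0) or is above 80% of its barrier. The sample data embedded below is constructed, the numbers are made up, and treating values at or above 2^31-1 as "unlimited" is an assumption about the sentinel the kernel uses.

```python
"""Report Virtuozzo/OpenVZ beancounters that are near or past their limits.

Added example (not from the blog post). Run without arguments to analyse the
constructed sample, or pass a path such as /proc/user_beancounters.
"""
import sys

# Constructed sample mimicking the real file layout; values are made up.
SAMPLE = """\
Version: 2.5
       uid  resource                     held              maxheld              barrier                limit              failcnt
    12345:  kmemsize                  3149824              4194304             14372700             14790164                    0
            numproc                        91                  100                  100                  100                   17
            numtcpsock                     33                   60                  360                  360                    0
            numiptent                      88                  120                  400                  400                    0
            physpages                   40000                50000           2147483647           2147483647                    0
"""

FIELDS = ("held", "maxheld", "barrier", "limit", "failcnt")
UNLIMITED = 2 ** 31 - 1  # assumption: this sentinel (or larger) means 'no limit'


def parse_beancounters(text):
    """Return {resource: {field: int}} from the text of /proc/user_beancounters."""
    counters = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip blank lines, the "Version:" line and the column header.
        if not parts or parts[0].startswith("Version") or parts[0] == "uid":
            continue
        # The first row of each container carries the uid as "12345:".
        if parts[0].endswith(":"):
            parts = parts[1:]
        name, values = parts[0], parts[1:]
        if len(values) != len(FIELDS):
            continue  # malformed row: ignore rather than crash
        counters[name] = dict(zip(FIELDS, (int(v) for v in values)))
    return counters


def usage_ratio(entry):
    """Fraction of the barrier currently held; None when the resource is unlimited."""
    barrier = entry["barrier"]
    if barrier >= UNLIMITED:
        return None
    return float(entry["held"]) / barrier


def find_pressure(counters, threshold=0.8):
    """Resources with a non-zero failcnt or with held >= threshold * barrier."""
    hits = []
    for name, entry in counters.items():
        ratio = usage_ratio(entry)
        if entry["failcnt"] > 0 or (ratio is not None and ratio >= threshold):
            hits.append((name, entry["held"], entry["barrier"], entry["failcnt"]))
    return sorted(hits)


def main():
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for name, held, barrier, failcnt in find_pressure(parse_beancounters(text)):
        print("%-12s held=%-10d barrier=%-10d failcnt=%d" % (name, held, barrier, failcnt))


if __name__ == "__main__":
    main()
```

On the sample this flags only numproc (91 of 100 held, 17 failures), which is exactly the "out of processes" symptom from the post; numiptent at 88 of 400 stays quiet. A cron job that runs this and mails its output is a cheap early warning before the container starts refusing forks or firewall rules.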
2019-04-14
Find brute-forced destination ports
Find all destination ports used by TCP brute-force attacks on a server:
zgrep firewall /var/log/syslog*|python -c "import sys;[sys.stdout.write(word + '\n') for line in sys.stdin for word in line.split() if word.startswith('DPT=')]"|sort -n -t= -k 2|uniq -c
The above assumes that you log all stray TCP packets to /var/log/syslog with the prefix 'firewall', which can be done with this iptables rule (append it after your ACCEPT rules so that only otherwise unmatched packets reach it; because of the rate limit the counts are a lower bound):
iptables -A INPUT -m limit --limit 200/hour --limit-burst 50 -j LOG --log-level warning --log-prefix firewall:
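The same analysis as the zgrep pipeline above, but as a stand-alone Python 3 script that is added here as an example and is not part of the original post. Beyond counting packets per destination port it also records the number of distinct source addresses per port, which is the figure that matters for the numiptent limit: every distinct source that fail2ban bans costs one iptables entry. It assumes the LOG rule from the post with the prefix 'firewall:' (no trailing space, so the prefix is glued to 'IN=' in the line, which the parser tolerates), and the log lines embedded below are constructed with documentation addresses.

```python
"""Summarise iptables LOG lines: probed TCP ports and how many sources hit each.

Added example (not from the blog post). With no arguments it analyses the
constructed sample; with a glob such as '/var/log/syslog*' it reads the files
(gzip-compressed rotations included).
"""
import glob
import gzip
import sys
from collections import defaultdict

# Constructed sample log lines in the kernel's iptables LOG format.
SAMPLE_LOG = """\
Apr 14 03:12:07 vps kernel: [1234.567] firewall:IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=2222 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 14 03:12:09 vps kernel: [1236.001] firewall:IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54322 DPT=2222 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 14 03:15:40 vps kernel: [1447.210] firewall:IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.77 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT=2222 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 14 03:20:01 vps kernel: [1708.555] firewall:IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 DF PROTO=TCP SPT=1234 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 14 03:20:03 vps kernel: [1710.002] firewall:IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=240 ID=0 DF PROTO=UDP SPT=1234 DPT=53 LEN=40
Apr 14 03:21:00 vps sshd[812]: Accepted publickey for admin from 192.0.2.50 port 5000 ssh2
"""


def parse_log_line(line, prefix="firewall:"):
    """Return the KEY=VALUE fields of one iptables LOG line, or None if it is not one."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    fields = {}
    # Everything after the prefix is whitespace-separated; flags like 'DF' or
    # 'SYN' carry no '=' and are skipped.
    for token in line[idx + len(prefix):].split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def count_ports(lines, proto="TCP"):
    """Map destination port -> (packet count, set of source addresses) for `proto`."""
    stats = defaultdict(lambda: [0, set()])
    for line in lines:
        fields = parse_log_line(line)
        if not fields or fields.get("PROTO") != proto or "DPT" not in fields:
            continue
        entry = stats[int(fields["DPT"])]
        entry[0] += 1
        entry[1].add(fields.get("SRC", "?"))
    return {port: (n, srcs) for port, (n, srcs) in stats.items()}


def read_syslogs(pattern):
    """Yield lines from every file matching `pattern`, decompressing *.gz on the fly."""
    for path in sorted(glob.glob(pattern)):
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", errors="replace") as fh:
            for line in fh:
                yield line


def main():
    lines = read_syslogs(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    stats = count_ports(lines)
    print("%8s %8s %8s" % ("port", "packets", "sources"))
    for port, (n, srcs) in sorted(stats.items(), key=lambda kv: kv[1][0], reverse=True):
        print("%8d %8d %8d" % (port, n, len(srcs)))


if __name__ == "__main__":
    main()
```

On the sample, port 2222 shows three packets from two sources and port 25 one packet from one source; the UDP probe on port 53 and the sshd line are ignored. The "sources" column is the number of iptables entries a per-IP ban would cost for that port, which is the quantity to compare with numiptent before enabling a fail2ban jail.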
