A few random things that I have been dealing with
My Digitalocean droplet suffered recently a brute force ssh attack. Unfortunately I noticed it a couple of days after the attack had happened but luckily the act caused little harm except very high CPU usage from sshd process for a few days. I'm not sure how to really protect against such attacks (cheaply) but I decided to try out fail2ban. With fail2ban I could protect the server also against attacks towards nginx.
Installing it was simple enough and I saw it was working rather well. There were some 3K ssh login attempts per day and the iptables based port blocking reduced the amount to some hundreds. After a while though I noticed that the fail2ban stopped blocking unauthorized IPs. I took a look at fail2ban github and saw some issues with ssh regex filters (fail2ban works by monitoring logs and matching those against predefined regexes). I made some small adjustments but still no luck, it did not ban anything.
I turned on debug logs and saw lines where it said something like: IGNORE timestamp < another timestamp - findtime. I converted the timestamps to human readable format and checked those against auth.log. Those looked weird, the timestamps were way off. Then it hit me, i had recently changed the timezone of the server to the Finnish one. By quick googling around I found out that after the timestamp is updated, the syslog daemon needs to be restarted as well so the system log timestamps would match the system timezone. service rsyslog restart did the trick.
Another totally unrelated thing on the very same droplet was an issue with running a scala application as a systemd service. I ran a development version of the process simply with nohup previously but since the app was about to go to "production", i thought it would need something to keep it always up and running. I was somewhat familiar to upstart and it turned out that there were some good instructions which upstart keywords would match the systemd service files.
Writing the service file was a breeze, only a couple of lines. The problems started when I started the service. It was running fine for a couple of seconds, it printed out nicely the first few log lines to the standard output. However after the app was up (rest service was running) the service exited with success code 0. I tried modifying some of the basic configs like Type=simple and SuccessExitStatus=143 and even using sh -c to start the java process. After a while I was convinced that the problem was not in the service file but rather in the scala application startup. And indeed it was. After the rest service has started, I added a line StdIn.readLine() followed by a graceful stopping of the process. The idea is to hit enter to stop the application if it running on foreground. After I removed that line and the graceful shutdown, it was running fine as a systemd service. It seems systemd sends something to the process stdin when it is starting up / started.
tldr: Run service rsyslog restart after you have changed ubuntu timezone. Check std in reads on processes running as a systemd service.
My Digitalocean droplet suffered recently a brute force ssh attack. Unfortunately I noticed it a couple of days after the attack had happened but luckily the act caused little harm except very high CPU usage from sshd process for a few days. I'm not sure how to really protect against such attacks (cheaply) but I decided to try out fail2ban. With fail2ban I could protect the server also against attacks towards nginx.
Installing it was simple enough and I saw it was working rather well. There were some 3K ssh login attempts per day and the iptables based port blocking reduced the amount to some hundreds. After a while though I noticed that the fail2ban stopped blocking unauthorized IPs. I took a look at fail2ban github and saw some issues with ssh regex filters (fail2ban works by monitoring logs and matching those against predefined regexes). I made some small adjustments but still no luck, it did not ban anything.
I turned on debug logs and saw lines where it said something like: IGNORE timestamp < another timestamp - findtime. I converted the timestamps to human readable format and checked those against auth.log. Those looked weird, the timestamps were way off. Then it hit me, i had recently changed the timezone of the server to the Finnish one. By quick googling around I found out that after the timestamp is updated, the syslog daemon needs to be restarted as well so the system log timestamps would match the system timezone. service rsyslog restart did the trick.
Another totally unrelated thing on the very same droplet was an issue with running a scala application as a systemd service. I ran a development version of the process simply with nohup previously but since the app was about to go to "production", i thought it would need something to keep it always up and running. I was somewhat familiar to upstart and it turned out that there were some good instructions which upstart keywords would match the systemd service files.
Writing the service file was a breeze, only a couple of lines. The problems started when I started the service. It was running fine for a couple of seconds, it printed out nicely the first few log lines to the standard output. However after the app was up (rest service was running) the service exited with success code 0. I tried modifying some of the basic configs like Type=simple and SuccessExitStatus=143 and even using sh -c to start the java process. After a while I was convinced that the problem was not in the service file but rather in the scala application startup. And indeed it was. After the rest service has started, I added a line StdIn.readLine() followed by a graceful stopping of the process. The idea is to hit enter to stop the application if it running on foreground. After I removed that line and the graceful shutdown, it was running fine as a systemd service. It seems systemd sends something to the process stdin when it is starting up / started.
tldr: Run service rsyslog restart after you have changed ubuntu timezone. Check std in reads on processes running as a systemd service.
Comments
Post a Comment