High CPU usage & service abuse

robi

After installing it when it came out and forgetting about it until now, I noticed it was having high CPU usage in top. (20-60%)

Logging in and checking the dashboard it seems that it's being abused by clients globally and processed 14.5 million queries in the last 7 days. (mostly for pizzaseo.com)

This looks like the default install is open to the world and open to abuse.

In the /#dns settings I found the Access Settings, but since I don't have a static IP, it doesn't help to put a dynamic one there temporarily.

Is there a best practice we can configure for a private/secure by default install?

doodlemania2

@robi If you're running this on CR at home, block port 53 at your firewall from public but allow it from internal. If you are on a VPS, you'd probably want something like dyndns.org to auto update stuff I'd think?

robi

@doodlemania2 it's on a biz VPS and the abuse is severe enough to have used up 200+GB of disk space, which I need to track down now.

Backups have been failing, and who knows what else.

doodlemania2

@robi yikes! good luck sir

robi

impressive. no wonder backup failed.

-rw-r--r-- 1 root root 237376357024 Jan  1 22:23 querylog.json

human readable:

-rw-r--r-- 1 root root 222G Jan  1 22:23 querylog.json

imc67

@robi it's a serious issue you have (think of IP reputation!) but it was also mentioned before:

https://forum.cloudron.io/topic/3840/adguard-on-upcoming-cloudron-v6-ddos-reflection-amplification

And it's in the docs:

https://docs.cloudron.io/apps/adguard-home/#securing-installation

I think DDNS doesn't work because you have to add an IP in AdGuard, I have the same issue with my home connection, that's why I don't use AdGuard in my personal Cloudron. I run Pi-Hole in my home network on a Raspberry Pi.

girish

@robi Can you check what is taking so much space? Is this log files?

doodlemania2

@girish yeah, the querylog was 222gigs eeeeek!

atridad

@robi Does your VPS provider not let you block port 53? Or do you need it to be accessible externally?

thpuffin

@atrilahiji I might be wrong about this but I think port 53 needs to be used to resolve DNS, and since @robi mentioned that he installed it on a business VPS it has to be publicly accessible for it to function. If it were a homelab would this be less of an issue?

robi

@thpuffin @atrilahiji it would not be an issue because of NAT at home.

girish

@doodlemania2 I decreased the query log retention from 90 days to 7 days as the default. But depending on the use case, it can be disabled altogether in the settings file.

robi

@doodlemania2
Thanks to rclone I uploaded all 222GB to my Google Drive in less then a couple hours. (didn't time it, but expected it to be much longer.)

VPS is on a 200mbit line last time I checked, so could be under an hour.
If only we had network graph stats.