High CPU usage & service abuse

robi

After installing it when it came out and forgetting about it until now, I noticed it was having high CPU usage in top. (20-60%)

Logging in and checking the dashboard it seems that it's being abused by clients globally and processed 14.5 million queries in the last 7 days. (mostly for pizzaseo.com)

This looks like the default install is open to the world and open to abuse.

In the /#dns settings I found the Access Settings, but since I don't have a static IP, it doesn't help to put a dynamic one there temporarily.

Is there a best practice we can configure for a private/secure by default install?

doodlemania2

@robi If you're running this on CR at home, block port 53 at your firewall from public but allow it from internal. If you are on a VPS, you'd probably want something like dyndns.org to auto update stuff I'd think?

robi

@doodlemania2 it's on a biz VPS and the abuse is severe enough to have used up 200+GB of disk space, which I need to track down now.

Backups have been failing, and who knows what else.

doodlemania2

@robi yikes! good luck sir

robi

impressive. no wonder backup failed.

-rw-r--r-- 1 root root 237376357024 Jan  1 22:23 querylog.json

human readable:

-rw-r--r-- 1 root root 222G Jan  1 22:23 querylog.json

imc67

@robi it's a serious issue you have (think of IP reputation!) but it was also mentioned before:

https://forum.cloudron.io/topic/3840/adguard-on-upcoming-cloudron-v6-ddos-reflection-amplification

And it's in the docs:

https://docs.cloudron.io/apps/adguard-home/#securing-installation

I think DDNS doesn't work because you have to add an IP in AdGuard, I have the same issue with my home connection, that's why I don't use AdGuard in my personal Cloudron. I run Pi-Hole in my home network on a Raspberry Pi.

girish

@robi Can you check what is taking so much space? Is this log files?

doodlemania2

@girish yeah, the querylog was 222gigs eeeeek!

atridad

@robi Does your VPS provider not let you block port 53? Or do you need it to be accessible externally?

thpuffin

@atrilahiji I might be wrong about this but I think port 53 needs to be used to resolve DNS, and since @robi mentioned that he installed it on a business VPS it has to be publicly accessible for it to function. If it were a homelab would this be less of an issue?

robi

@thpuffin @atrilahiji it would not be an issue because of NAT at home.

girish

@doodlemania2 I decreased the query log retention from 90 days to 7 days as the default. But depending on the use case, it can be disabled altogether in the settings file.

robi

@doodlemania2
Thanks to rclone I uploaded all 222GB to my Google Drive in less then a couple hours. (didn't time it, but expected it to be much longer.)

VPS is on a 200mbit line last time I checked, so could be under an hour.
If only we had network graph stats.

Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.

High CPU usage & service abuse