High CPU usage & service abuse
-
After installing it when it came out and forgetting about it until now, I noticed it was having high CPU usage in
top. (20-60%)Logging in and checking the dashboard it seems that it's being abused by clients globally and processed 14.5 million queries in the last 7 days. (mostly for pizzaseo.com)
This looks like the default install is open to the world and open to abuse.
In the /#dns settings I found the Access Settings, but since I don't have a static IP, it doesn't help to put a dynamic one there temporarily.
Is there a best practice we can configure for a private/secure by default install?
-
After installing it when it came out and forgetting about it until now, I noticed it was having high CPU usage in
top. (20-60%)Logging in and checking the dashboard it seems that it's being abused by clients globally and processed 14.5 million queries in the last 7 days. (mostly for pizzaseo.com)
This looks like the default install is open to the world and open to abuse.
In the /#dns settings I found the Access Settings, but since I don't have a static IP, it doesn't help to put a dynamic one there temporarily.
Is there a best practice we can configure for a private/secure by default install?
@robi If you're running this on CR at home, block port 53 at your firewall from public but allow it from internal. If you are on a VPS, you'd probably want something like dyndns.org to auto update stuff I'd think?
-
@robi If you're running this on CR at home, block port 53 at your firewall from public but allow it from internal. If you are on a VPS, you'd probably want something like dyndns.org to auto update stuff I'd think?
@doodlemania2 it's on a biz VPS and the abuse is severe enough to have used up 200+GB of disk space, which I need to track down now.
Backups have been failing, and who knows what else.
-
@doodlemania2 it's on a biz VPS and the abuse is severe enough to have used up 200+GB of disk space, which I need to track down now.
Backups have been failing, and who knows what else.
-
impressive. no wonder backup failed.-rw-r--r-- 1 root root 237376357024 Jan 1 22:23 querylog.jsonhuman readable:
-rw-r--r-- 1 root root 222G Jan 1 22:23 querylog.json -
impressive. no wonder backup failed.-rw-r--r-- 1 root root 237376357024 Jan 1 22:23 querylog.jsonhuman readable:
-rw-r--r-- 1 root root 222G Jan 1 22:23 querylog.json@robi it's a serious issue you have (think of IP reputation!) but it was also mentioned before:
https://forum.cloudron.io/topic/3840/adguard-on-upcoming-cloudron-v6-ddos-reflection-amplification
And it's in the docs:
https://docs.cloudron.io/apps/adguard-home/#securing-installation
I think DDNS doesn't work because you have to add an IP in AdGuard, I have the same issue with my home connection, that's why I don't use AdGuard in my personal Cloudron. I run Pi-Hole in my home network on a Raspberry Pi.
-
impressive. no wonder backup failed.-rw-r--r-- 1 root root 237376357024 Jan 1 22:23 querylog.jsonhuman readable:
-rw-r--r-- 1 root root 222G Jan 1 22:23 querylog.json -
@girish yeah, the querylog was 222gigs eeeeek!
-
@doodlemania2 it's on a biz VPS and the abuse is severe enough to have used up 200+GB of disk space, which I need to track down now.
Backups have been failing, and who knows what else.
@robi Does your VPS provider not let you block port 53? Or do you need it to be accessible externally?
-
@robi Does your VPS provider not let you block port 53? Or do you need it to be accessible externally?
@atrilahiji I might be wrong about this but I think port 53 needs to be used to resolve DNS, and since @robi mentioned that he installed it on a business VPS it has to be publicly accessible for it to function. If it were a homelab would this be less of an issue?
-
@atrilahiji I might be wrong about this but I think port 53 needs to be used to resolve DNS, and since @robi mentioned that he installed it on a business VPS it has to be publicly accessible for it to function. If it were a homelab would this be less of an issue?
-
@girish yeah, the querylog was 222gigs eeeeek!
@doodlemania2 I decreased the query log retention from 90 days to 7 days as the default. But depending on the use case, it can be disabled altogether in the settings file.
-
@girish yeah, the querylog was 222gigs eeeeek!
@doodlemania2
Thanks torcloneI uploaded all 222GB to my Google Drive in less then a couple hours. (didn't time it, but expected it to be much longer.)VPS is on a 200mbit line last time I checked, so could be under an hour.
If only we had network graph stats.
