Hi,

I know this is quite impossible to diagnose from afar, but I came across the posting from lemmy.world admins talking about the attacks they are facing where the database will get overwhelmed and the server doesn’t respond anymore. And something similar seemed to have happened to my own servers.

Now, I’m running my own self-hosted Lemmy and Mastodon instances (on 2 seperate VPS) and had them become completely unresponsive yesterday. Mastodon and Lemmy both showed the “there is an internal/database error” message and my other services (Nextcloud and Synapse) didn’t load or respond.

Login into my VPS console showed me that both servers ran at 100% CPU load since a couple of hours. I can’t currently SSH into these servers, as I’m away for a couple of days and forgot to bring my private SSH key on my Laptop. So, for now I just switched the servers off.

Anyway, the main question is: what should I look at in troubleshooting when I’m back home? I’m a beginner in selfhosting and I run these instances just for myself and don’t mind if I’d have to roll them back a couple days (I have backups). But I would like to learn from this and get better at running my own services.

For reference: I run everything in docker containers behind Nginx Proxy Manager as my reverse proxy. I have only ports 80, 443 and 22 open to the outside. I have fail2ban set up. The Mastodon and Lemmy instances are not open for registration and just have 2 users each (admin + my account).

  • danA
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    To avoid automated scans you should also change the port to a higher number, maybe something above 10,000.

    This doesn’t really work any more. Port scanning is trivial with IPv4, and tools like masscan can scan the entire IPv4 internet (all IPv4 addresses) in less than 15 minutes.

    • tmjaea@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Very interesting, thanks for sharing!

      I know it’s just anecdotal evidence, however fail2ban in my one machine which does need ssh on port 22 to the open internet bans a lot of IPs every hour. All other ones with ssh on a higher port do not. Also their auth log does not show any failed attempts.

      • danA
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Yeah it’s probably script kiddies that are only trying port 22 because it’s easier than port scanning.

        Make sure you disable PasswordAuthentication in the OpenSSH configuration (/etc/ssh/sshd_config on Debian at least). People won’t be able to try to brute force their way in if the only way in is without a password (ie using an SSH key) :)