madargon,
@madargon@is-a.cat

My usual amount of hate :blobcat_amused:
A few weeks ago I had a spam wave in my mail from my Zabbix about high load. At first I shrugged it off, as it is a low-resource VPS with too many services; I kind of expected this. One day I checked it out of curiosity and found it was mainly an openssl process eating my resources. I restarted the service and everything looked good.
Some time passed; yesterday I was doing random things on my server. I checked it for no particular reason and saw it again. This time I was more irritated and disabled the service completely. I didn't use it in "production" anyway.
I am not sure if it was normal. Maybe the openssl docs tell the truth and it is not a good way to run it long-term?
BTW what the hell am I doing with my life?!

tek_dmn,
@tek_dmn@mastodon.tekdmn.me

@madargon Strange, how do you have it set up? I haven't gotten alerts from it before and I use RSA-4096 keys.

https://paste.tdstoragebay.com/PgrxU6

That's the actual generation script; there's a second component that loops over them again (inefficient, I'm working on it) that parses out the "Next update" line to re-schedule another round when that timer fires.

madargon,
@madargon@is-a.cat

@tek_dmn It looks like you are on the opposite side, if I understand it well. Do you send requests to an external responder?
I am my own CA and I set up the responder this way:

openssl ocsp -port 8801 -index /home/user/resp/index.txt -CA /home/user/resp/internal.pem -rkey /home/user/resp/ocsp-resp.key.pem -rsigner /home/user/resp/ocsp.pem -ignore_err

It is a constantly listening service. The responder key is RSA-2048, not sure if it matters.
Problems probably started after the last Debian update, to the latest stable version. Or did something really send requests to this port? It was a systemd service so I have logs. It looks like there are constant streams of requests it couldn't handle. An automated attack or simply web crawlers touching this port? Maybe I should add this to robots.txt or something like that?

tek_dmn,
@tek_dmn@mastodon.tekdmn.me

@madargon Oh, that's the responder itself. Okay. The key would make a difference because OCSP responses, if I recall, are signed, so each response does use some CPU time for the signature; the larger the key, the more CPU.

robots.txt likely wouldn't affect most things; it's probably automated scanning. This is where something like fail2ban can be used to start blocking IPs that constantly give it malformed requests.
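The fail2ban-style check described in this reply, as an added example that is not code from anyone in the thread: it reads the responder's journal lines and flags bursts of requests the responder could not handle (fail2ban's maxretry/findtime logic, minus per-IP attribution, which needs a log that records the peer address). The journal line format and the error message wording are assumptions; the sample log is constructed.

```python
import re
from collections import deque
from datetime import datetime

# Assumed systemd journal short format: "Mon DD HH:MM:SS host unit[pid]: message"
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+?\[\d+\]: (.*)$")
# Assumed wording of responder messages for requests it could not handle.
ERROR_RE = re.compile(r"Error parsing OCSP request|malformed request", re.I)

# Constructed sample: a scan burst just after start-up, then one stray request later.
SAMPLE_LOG = """\
Sep 10 08:00:01 vps ocsp-responder[1234]: Waiting for OCSP client connections...
Sep 10 08:00:05 vps ocsp-responder[1234]: Error parsing OCSP request
Sep 10 08:00:06 vps ocsp-responder[1234]: Error parsing OCSP request
Sep 10 08:00:09 vps ocsp-responder[1234]: Error parsing OCSP request
Sep 10 08:00:12 vps ocsp-responder[1234]: Error parsing OCSP request
Sep 10 08:00:20 vps ocsp-responder[1234]: Error parsing OCSP request
Sep 10 08:00:25 vps ocsp-responder[1234]: Error parsing OCSP request
Sep 10 08:00:31 vps ocsp-responder[1234]: Error parsing OCSP request
Sep 10 09:30:00 vps ocsp-responder[1234]: Error parsing OCSP request
""".splitlines()


def parse_ts(stamp, year=2024):
    # The journal short format omits the year, so the caller supplies it.
    return datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")


def find_bursts(lines, threshold=5, window=60, year=2024):
    """Return (window_start, count) for each run of at least `threshold`
    error lines inside `window` seconds. After a burst is reported the
    counter restarts, so one noisy scan yields one alert, not one per line."""
    bursts = []
    recent = deque()  # timestamps of error lines inside the current window
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not ERROR_RE.search(m.group(2)):
            continue
        ts = parse_ts(m.group(1), year)
        recent.append(ts)
        while recent and (ts - recent[0]).total_seconds() > window:
            recent.popleft()
        if len(recent) >= threshold:
            bursts.append((recent[0], len(recent)))
            recent.clear()
    return bursts


if __name__ == "__main__":
    for start, count in find_bursts(SAMPLE_LOG):
        print(f"{count} unhandled requests within 60s starting {start}")
```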

thindil,

@madargon @tek_dmn Probably an automated attack. My IDS usually blocks automatic port knocking once per week. And about automated brute-force flood attacks I don't even want to talk. 😀 Old admin's hint: always close all ports which are not used. It can really save your server resources. And less headache. 😉
