Install Nodewatch On OpenVZ Host

NodeWatch is an effective program that will monitor your OpenVZ nodes for abusive VPS servers. If abuse is detected the VPS server in question can be automatically suspended.

But, on OpenVZ hosts, it is possible for a single VPS server to bring down the whole node. This is achieved by using all of the resources on that node. This would slow down the service for everyone or worse, cause the whole VPS host to go offline. So, to combat this, in this article we will show you how to install Nodewatch and configure the program.

Nodewatch is not compatible with V3 Kernel or Virtuozzo 7 hosts at the time of writing this article.

Install Nodewatch

First, get a free license key for Nodewatch from https://vpsantiabuse.com/. Then, use the below command to install Nodewatch.

wget http://deploy.vpsantiabuse.com/nodewatch-install.sh
sudo sh nodewatch-install.sh

Next, enable netfilter=stateful or netfilter=full for each container on the node but this will require a reboot of each VPS server you enable this on.

You can use the following command to set the Netfilter to full. So, issue the below command and restart the container. Read our list of useful vzctl commands.

vzctl stop CTID
vzctl set CTID --netfilter full --save

Configure Nodewatch

So, to configure Nodewatch, open up the Nodewatch configuration file and edit the following settings.

nano /nodewatch/scripts/nodewatch_config.php

1- // e-mail address for alerts
$admin_email = '[email protected]';

2- / your license key, see http://vpsantiabuse.com/
$license_key = '1293819230781023';

3- // in test mode Nodewatch will not perform suspensions and will not send SMS alerts
// however, e-mail alerts will still be sent
// Change this to 0 once configured and tested
$testmode = 1;

For most situations, the default values in the configuration files are suitable. You can reduce the values if you find these do not work for you but as default, Nodewatch will suspend any VPS that has;

1000 concurrent SMTP connections
100 concurrent SSH connections
Over 55000 conntrack sessions
Over 20000 unreplied conntrack sessions

Just, uncomment the relevant lines in the nodewatch_config.php file and reduce the values as required but, if you reduce the values by to much Nodeatch will suspend containers that are actually acting legitimately.

Link NodeWatch To SolusVM

If you are using SolusVM then you can generate an API user and add this to Nodewatch. This is used to tell SolusVM that the container is disabled. So, when the customer logs into SolusVM they will see the server is disabled and they will know to contact your support team.

Now restart NodeWatch. Issue the following command then, monitor the logs to see if any VPS servers are suspended.

Restart NodeWatch

/nodewatch/scripts/nodewatch_restart.sh

Watch NodeWatch Statistics

watch -n 1 cat /tmp/nodewatch_stats

Analyzing The NodeWatch Logs

NodeWatch will log everything it does to the /var/log/nodewatch folder. Organized by date each folder will contain the logs from NodeWatch and what each VPS was suspended for. In our folder we can see CTID 4257 was suspended due to SMTP abuse

10.54.29_4257_suspend_smtp

We can dig further into this to see that the container had many connections on port 25 to different IPs

ipv4 2 tcp 6 119 SYN_SENT src=85.50.201.180 dst=108.177.15.26 sport=52878 dport=25 [UNREPLIED] src=108.177.15.26 dst=85.10.201.180 sport=25 dport=52878 mark=0 secmark=0 use=2<br>ipv4 2 tcp 6 9 CLOSE src=85.10.206.180 dst=108.177.15.26 sport=57061 dport=25 src=108.177.15.26 dst=85.10.206.180 sport=25 dport=57061 [ASSURED] mark=0 secmark=0 use=2<br>ipv4 2 tcp 6 9 CLOSE src=85.10.201.180 dst=108.177.15.26 sport=53413 dport=25 src=108.177.15.26 dst=85.10.206.180 sport=25 dport=53413 [ASSURED] mark=0 secmark=0 use=2<br>ipv4 2 tcp 6 7 CLOSE src=85.10.201.180 dst=108.177.15.26 sport=34086 dport=25 src=108.177.15.26 dst=85.10.206.180 sport=25 dport=34086 [ASSURED] mark=0 secmark=0 use=2<br>ipv4 2 tcp 6 299 ESTABLISHED src=85.10.201.180 dst=108.177.15.26 sport=57230 dport=25 src=108.177.15.26 dst=85.10.206.180 sport=25 dport=57230 [ASSURED] mark=0 secmark=0 use=2<br>ipv4 2 tcp 6 8 CLOSE src=85.10.206.180 dst=108.177.15.26 sport=35565 dport=25 src=108.177.15.26 dst=85.10.206.180 sport=25 dport=35565 [ASSURED] mark=0 secmark=0 use=2<br>ipv4 2 tcp 6 9 CLOSE src=85.10.202.180 dst=108.177.15.26 sport=35482 dport=25 src=108.177.15.26 dst=85.10.206.180 sport=25 dport=35482 [ASSURED] mark=0 secmark=0 use=2<br>ipv4 2 tcp 6 7 CLOSE src=85.10.206.180 dst=108.177.15.26 sport=53366 dport=25 src=108.177.15.26 dst=85.10.206.180 sport=25 dport=53366 [ASSURED] mark=0 secmark=0 use=2

The container is sending spam and that is why it has been restricted. When NodeWatch suspends a container it will disable it in the servers configuration file and remove the IP addresses before shutting it down. The IPs are only removed temporarily and when the container is restarted the IPs will be added back. To start a suspended server you first need to enable it with the below command

vzctl set VEID --disabled no --save

Then start the server as normal

vzctl start VEID

If the user is still sending spam using an automated program usually on a different server then the server will likely be suspended again once it’s back online. They need to clear any email queues before you release the server.

Whitelist VPS servers In NodeWatch

You can exclude VPS servers from being suspended in NodeWatch but alerts will still be sent. Just add the containers CTID to the relevant files below to prevent that server from being suspended by NodeWatch.

/nodewatch/scripts/smtp_whitelist – for smtp connections

/nodewatch/scripts/ssh_whitelist – for ssh connections

/nodewatch/scripts/conntrack_whitelist – for conntrack connections

/nodewatch/scripts/processes_whitelist – for malware processes

/nodewatch/scripts/pps_whitelist – for packet counters

You need to list each CTID on a separate line like this;

4025
4027
3854
2491

How Was This Article – Install Nodewatch On OpenVZ Node

More from Dedicated Servers

Enable Mod_RemoteIP – See Visitors Real IP address when using Cloudflare & Apache

Posted On July 30, 2022 F2H.Cloud 0

If you are using Cloudflare on your Apache server you will always see Cloudflare IPs in your logs and not …

Fix 413 Request Entity Too Large Errors When Using NGINX

Posted On July 12, 2022 F2H.Cloud 0

Just like Apache, NGINX imposes default limits on the size of files that can be uploaded. A 413 Request Entity …

Cloud-init Modules That Automate and Customize Deployments

Posted On June 29, 2022 F2H.Cloud 0

Cloud-init is a popular way to automate deployments of instances in a cloud or none cloud environment. To save having …

Editor Picks

Compatible OS Versions – Linux KVM NVMe VPS

August 6, 2020 0

How To WordPress Prevent Website Hacks

January 8, 2020 0

Set up a website on an Ubuntu using Apache Virtual Hosts

January 30, 2019 0

Create Docker Container And The Basic Docker Commands

September 14, 2018 1