NodeWatch is an effective program that will monitor your OpenVZ nodes for abusive VPS servers. If abuse is detected the VPS server in question can be automatically suspended.
But, on OpenVZ hosts, it is possible for a single VPS server to bring down the whole node. This is achieved by using all of the resources on that node. This would slow down the service for everyone or worse, cause the whole VPS host to go offline. So, to combat this, in this article we will show you how to install Nodewatch and configure the program.
Nodewatch is not compatible with V3 Kernel or Virtuozzo 7 hosts at the time of writing this article.
First, get a free license key for Nodewatch from https://vpsantiabuse.com/. Then, use the below command to install Nodewatch.
wget http://deploy.vpsantiabuse.com/nodewatch-install.sh sudo sh nodewatch-install.sh
Next, enable netfilter=stateful or netfilter=full for each container on the node but this will require a reboot of each VPS server you enable this on.
You can use the following command to set the Netfilter to full. So, issue the below command and restart the container. Read our list of useful vzctl commands.
vzctl stop CTID vzctl set CTID --netfilter full --save
So, to configure Nodewatch, open up the Nodewatch configuration file and edit the following settings.
1- // e-mail address for alerts $admin_email = '[email protected]'; 2- / your license key, see http://vpsantiabuse.com/ $license_key = '1293819230781023'; 3- // in test mode Nodewatch will not perform suspensions and will not send SMS alerts // however, e-mail alerts will still be sent // Change this to 0 once configured and tested $testmode = 1;
For most situations, the default values in the configuration files are suitable. You can reduce the values if you find these do not work for you but as default, Nodewatch will suspend any VPS that has;
1000 concurrent SMTP connections 100 concurrent SSH connections Over 55000 conntrack sessions Over 20000 unreplied conntrack sessions
Just, uncomment the relevant lines in the nodewatch_config.php file and reduce the values as required but, if you reduce the values by to much Nodeatch will suspend containers that are actually acting legitimately.
Link NodeWatch To SolusVM
If you are using SolusVM then you can generate an API user and add this to Nodewatch. This is used to tell SolusVM that the container is disabled. So, when the customer logs into SolusVM they will see the server is disabled and they will know to contact your support team.
Now restart NodeWatch. Issue the following command then, monitor the logs to see if any VPS servers are suspended.
Watch NodeWatch Statistics
watch -n 1 cat /tmp/nodewatch_stats
Analyzing The NodeWatch Logs
NodeWatch will log everything it does to the /var/log/nodewatch folder. Organized by date each folder will contain the logs from NodeWatch and what each VPS was suspended for. In our folder we can see CTID 4257 was suspended due to SMTP abuse
We can dig further into this to see that the container had many connections on port 25 to different IPs
ipv4 2 tcp 6 119 SYN_SENT src=18.104.22.168 dst=22.214.171.124 sport=52878 dport=25 [UNREPLIED] src=126.96.36.199 dst=188.8.131.52 sport=25 dport=52878 mark=0 secmark=0 use=2<br>ipv4 2 tcp 6 9 CLOSE src=184.108.40.206 dst=220.127.116.11 sport=57061 dport=25 src=18.104.22.168 dst=22.214.171.124 sport=25 dport=57061 [ASSURED] mark=0 secmark=0 use=2<br>ipv4 2 tcp 6 9 CLOSE src=126.96.36.199 dst=188.8.131.52 sport=53413 dport=25 src=184.108.40.206 dst=220.127.116.11 sport=25 dport=53413 [ASSURED] mark=0 secmark=0 use=2<br>ipv4 2 tcp 6 7 CLOSE src=18.104.22.168 dst=22.214.171.124 sport=34086 dport=25 src=126.96.36.199 dst=188.8.131.52 sport=25 dport=34086 [ASSURED] mark=0 secmark=0 use=2<br>ipv4 2 tcp 6 299 ESTABLISHED src=184.108.40.206 dst=220.127.116.11 sport=57230 dport=25 src=18.104.22.168 dst=22.214.171.124 sport=25 dport=57230 [ASSURED] mark=0 secmark=0 use=2<br>ipv4 2 tcp 6 8 CLOSE src=126.96.36.199 dst=188.8.131.52 sport=35565 dport=25 src=184.108.40.206 dst=220.127.116.11 sport=25 dport=35565 [ASSURED] mark=0 secmark=0 use=2<br>ipv4 2 tcp 6 9 CLOSE src=18.104.22.168 dst=22.214.171.124 sport=35482 dport=25 src=126.96.36.199 dst=188.8.131.52 sport=25 dport=35482 [ASSURED] mark=0 secmark=0 use=2<br>ipv4 2 tcp 6 7 CLOSE src=184.108.40.206 dst=220.127.116.11 sport=53366 dport=25 src=18.104.22.168 dst=22.214.171.124 sport=25 dport=53366 [ASSURED] mark=0 secmark=0 use=2
The container is sending spam and that is why it has been restricted. When NodeWatch suspends a container it will disable it in the servers configuration file and remove the IP addresses before shutting it down. The IPs are only removed temporarily and when the container is restarted the IPs will be added back. To start a suspended server you first need to enable it with the below command
vzctl set VEID --disabled no --save
Then start the server as normal
vzctl start VEID
If the user is still sending spam using an automated program usually on a different server then the server will likely be suspended again once it’s back online. They need to clear any email queues before you release the server.
Whitelist VPS servers In NodeWatch
You can exclude VPS servers from being suspended in NodeWatch but alerts will still be sent. Just add the containers CTID to the relevant files below to prevent that server from being suspended by NodeWatch.
/nodewatch/scripts/smtp_whitelist – for smtp connections
/nodewatch/scripts/ssh_whitelist – for ssh connections
/nodewatch/scripts/conntrack_whitelist – for conntrack connections
/nodewatch/scripts/processes_whitelist – for malware processes
/nodewatch/scripts/pps_whitelist – for packet counters
You need to list each CTID on a separate line like this;
4025 4027 3854 2491
How Was This Article – Install Nodewatch On OpenVZ Node
More from Dedicated Servers
Enable Mod_RemoteIP – See Visitors Real IP address when using Cloudflare & Apache
If you are using Cloudflare on your Apache server you will always see Cloudflare IPs in your logs and not …
Fix 413 Request Entity Too Large Errors When Using NGINX
Just like Apache, NGINX imposes default limits on the size of files that can be uploaded. A 413 Request Entity …
Cloud-init Modules That Automate and Customize Deployments
Cloud-init is a popular way to automate deployments of instances in a cloud or none cloud environment. To save having …