-2

Is it safe to use reboot command to reboot VPS every night? I'm under attack everyday for ~30 mins and I'm pretty sure if they could attack, they would do it non-stop.

I contacted hosting provider, they told they don't see anything suspicious and nobody is attacking me. But WinSCP/Putty commands execution are being laggy. I'm stucked in corner, can't identify what attack type I'm on. Would not rebooting help?

Luis
  • 3
  • 1
  • 2
    Rebooting won't hurt, but it is not a viable solution. You need to investigate to see what is going on and then fix that problem. – EEAA Oct 27 '15 at 12:39
  • 5
    Not every kind of slow service is an attack. Check your server metrics, CPU usage, memory usage, IOwait, etc. – Craig Watson Oct 27 '15 at 12:40
  • 1
    Also it's possible that the VPS provider does overselling and during that 30 minutes the hypervisor is under stress causing all VPSes to be sluggish. – Cha0s Oct 27 '15 at 13:07
  • If you experience the problems every day at the same time you should check your cronjobs. – Henrik Pingel Oct 27 '15 at 13:33
  • Side note: use "shutdown -r now" instead of "reboot" when you reboot a server, unless you can't help it. – David W Oct 27 '15 at 13:54
  • @DavidW Why shouldn't you use `reboot`? – Aaron Copley Oct 27 '15 at 16:42
  • "reboot" doesn't shut services down gracefully. It's as if you pull the plug on the server (as far as the software applications are concerned, such as MySQL), whereas "shutdown -r now" goes through the proper steps to gracefully stop all processes. – David W Oct 27 '15 at 17:04
  • 1
    I guess that is a Debian thing? Thanks for the warning. I will keep that in mind. On Red Hat, `reboot` actually calls `shutdown -r now` (unless you use `--force`.) – Aaron Copley Oct 27 '15 at 17:35
  • Why did I get -2? I searched on serverfault.com and there isn't this type of question... Are you sure about shutdown -r now? I tried googling and found -r Reboot after shutdown. So it's same just as reboot, isn't it? (http://www.computerhope.com/unix/ushutdow.htm) – Luis Oct 27 '15 at 17:49

2 Answers2

4

To answer the question, it is safe to reboot a typical Linux server nightly unless you have very fragile services, or your business case can't tolerate the downtime of a reboot. A VPS server will typically be the same machine when it comes back up, though a cloud server (e.g., AWS, GCE) may need to be reconfigured.

As commenters have stated, however, you have not provided very much information that is indicative of an attack. Though you could be under attack daily for 30 minutes, it seems unlikely. Check your log files and system metrics (e.g., load, memory and swap usage, network latency from your client) during the periods of slowness. It might also be worthwhile to check cron during that time in case a job is running that's causing the slowness.

If you are being attacked, rebooting is very unlikely to help.

James
  • 51
  • 2
  • They are always attacking me till my Java application crash, my java application use MySQL to store/get data. Is it possible some kind to freeze MySQL work if it's running in public mode? What information, would I need to provide to identify vulnerability? – Luis Oct 27 '15 at 17:54
  • You should look for unusual activity in the logs in your application and in your MySQL server if you suspect they are the targets of the attack. Unfortunately, the question is too broad to provide a specific answer. What kind of attack do you think you are under? Why is it only 30 minutes per day? The only reason you think you're getting attacked as far as I can see, is that you experience intermittent performance problems and you've been threatened. You need to find some unusual activity or traffic patterns to be more sure, and "SSH is periodically slow" doesn't really cut it. – James Oct 27 '15 at 20:42
1

How, exactly, you've discovered that you're being attacked? There are great tools to take measures like fail2ban. If you've discovered by logs that you're suffering DoS/DDoS/Brute-Force attacks, you can configure it to analyse your logs and create iptables rules to block the attacking hosts.

EDIT: You can also use the iptables "recent" module, like this:

iptables -t filter -I INPUT -p all --dport 25565 -i eth0 -m state --state NEW -m recent --set
iptables -t filter -I INPUT -p all --dport 25565 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP

That will allow just 5 hits in your 25565 port per minute. Of course, you'll have to adjust it to your needs, since I don't know how your application works in the network...

EDIT: Here's how you log connections with iptables to your MySQL service:

iptables -t filter -I INPUT -p all --dport 3306 -m state --state NEW -j LOG --log-prefix "MySQL connection: " --log-level info

Logs will be shown in your /var/log/syslog file. You can grep it to filter just what matters to you like this:

tail -f /var/log/syslog | grep "MySQL connection"

Also, you can use this command to see how many connections a host is maintaining to your VPS:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Hope this helps!

Stefano Martins
  • 1,221
  • 8
  • 10
  • Group of people threaten me and now it's happening. Java application is running 25565 port. It use MySQL server to store/get data, MySQL is running public. May it be I'm getting flooded/ddosed MySQL port? When Java application freeze from htop I see CPU usage is at 0%, ssh commands become slower, laggy. But how can I know, what commands would help me? Going to install fail2ban (https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-debian-7), but I'm not sure how to configure it. What would you suggest me to do? – Luis Oct 27 '15 at 16:05
  • If your MySQL service is listening in all your addresses, configure it to listen only for requests in localhost. You can do it at the /etc/mysql/my.cnf file (usually). From what you've said, fail2ban will only work for you if you log the requests with iptables and tell fail2ban to read it for you. These links can also help you out: http://rockdio.org/ayudatech/how-to-stop-small-ddos-attacks-some-basic-security-advice/ http://devconf.cz/filebrowser/download/374 https://forums.digitalpoint.com/threads/ddos-protection-script-for-iptables.1031456/ – Stefano Martins Oct 27 '15 at 16:21
  • But how can I identify if they are flooding MySQL server? Is this even possible case? Flooding MySQL server port result in Java application crash due to overload, when it can't make connections, is this possible? – Luis Oct 27 '15 at 16:56
  • Just added more info to my answer. – Stefano Martins Oct 27 '15 at 17:15
  • I tried command to execute command you provided iptables -t filter -I INPUT -p all --dport 3306 -m state --state NEW -j LOG --log-prefix "MySQL connection: " --log-level info. And I got error: iptables v1.4.14: unknown option "--dport" Try `iptables -h' or 'iptables --help' for more information. – Luis Oct 27 '15 at 18:01
  • Try this: `-p tcp --dport 3306`. – Stefano Martins Oct 27 '15 at 18:21
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/30809/discussion-between-luis-and-stefano-martins). – Luis Oct 28 '15 at 09:02