[BALUG-Admin] much better now: Re: /var space issues on balug VM, almost certainly from Internet miscreants & their bots

Michael Paoli Michael.Paoli@cal.berkeley.edu
Sun Apr 25 11:30:18 UTC 2021 

So ... much better now.  :-)
Still more to do, but it's at least "better enough" - things are quite in
operation again.
I did stop SMTP (exim4) on the balug Virtual Machine (VM) host for a
while while dealing with the problem (roughly about 24 hours or so).
But at this point, things are back in "normal" operation ... and even
better now!  (At least for the most part).  E.g. ...

And, now with ye olde crufty eximconfig out of the way, which has been
doing some of the anti-spam, some drain bamaged anti-spam it had that
was causing issues with legitimate mail, is probably quite gone now.
E.g., mailed commands to mailman can now be done using just the
Subject: header
and with an empty body - and that now works fine.  Whereas earlier,
the eximconfig configuration would mostly reject emails with an
empty body as spam.  So, I'll also be updating configurations to
take out text regarding the workaround for that (include a body with just
end
in it) - as that's no longer needed at all.

So, yeah, drain bamaged anti-spam ... I recall many moons ago, Rick Moen
sent an email which had a http or https url which ended in
linuxmafia.com ... probably just https://linuxmafia.com
Well, silly rules in eximconfig would look at that and essentially says,
oh my gosh, that's a URL to a .COM executable file, must protect those
happless Microsoft Windows/DOS users from that, and can't allow that
thorough, it's probably some malware binary anyway.
Well, anyway, at this point shouldn't be getting tripped up by stuff  
like that.

Anyway, lots more to do, but the present is "better enough" to (literally) run
with it (currently running).  And, will make further improvements from that
base.

> From: "Michael Paoli" <Michael.Paoli@cal.berkeley.edu>
> Subject: /var space issues on balug VM, almost certainly from  
> Internet miscreants & their bots
> Date: Fri, 23 Apr 2021 23:30:52 -0700

> /var space issues on balug VM, almost certainly from Internet  
> miscreants & their bots
>
> So ... bit more background on this below,
> and see also wiki page:
> https://www.wiki.balug.org/wiki/doku.php?id=system:annoyances
>
> I'll likely have the more detailed analysis/summary/progress
> there - including also history of the wiki page.
>
> I'll likely post more to
> BALUG-Admin <balug-admin@lists.balug.org>
> when it's more-or-less resloved ... or other major or possibly
> significant developments/findings/changes.
>
> Anyway, feel free to ask/discuss on BALUG-Admin if you may wish (or toss
> about ideas/suggestions/questions/whatever).
> Anyway, I thought the list traffic would be more fitting for
> BALUG-Admin than BALUG-Talk, so ... pointing that discussion
> to here ... also linked (notably on wiki page) to the earlier,
> if one wants to catch up on reading that (much or possibly all of which,
> might also be captured below).
>
> references/excerpts:
>
>> From: "Michael Paoli" <Michael.Paoli@cal.berkeley.edu>
>> Subject: -->BALUG-Admin Re: [BALUG-Talk] Possible solution of  
>> blankness or editing outline-only on BALUG DokuWiki?
>> Date: Fri, 23 Apr 2021 21:40:57 -0700
>
>> I'm going to suggest taking this discussion to the
>> BALUG-Admin <BALUG-Admin@lists.balug.org>
>> https://lists.balug.org/cgi-bin/mailman/listinfo/balug-admin
>> list, as,
>> though the matter does involved Linux somewhat generally, it's much
>> more specific and relevant to BALUG and the specific inner
>> workings thereof.  So, expect my next update and further communications
>> on the matter to be on the BALUG-Admin list, and I'll likely start  
>> it off with
>> latest update(s) and some background references/links on the  
>> matter, at least
>> as of late.
>>
>> Also ...
>> dates, lists, number of members:
>> YYYY-MM-DD announce talk admin
>> 2021-04-01      832  259    35
>> https://lists.balug.org/pipermail/balug-admin/2021-April/001046.html
>> I'm guestmating probably not around 259 subscribers are that interested
>> in these particularly details ... but quite possibly closer to about
>> 35 are ... or would be.
>> I may well also put up a wiki page regarding findings/developments ...
>> or maybe update an older one if such suitable wiki page already exists.
>>
>> Anyway, I still have some 'work' to do ...
>> # date -Iseconds && df -h /var
>> 2021-04-24T04:39:59+00:00
>> Filesystem             Size  Used Avail Use% Mounted on
>> /dev/mapper/balug-var  6.4G  5.9G  287M  96% /var
>> #
>>
>>> From: "Michael Paoli" <Michael.Paoli@cal.berkeley.edu>
>>> Subject: Re: [BALUG-Talk] Possible solution of blankness or  
>>> editing outline-only on BALUG DokuWiki?
>>> Date: Fri, 23 Apr 2021 08:44:22 -0700
>>
>>> Well, not out of the woods yet.
>>>
>>> Have done fair bit of compression (even using xz -9) of some
>>> moderately older data on /var ... and have grown /var several
>>> times, ... yet it filled up again very recently (or exceedingly
>>> close - I saw it at 100% again, but that's probably rounded, so
>>> at least >99.5%).
>>>
>>> So, at present, now have:
>>> # df -h /var
>>> Filesystem             Size  Used Avail Use% Mounted on
>>> /dev/mapper/balug-var  6.4G  5.7G  491M  93% /var
>>> #
>>> And very recently (only few days back) that was:
>>>> df -h /var
>>>> Filesystem             Size  Used Avail Use% Mounted on
>>>> /dev/mapper/balug-var  4.9G  4.5G  190M  97% /var
>>> Can't just keep growing /var indefinitely.
>>> Much of the volume is mail and related - logs, queued mail,
>>> bounces & failures, mail to listadmin and postmaster, etc., and mostly
>>> lots of other nuisance stuff - fail2ban database takes fair bit of space,
>>> but trimming what that holds would increase data in other logs - notably
>>> of lots of nuisance failed login/authentication attempts and the like.
>>>
>>> And, even if I caught it before completely full, some services (e.g.
>>> exim4) will proactively stop processing when the free filesystem
>>> space runs too low.
>>>
>>> So, yeah, I'll need to do some more work on it.  May need to analyze why
>>> it's ballooning more than it was in past - what's the nature of the
>>> problematic traffic that keeps driving up the storage.
>>>
>>> I suspect it's mostly spam (and attempts thereof) and bad bots
>>> doing/attempting stuff ... essentially all some type(s) of nefarious
>>> unwanted traffic chewing up resources.
>>>
>>> So, in only a couple days or so, it's already nearly 1.5 GiB more data,
>>> and that's already after having done fair bit of aggressive data
>>> data compression on some older data (e.g. some of the older mail data
>>> easily compressed from around 200 of MiB to under a few tens of MB ...
>>> and I even moved the compressed off of the /var filesystem).
>>>
>>> So, ..., yeah, miscreants on 'da Internet ... more work for me to do.  :-/
>>>
>>> Would also be nice to get some of that /var space back, and not  
>>> have to give
>>> so much of it over to what's basically mostly unintersting crud.
>>>
>>> And, have had stuff like this happen before, ... e.g. like bad bots trying
>>> to register on wiki - and chewing up huge volumes of space ... that's why
>>> there's no self-registration option anymore ... blame it on abusers on
>>> 'da Internet.  Manual registration only now.  Even captcha's weren't really
>>> enough for most of that ... bad bots still pounded away and repeatedly
>>> filled up log space.  Maybe more fail2ban config would help that  
>>> ... but then
>>> that also ends up chewing up additional space with its database ...
>>>
>>> # du -x /var | sort -bnr | head -n 12
>>> 5866812 /var
>>> 2102592 /var/lib
>>> 1249060 /var/log
>>> 1017624 /var/spool
>>> 1015100 /var/mail
>>> 932200  /var/spool/exim4
>>> 731780  /var/lib/fail2ban
>>> 616584  /var/lib/clamav
>>> 531456  /var/log/apache2
>>> 505952  /var/log/exim4
>>> 491980  /var/spool/exim4/input
>>> 364892  /var/spool/exim4/msglog
>>> #
>>>
>>>> From: "aaronco36 via BALUG-Talk" <balug-talk@lists.balug.org>
>>>> Subject: Re: [BALUG-Talk] Possible solution of blankness or  
>>>> editing outline-only on BALUG DokuWiki?
>>>> Date: Thu, 22 Apr 2021 16:21:14 +0000 (UTC)
>>>
>>>> Quoting Michael Paoli <Michael.Paoli at cal.berkeley.edu> from [1]:
>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>> Thanks for the report, but I'm unable to reproduce the issue.
>>>> Anyone else able to reproduce it?  Are you/anyone seeing the
>>>> issue at this time?  Anyone else also see it earlier?
>>>>
>>>> I've tried the following on:  
>>>> https://www.wiki.balug.org/wiki/doku.php without being able to  
>>>> reproduce the issue:
>>>> Chromium
>>>> Chromium incognito mode
>>>> Firefox
>>>> Firefox private browsing mode
>>>> Lynx
>>>> curl
>>>> wget
>>>> Chome on Android from another ISP
>>>> Chrom icognito mode on Android from another ISP
>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>
>>>> Cut-and-pasted a text screen-capture and submitted it as a  
>>>> [BALUG-Test] 'Test of BALUG Wiki pages' posting yesterday  
>>>> morning; see [2].
>>>> AFAICT, that "blankness or editing outline-only issue" for BALUG  
>>>> DokuWiki pages [3] and [4] occurred from before 08:00am PDT up  
>>>> through the late morning, and then went away by mid-afternoon  
>>>> yesterday.
>>>> Probably reloaded both those BALUG DokuWiki pages a half-dozen  
>>>> times or so over the morning time-period using mostly Firefox-ESR  
>>>> standard mode and Firefox-ESR private browsing mode, and maybe  
>>>> once or twice using TOR browser in its [least] Safe mode.
>>>>
>>>> Same results for all browsers used to test those pair of pages  
>>>> during that entire morning time-period.
>>>>
>>>>
>>>> Quoting Michael Paoli <Michael.Paoli at cal.berkeley.edu> from [5]:
>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>> That may have done it.
>>>> Looks like I need to add more space to /var and/or clean some more stuff
>>>> off of it:
>>>> df -h /var
>>>> Filesystem             Size  Used Avail Use% Mounted on
>>>> /dev/mapper/balug-var  4.9G  4.5G  190M  97% /var
>>>> #
>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>
>>>> Thanks much, Michael, for effectively diagnosing and resolving  
>>>> the issue! :-)
>>>>
>>>> Besides considering the issue arising from the DokuWiki site  
>>>> itself or BALUG's device /dev/mapper/balug-var, was also  
>>>> considering the possibility that the issue might have arisen from  
>>>> my own browser client.
>>>>
>>>> Why so?
>>>>
>>>> Well, there was no issue whatsoever with successfully loading  
>>>> BALUG DokuWiki pages [3] and [4] throughout Sunday and Monday of  
>>>> this week.
>>>> What changed on Tuesday afternoon was upgrading Firefox-ESR to a  
>>>> slightly higher, minor version as per 'less  
>>>> /var/log/apt/history.log' :
>>>>> Start-Date: 2021-04-20  14:10:03
>>>>> Commandline: apt upgrade
>>>>> Upgrade: firefox-esr:amd64 (78.9.0esr-1~deb10u1, 78.10.0esr-1~deb10u1)
>>>>> End-Date: 2021-04-20  14:10:15
>>>>
>>>> One or more bugs in the upgraded FF 78.10.0esr could have  
>>>> conceivably rendered text and links in the BALUG DokuWiki  
>>>> incorrectly afterwards, as remote as this possibility might seem  
>>>> to be.
>>>> It's good to know that this wasn't the case at all, and that this  
>>>> latest Firefox-ESR browser was fine after all :-)
>>>>
>>>> Thanks again Michael!
>>>>
>>>> -Aaron
>>>>
>>>> ===========================
>>>> REFERENCES
>>>> ===========================
>>>> [1]https://lists.balug.org/pipermail/balug-talk/2021-April/000220.html
>>>> [2]https://lists.balug.org/pipermail/balug-test/2021/000048.html
>>>> [3]https://www.wiki.balug.org/wiki/doku.php
>>>> [4]https://www.wiki.balug.org/wiki/doku.php?id=balug:offered_wanted_hardware_etc
>>>> [5]https://lists.balug.org/pipermail/balug-talk/2021-April/000221.html
>>>> ===========================

More information about the BALUG-Admin mailing list