Short guide
Please note that the Nodewatch system is provided as is, without any warranty, expressed or implied.
Feedback
Please send feedback to feedback [at] vpsantiabuse.com
Current version of Nodewatch supports OpenVZ kernels 2.6.18 and 2.6.32.
Supported OS: 64-bit CentOS 5.x, 6.x; should also work on 64-bit versions of RHEL5/6, SL6.
Nodewatch does not care about your control panel (SolusVM, HyperVM, etc); it is completely independent and does not cause any conflicts with the control panel.
Installation
You need to be root in order to perform the installation.
wget http://deploy.vpsantiabuse.com/nodewatch-install.sh
sh nodewatch-install.sh
Now open /nodewatch/scripts/nodewatch_config.php and configure the following settings:
// e-mail address for alerts
$admin_email = 'your@email';
// your license key, see http://vpsantiabuse.com/
$license_key = '1293819230781023';
// set to true to enable SMS alerts
$sms_alerts = true;
// cell phone for SMS alerts; for US/Canada: '555-5555-555';
// international example: '+55-555-5555-555'
// (+55 = country code with "+" prefix)
// multiple numbers example: '555-5555-555,+66-666-6666-666'
// (up to 3 phone numbers are supported)
$sms_phoneno = '123-4567-890';
// change to true to disable scanning customers' VPS for weak root passwords
$disable_nodewatch_passwords = false;
Nodewatch-web section (optional):
// set to true to enable
$nodewatch_web_update_enabled = true; // change to false to disable web updates
// link to update.php
$nodewatch_web_update_url = 'http://yourdomain.com/update.php';
// password for nodewatch-web, must match the password
// set in config.php of your nodewatch-web installation
$nodewatch_web_password = 'secret';
SolusVM integration (optional):
// set to true to enable
$solusvm_calls_enabled = true;
// IP address of the SolusVM master
$solusvm_master_ip = '184.108.40.206';
// API id must be created in the SolusVM Admin panel, menu: Configuration->Api Access
$solusvm_master_api_id = 'ididididididididididididididid';
// API key must be created in the SolusVM Admin panel, menu: Configuration->Api Access
$solusvm_master_api_key = 'keykeykeykeykeykeykeykeykeykey';
// Numeric Node ID of this physical server. It is located in the SolusVM Admin panel, menu: Nodes->List Nodes
$solusvm_node_id = '2';
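The configuration file now holds a license key, a SolusVM API key and the nodewatch-web password, so it is worth checking before the restart. The script below is an added example, not part of Nodewatch; the helper names cfg_get, report and audit_nodewatch_config are hypothetical, and it only looks for the sample values shown in this guide and for loose file permissions.

```shell
#!/bin/sh
# Added example, not part of Nodewatch: audit nodewatch_config.php for
# loose permissions and sample values left over from the guide.
# Usage: audit_nodewatch_config /nodewatch/scripts/nodewatch_config.php

# Print the value assigned to PHP variable $1 in file $2
# (lines of the form  $name = 'value';  or  $name = true;).
cfg_get() {
    sed -n "s/^[[:space:]]*\\\$$1[[:space:]]*=[[:space:]]*'\{0,1\}\([^';]*\)'\{0,1\}[[:space:]]*;.*/\1/p" "$2" | tail -n 1
}

report() { echo "FINDING: $1"; findings=$((findings + 1)); }

audit_nodewatch_config() {
    cfg=$1
    findings=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }

    # The file holds the license key, SolusVM API key and nodewatch-web
    # password, so group and others should have no access to it.
    perms=$(ls -ld "$cfg" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        report "$cfg is accessible to group/others ($perms)"
    fi

    if [ "$(cfg_get admin_email "$cfg")" = "your@email" ]; then
        report "\$admin_email is still the sample address"
    fi

    if [ "$(cfg_get nodewatch_web_update_enabled "$cfg")" = "true" ]; then
        if [ "$(cfg_get nodewatch_web_password "$cfg")" = "secret" ]; then
            report "\$nodewatch_web_password is still the sample value"
        fi
        case $(cfg_get nodewatch_web_update_url "$cfg") in
            http://*) report "\$nodewatch_web_update_url is plain HTTP, so updates travel unencrypted" ;;
        esac
    fi

    if [ "$(cfg_get solusvm_calls_enabled "$cfg")" = "true" ] &&
       [ "$(cfg_get solusvm_master_api_key "$cfg")" = "keykeykeykeykeykeykeykeykeykey" ]; then
        report "\$solusvm_master_api_key is still the sample value"
    fi

    # Exit status 0 only when nothing was reported.
    [ "$findings" -eq 0 ]
}
```

The function prints one FINDING line per problem and returns non-zero if there is any, so it can gate a restart script.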
After all desired changes are made, save the file and restart nodewatch:
Wait 5 minutes. Now you can watch some statistics.
watch -n 1 cat /tmp/nodewatch_stats
Here's what the columns mean:
VPS: VE ID (container ID). Matches VE IDs provided by this command:
SMTP: Current number of outgoing SMTP connections for this VPS
SSH: Current number of incoming AND outgoing SSH connections for this VPS
Avg I/O: Average I/O (disk) bandwidth for VPS in MiB per second. Averages for 5, 30, 180 and 900 seconds.
Avg packets: Average number of UDP + TCP packets per second (sent + received). Averages for 5, 15, 30, 60, 180, 900 seconds.
Automatic suspension of a VPS
First of all, make sure the default thresholds make sense to you. Modify them if necessary in nodewatch_config.php:
$limit_packets_suspend = 500000
Suspend VPS if it exceeds 500000 packets per second.
$limit_smtp_suspend = 1000
Suspend VPS if it exceeds 1000 simultaneous SMTP connections per second.
$limit_ssh_suspend = 100
Suspend VPS if it exceeds 100 simultaneous SSH connections per second.
An email will be sent to the address provided in the nodewatch_config.php file upon automatic suspension. If a phone number is provided in the configuration file, an SMS notification will be sent to your phone as well.
If SolusVM Master details are provided in the configuration file, Nodewatch will also send a notification to the SolusVM master.
How VPS suspension works
Nodewatch executes the following shell command to suspend a VPS:
vzctl set VEID --disabled yes --save
Then it simply stops the VPS:
vzctl stop VEID
This, however, will not work under certain conditions (DoS being one example), as OpenVZ will need minutes to stop the container. When this is the case, Nodewatch will automatically disable all network activity in a VPS to prevent it from abusing the network while it is being stopped.
How to unsuspend a VPS after an automatic suspension
vzctl set VEID --disabled no --save
You can then start the VPS:
vzctl start VEID
If SolusVM Master details are provided in the configuration file, then you can also unsuspend the VPS directly from the SolusVM Master.
Whitelisting
If you need to allow your customer to run mass mailing campaigns, mailing lists, etc, it is quite easy to whitelist their VPS. Simply add their VEID to the following files:
/nodewatch/scripts/smtp_whitelist – for smtp connections
/nodewatch/scripts/ssh_whitelist – for ssh connections
To whitelist multiple VPS, add one VEID per line.
Note that you will still get e-mail and SMS alerts even if the VPS is whitelisted. This is needed so that you can keep an eye on things. Let us know if you need more flexibility here.
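Because the whitelist files are edited by hand, they are worth reviewing periodically: a typo silently whitelists nothing, and an entry left behind after a container is destroyed keeps applying to whatever container is later given that VEID. The function below is an added example, not part of Nodewatch; audit_whitelist is a hypothetical name, and it assumes the node's container IDs have been written to a file, one per line, for example with vzlist.

```shell
#!/bin/sh
# Added example, not part of Nodewatch: review a whitelist file for
# malformed lines, duplicates and VEIDs that no longer exist on this node.
#
# $1 = whitelist file, one VEID per line, e.g. /nodewatch/scripts/smtp_whitelist
# $2 = file with the node's container IDs, one per line, e.g. produced by:
#        vzlist -a -H -o ctid > /tmp/ctids
# Prints one "STATUS veid" line per problem; returns 0 only if the list is clean.
audit_whitelist() {
    awk '
        # Strip leading and trailing blanks (vzlist pads its columns).
        function trim(s) { gsub(/^[ \t\r]+|[ \t\r]+$/, "", s); return s }

        # First file: remember every container ID present on the node.
        FILENAME == ARGV[1] { id = trim($0); if (id != "") live[id] = 1; next }

        # Second file: the whitelist itself.
        { id = trim($0) }
        id == ""          { next }
        id !~ /^[0-9]+$/  { print "MALFORMED " id; bad++; next }
        seen[id]++        { print "DUPLICATE " id; bad++; next }
        !(id in live)     { print "STALE " id; bad++ }

        END { exit (bad > 0) }
    ' "$2" "$1"
}
```

Run it once for smtp_whitelist and once for ssh_whitelist; STALE entries should be removed before the VEID is reused.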
Weak root password detection
Nodewatch uses John the Ripper to automatically scan your users' VPS for weak passwords. (John is installed automatically during Nodewatch installation; there is no need to install it separately.) When a weak password is discovered, it is immediately replaced with a randomly generated password. A message with the new password is then written to the user's VPS console, and a record is made in the user's VPS syslog.
Updating to latest version
/nodewatch/scripts/update.sh
Invoking this script will update and restart your Nodewatch installation. Allow 10 minutes after updating for stats to re-appear.
rm -f /etc/cron.d/vpsantiabuse /nodewatch/scripts/nodewatch_restart.sh
rm -rf /nodewatch