Changelog

August 5, 2021: Version 4.02

Better support for UUID-based VE IDs (on OpenVZ 7)
Whitelists did not work properly with UUID-based VE IDs
Better handling of a situation when the remote configuration file is unavailable

August 11, 2020: Version 4.00

Initial support for OpenVZ 7 / 3.10 kernel
*** Send Feedback on OpenVZ 7 to feedback [at] vpsantiabuse.com ***
Better handling of ipv6 addresses
Minor fixes, code cleanup
Updated installer to better handle errors

February 16, 2018: Version 3.90

New configuration option to count only inbound packets 'limit_packets_ignore_egress'; refer to manual for details
Added a few new trojan signatures to process monitoring daemon
A few minor fixes

March 30, 2016: Version 3.80

SSL support: Nodewatch can now fetch configuration files, update nodewatch-web, and communicate with SolusVM Master over HTTPS.
Added additional option $solusvm_master_port to specify SolusVM Master port (defaults to 5656). Specifying ports other than 80 and 5353 will result in Nodewatch sending requests over HTTPS.
Bugfix: with SMS alerts activated, Nodewatch was using our servers to send e-mail alerts in addition to SMS. Now e-mails will be sent directly from the machine running Nodewatch using standard mail routines.
Bugfix: nodewatch-web update script could freeze when sending data over an unstable connection
A few other (minor) fixes and optimizations

August 18, 2015: Version 3.70

New feature: IPv6 support
Bugfix: Nodewatch did not always properly specify flood direction (in or out) in email alerts; now, when the direction cannot be reliably determined, Nodewatch will not guess and will send an alert without specifying the direction.

February 19, 2015: Version 3.60

New feature: Nodewatch can now also track connections in "UNREPLIED" state (a sign of a portscan or a DoS attack)
Bugfix: Nodewatch did not properly detect IPv4 addresses of a VPS when it had an IPv6 subnet assigned to it
Bugfix: In some rare cases Nodewatch attempted to suspend the same VPS twice (minor)
Bugfix: On IPv6-only nodes Nodewatch was filling logs with warning messages
Improved detection of malware processes (added more process names)

August 28, 2014: Version 3.50

Bugfix: in some cases Nodewatch could not reliably parse a remote configuration file containing comments
New feature: whitelist for packet counts

August 21, 2014: Version 3.40

New feature: centralized configuration
New feature: detection of malware processes
Option to disable alerts for whitelisted VPS
New configuration option to count only outbound data transfers 'limit_packets_ignore_ingress', refer to manual for details
Further code optimizations, CPU usage reduced by 50%
Bugfix: Nodewatch ignored ssh whitelist in certain scenarios
Bugfix: Multiple suspension notifications for the same event

April 24, 2014: Version 3.30

Email notifications now contain evidence of abuse: list of processes running on VPS as well as up to 300 lines from conntrack table
Full VPS conntrack table is now saved under /var/log/nodewatch for each alert or suspension event for further abuse investigation
Added TCP ports 465 and 587 to the list of tracked SMTP sessions
Fixed SSH connection false positives (triggered under certain types of incoming brute-force attacks)
Improved VPS shutdown algorithm to better deal with DoS attacks and locked/stuck containers
Default conntrack limits raised from 20k to 30k for alerts and from 45k to 55k for suspensions
Further code optimizations - CPU load is reduced by 20-50% on busy servers
New configuration option: Test mode (disables all suspensions)

February 4, 2014: Version 3.20

Added conntrack session limits (prevents certain types of IN and OUT DoS attacks)
Added CPU usage monitoring, this helps find CPU abusers (ported from KiwiVM, will not work on old 2.6.18 kernels)
Nodewatch-web script must be updated before it can display statistics produced by this version of Nodewatch
Sorting is now available in Nodewatch-web
Whitelists are now reloaded automatically upon modification without the need to restart Nodewatch
Memory usage optimizations (up to 60% reduction in memory usage)

January 16, 2014: Version 3.01

One more fix to address very rare false DoS alerts upon VPS restart
Added an option to specify From: field in outgoing e-mail alerts

October 29, 2013: Version 3.00

SolusVM integration: Upon VPS suspension, Nodewatch will now make a SolusVM "Suspend" API call for better suspension accounting
Fixed another cause of false DoS alarms
Nodewatch now correctly handles VPS with ipv6 addresses assigned to them (for now it will discard ipv6 addresses and will only monitor ipv4)
Nodewatch will not send an email on every restart anymore. Instead, these events will now be logged into /var/log/nodewatch.log
License data is now cached in a local file, so Nodewatch will not depend on our licensing server anymore

August 25, 2013: Version 2.12

Nodewatch-web daemon did not properly format HTML headers which resulted in 400 Bad Request errors with lighttpd web servers

May 10, 2013: Version 2.10

*** To update to this version from any previous version, please run update.sh twice
Bugfix: when there is a network outage, nodewatch could spawn more than one daemon, which could lead to false positives
Reworked update script so that it is not necessary to run it twice in the future releases

May 9, 2013: Version 2.00

*** To update to this version from any previous version, please run update.sh twice
Introducing Nodewatch-Web (centralized nodewatch monitoring script)
Fixed several issues that led to rare DoS warnings being sent (one of the issues was actually caused by a kernel bug; a workaround was implemented)
Format of e-mail notifications has changed: all relevant information has moved to subject
It is now possible to disable root password scanning daemon; just add $disable_nodewatch_passwords = true; to the configuration file
SSH brute-force detector will now disregard SSH connections from a VPS to its own IP addresses
Further code optimizations
Nodewatch will now check for new versions on start and will send an email when a newer version is available

April 23, 2013: Version 1.50

When deployed on a fresh node without any VPS running, Nodewatch was failing with an error
Significant optimizations for better memory footprint and CPU usage for nodewatch itself
Nodewatch sometimes restarted by itself on nodes with more than 230 VPS
Further reduced false-positives by watching VPS restarts more closely
Further reduced the time needed to shut down an abusive VPS to about 2-5 seconds

March 1, 2013: Version 1.40

Columns are now sorted by SMTP sessions and then by packet count
Significantly reduced required screen width (removed unnecessary information)
IP address of abusing VPS is now added to the notification
Other cosmetic fixes

January 13, 2013: Version 1.30

Fixed a very rare DoS false positive on VPS restart (this issue only affected alerts, there was no VPS suspension when this bug was triggered)
Fixed a bug where some e-mail alerts were not sent when SMS alerts were disabled
Made SMS and email alerts clearer about what action was taken on a VPS
Added support for multiple cell phones for SMS notifications (separate by a comma)

December 27, 2012: Version 1.27

Small cosmetic changes

June 17, 2012: Version 1.26

New feature: weak root password tracking (will change weak root password automatically and notify the user)

April 22, 2012: Version 1.25

Small cosmetic fixes
Nodewatch crashed on 2.6.32 kernels under very rare conditions (not affecting the node in any way).

April 15, 2012: Version 1.24

Made SMS alerts more informative
Added 2.6.32 kernel support
Stats display reworked again to be more informative

February 2, 2012: Version 1.23

New feature: SMS alerts

November 28, 2011: Version 1.22

I/O accounting now accounts for all dirty writes + all reads
Suspension algorithm adapted for instant suspension of VPS that send out or receive a DoS attack
Cosmetic fixes in statistics

August 7, 2011: Version 1.21

New feature: override all thresholds in the configuration file
VPS missing an IP address will now trigger an email notification

March 30, 2011: Version 1.20

Configuration moved to an external config file
Added a separate configuration variable to disable sms alerts
Changed suspension algorithm for more reliable suspension of spamming VPS
Fixed a memory leak

January 15, 2011: Version 1.19

New feature: Automatic VPS suspension when outgoing SSH brute force detected
New feature: whitelists for SSH brute force detection
Email alerts are now more informative
Reduced memory usage

September 4, 2010: Version 1.18

New feature: SSH connection tracking and notification (outgoing SSH brute force detection)
Cosmetic fixes in statistics

August 11, 2010: Version 1.17

Added basic logging to /var/log/nodewatch.log
Significantly reduced CPU load on the node

June 29, 2010: Version 1.15

I/O automatic throttling disabled, however, I/O monitoring will remain in nodewatch.
Fixed a bug where Nodewatch did not properly calculate VPS I/O usage when the node is overloaded/slow
Nodewatch will now auto restart once a day

June 2, 2010: Version 1.14

New feature: automatic I/O throttling and unthrottling via vzctl set VEID --cpulimit 1 (dirty but works)

February 28, 2010: Version 1.11

Added additional checks to cron script to prevent launching two copies of Nodewatch simultaneously
New feature: I/O monitoring, to find I/O abusers
Added email notifications upon Nodewatch (re)start

February 12, 2010: Version 1.08

New feature: DoS detection (pps thresholds)

December 5, 2009: Version 1.01

New feature: Automatic VPS suspension when spamming is detected, in addition to notification
It is now possible to set an interval during which Nodewatch will not send repeat alerts; default is 5 min
New feature: whitelists for spam detection

November 20, 2009: Version 1.00

Initial release
2.6.18 kernel support
Outgoing SMTP connection tracking and notification (spam detection)