VyOS 1.3-rolling-202005130117 strange memory usage; in 2020001311637 never had this problem

Hello guys,

I've got a problem and I don't understand why. I've got 1 router with VyOS 1.3 2020001311637 and another one with VyOS 1.3 202005130117 (backup), so we put the backup router with VyOS online and turned VyOS 1.3 2020001311637 off to use the new server.

VyOS 202005130117 - The problem is it completely eats the RAM. First I had 8GB on it, so I added another 4, 12 total, and it is totally strange: our RAM usage on the old one was stable at 4-5GB, not more; on the new one it stays 1 min at 4-5GB, 1 min at 12GB :expressionless: and it just goes like this over and over again.

The routers have the same configurations etc.; only the VyOS version is different.

On the old one I never had this problem; it was always oscillating between 4-5GB.

Oh, and on the new one, sometimes when the RAM gets full it just kills my SSH process and on the screen it shows out of memory etc.

Does anyone have any idea regarding this? Add more RAM? How much?

Thank you

You’d be better off to try and understand what’s using all the memory.
What does top show?

As per this post it might be helpful to capture all the files in /var/log/atop

I have no idea of the config on your router, or its average memory load though, maybe you DO need more RAM? I doubt it though if it’s been stable with this amount previously.

4GB seems crazy, I run 1.3.x on AWS with 512MB memory and ~300MB remains free

We got 2 mil tables, multiple providers, metro and international.

From what I see now all is OK. I found the problem: SSH brute force on the router. When the usage is OK there are only 2 SSH processes; when the usage gets crazy it has 10-15 SSH processes and RAM usage of 10% each.

So I restricted SSH and I see all is OK. I have to read and search for some good firewall rules for the entire network, even to blacklist spam IPs, cuz it is completely crazy, getting way too many spam mails; like before, we had MikroTik and used spam lists etc.

Great you found the issue.

Would you share what you did for your IP blocking?

Well, for SSH I just restricted it at the moment to an IP cuz it was on 0.0.0.0.

If you mean the “firewall etc.”, I will make a new topic with our firewall stuff we made, because I have a problem there, so I don't want to write here about it.

Keep an eye on the community; tomorrow I will try to make the topic regarding the firewall. Maybe it will help other people or even me.

Sounds good.

I also run a block list of “hot” IPs using these approaches.

https://www.cron.dk/firewalling-by-country-on-edgerouter/


Per the vyos documentation at https://docs.vyos.io/en/latest/quick-start.html you could set up a firewall rule to defeat brute force attacks. Example code is:

These rules allow SSH traffic and rate limit it to 4 requests per minute. This blocks brute-forcing attempts:

set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'

set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'

I have found that just running ssh on another port like 5555 or whatever, instead of 22, essentially ends any brute force attacks on my router.


We don't use the default SSH port, but I don't understand why we get plenty of this stuff, and when I mean plenty it is lots and lots:

Jun 02 12:13:28 vyos sshd[27324]: Disconnected from authenticating user root 190.145.5.170 port 40084 [preauth]
Jun 02 12:13:28 vyos sshd[27326]: Failed password for root from 106.13.198.131 port 51684 ssh2
Jun 02 12:13:29 vyos sshd[27326]: Received disconnect from 106.13.198.131 port 51684:11: Bye Bye [preauth]
Jun 02 12:13:29 vyos sshd[27326]: Disconnected from authenticating user root 106.13.198.131 port 51684 [preauth]
Jun 02 12:13:33 vyos sshd[27328]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=106.13.228.13 user=root
Jun 02 12:13:35 vyos sshd[27328]: Failed password for root from 106.13.228.13 port 44426 ssh2

Are you running ssh on another port that is known to be used for ssh as well? I run mine in port 5xx and I get no attempted logins that aren’t me. Odd.

I’d think the attempt limiting firewall setup from above would be your best option if you want to allow ssh from all sources. You could even reduce the number of allowed tries.

I use 2xxx. I will add the SSH rules to see if that will do the trick.

Very curious to hear the results. I’d expect this would reduce your issues but real life differs from text book sometimes.
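An added example, not part of the thread or of the VyOS documentation: a Python check that applies the same thresholds as the rate-limit rule quoted above (4 hits in 60 seconds) to sshd log lines in the format posted earlier, to show which source addresses would exceed them. The log sample is constructed with documentation-range addresses, the names `find_bruteforce` and `year` are assumptions, and it counts failed passwords per source, whereas the firewall rule counts new TCP connections.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the same format as the sshd lines quoted in the thread;
# the addresses come from documentation ranges, not from the thread.
SAMPLE_LOG = """\
Jun 02 12:13:01 vyos sshd[27301]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jun 02 12:13:05 vyos sshd[27302]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Jun 02 12:13:06 vyos sshd[27302]: Disconnected from invalid user admin 203.0.113.7 port 40002 [preauth]
Jun 02 12:13:20 vyos sshd[27303]: Failed password for root from 198.51.100.9 port 51000 ssh2
Jun 02 12:13:28 vyos sshd[27304]: Failed password for root from 203.0.113.7 port 40003 ssh2
Jun 02 12:13:40 vyos sshd[27305]: Failed password for root from 203.0.113.7 port 40004 ssh2
Jun 02 12:14:30 vyos sshd[27306]: Failed password for root from 198.51.100.9 port 51001 ssh2
Jun 02 12:15:40 vyos sshd[27307]: Failed password for root from 198.51.100.9 port 51002 ssh2
Jun 02 12:16:50 vyos sshd[27308]: Failed password for root from 198.51.100.9 port 51003 ssh2
"""

# Only "Failed password" lines are counted; disconnect and PAM lines are ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_bruteforce(log_text, count=4, window=60, year=2020):
    """Map each offending IP to the time its `count`-th failure landed within `window` seconds."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the sliding window
    flagged = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > window:
            hits.popleft()        # drop failures older than the window
        if len(hits) >= count and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

if __name__ == "__main__":
    for ip, ts in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold at {ts}")
```

The slow source (one failure every 70 seconds) stays under the threshold, which is the kind of traffic a `recent count`/`recent time` rule does not stop on its own.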
