A large number of Netfilter warnings are received in the background, the 1.2G virtual memory of the VPS is full, only 200M of physical memory is left, the disk space is full, and I cannot send mail. When I run

cd /opt/mailcow-dockerized/
systemctl restart docker
docker-compose down
docker-compose up -d

all problems are gone. What’s the reason?

A large number of such Netfilter warnings were generated from July 5th to yesterday, and I chose to post some of them:

mailcow in-memory logs are collected in Redis lists and trimmed to LOG_LINES (10000) every minute to reduce hammering.
In-memory logs are not meant to be persistent. All applications that log in-memory, also log to the Docker daemon and therefore to the default logging driver.
The in-memory log type should be used for debugging minor issues with containers.

External logs are collected via API of the given application.

Static logs are mostly activity logs, that are not logged to the Dockerd but still need to be persistent (except for API logs).
Netfilter 1000
8/10/2020, 10:59:30 PM	warn	8 more attempts in the next 600 seconds until 172.68.174.65/32 is banned
8/10/2020, 10:59:30 PM	warn	172.68.174.65 matched rule id 4 ([72]: SOGoRootPage Login from '172.68.174.65' for user 'onj0ir4bj@dsfsferw.com' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0)
8/10/2020, 10:59:04 PM	warn	9 more attempts in the next 600 seconds until 172.68.174.65/32 is banned
8/10/2020, 10:59:04 PM	warn	172.68.174.65 matched rule id 4 ([72]: SOGoRootPage Login from '172.68.174.65' for user 'onj0ir4bj@dsfsferw.com' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0)
8/10/2020, 10:42:29 PM	warn	8 more attempts in the next 600 seconds until 172.69.34.191/32 is banned
8/10/2020, 10:42:29 PM	warn	172.69.34.191 matched rule id 6 ([72]: 172.69.34.191 "GET /SOGo/so/anonymous/Mail HTTP/1.0" 403 243/0 0.005 - - 0)
8/10/2020, 10:41:48 PM	warn	9 more attempts in the next 600 seconds until 172.69.34.191/32 is banned
8/10/2020, 10:41:48 PM	warn	172.69.34.191 matched rule id 6 ([72]: 172.69.34.191 "GET /SOGo/so/anonymous/Mail HTTP/1.0" 403 243/0 0.004 - - 0)
8/10/2020, 3:12:25 PM	info	Watching Redis channel F2B_CHANNEL
8/10/2020, 3:12:25 PM	info	Clearing all bans
8/10/2020, 6:55:32 AM	warn	9 more attempts in the next 600 seconds until 172.68.132.118/32 is banned
8/10/2020, 6:55:32 AM	warn	172.68.132.118 matched rule id 6 ([29993]: 172.68.132.118 "GET /SOGo/so/anonymous/Mail HTTP/1.0" 403 243/0 0.004 - - 0)
8/10/2020, 12:30:35 AM	warn	9 more attempts in the next 600 seconds until 162.158.62.138/32 is banned
8/10/2020, 12:30:35 AM	warn	162.158.62.138 matched rule id 6 ([29993]: 162.158.62.138 "GET /SOGo/so/anonymous/Mail HTTP/1.0" 403 243/0 0.004 - - 0)
8/9/2020, 12:08:26 PM	warn	9 more attempts in the next 600 seconds until 172.69.68.208/32 is banned
8/9/2020, 12:08:26 PM	warn	172.69.68.208 matched rule id 6 ([29993]: 172.69.68.208 "GET /SOGo/so/anonymous/Mail HTTP/1.0" 403 243/0 0.004 - - 0)
8/9/2020, 12:01:03 PM	warn	9 more attempts in the next 600 seconds until 172.69.69.11/32 is banned
8/9/2020, 12:01:03 PM	warn	172.69.69.11 matched rule id 6 ([28966]: 172.69.69.11 "GET /SOGo/so/anonymous/Mail HTTP/1.0" 403 243/0 0.046 - - -916K)
8/9/2020, 9:35:02 AM	warn	9 more attempts in the next 600 seconds until 172.68.174.135/32 is banned
8/9/2020, 9:35:02 AM	warn	172.68.174.135 matched rule id 4 ([28966]: SOGoRootPage Login from '172.68.174.135' for user 'https://drive.google.com/open?id=1nKsMOzG26RMCyUzvKP8QB_97pkBKA0JH' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0)
8/9/2020, 7:57:29 AM	warn	9 more attempts in the next 600 seconds until 172.68.174.135/32 is banned
8/9/2020, 7:57:29 AM	warn	172.68.174.135 matched rule id 4 ([29993]: SOGoRootPage Login from '172.68.174.135' for user 'rbro4n4t1@dsfsferw.com' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0)
8/9/2020, 2:02:10 AM	warn	9 more attempts in the next 600 seconds until 172.69.70.138/32 is banned
8/9/2020, 2:02:10 AM	warn	172.69.70.138 matched rule id 4 ([18174]: SOGoRootPage Login from '172.69.70.138' for user 'etkjr0ktr@dsfsferw.com' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0)
8/9/2020, 2:00:43 AM	warn	9 more attempts in the next 600 seconds until 172.69.70.234/32 is banned
8/9/2020, 2:00:43 AM	warn	172.69.70.234 matched rule id 4 ([18174]: SOGoRootPage Login from '172.69.70.234' for user 'etkjr0ktr@dsfsferw.com' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0)
8/9/2020, 1:30:51 AM	warn	9 more attempts in the next 600 seconds until 162.158.89.32/32 is banned
8/9/2020, 1:30:51 AM	warn	162.158.89.32 matched rule id 4 ([6614]: SOGoRootPage Login from '162.158.89.32' for user 'etkjr0ktr@dsfsferw.com' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0)
8/8/2020, 11:17:44 PM	warn	7 more attempts in the next 600 seconds until 162.158.106.7/32 is banned
8/8/2020, 11:17:44 PM	warn	162.158.106.7 matched rule id 6 ([18174]: 162.158.106.7 "GET /SOGo/so/anonymous/Mail HTTP/1.0" 403 243/0 0.003 - - 0)
8/8/2020, 11:17:18 PM	warn	8 more attempts in the next 600 seconds until 162.158.106.7/32 is banned
8/8/2020, 11:17:18 PM	warn	162.158.106.7 matched rule id 6 ([18174]: 162.158.106.7 "GET /SOGo/so/anonymous/Mail HTTP/1.0" 403 243/0 0.035 - - 2M)
8/8/2020, 11:17:09 PM	warn	9 more attempts in the next 600 seconds until 162.158.106.7/32 is banned
8/8/2020, 11:17:09 PM	warn	162.158.106.7 matched rule id 6 ([18174]: 162.158.106.7 "GET /SOGo/so/anonymous/Mail HTTP/1.0" 403 243/0 0.006 - - 0)
8/8/2020, 3:29:15 PM	warn	7 more attempts in the next 600 seconds until 172.69.70.138/32 is banned
8/8/2020, 3:29:15 PM	warn	172.69.70.138 matched rule id 6 ([18174]: 172.69.70.138 "GET /SOGo/so/anonymous/Mail HTTP/1.0" 403 243/0 0.004 - - 0)
8/8/2020, 3:28:51 PM	warn	8 more attempts in the next 600 seconds until 172.69.70.138/32 is banned
8/8/2020, 3:28:51 PM	warn	172.69.70.138 matched rule id 6 ([18174]: 172.69.70.138 "GET /SOGo/so/anonymous/Mail HTTP/1.0" 403 243/0 0.003 - - 0)
8/8/2020, 3:28:44 PM	warn	9 more attempts in the next 600 seconds until 172.69.70.138/32 is banned
8/8/2020, 3:28:44 PM	warn	172.69.70.138 matched rule id 6 ([18174]: 172.69.70.138 "GET /SOGo/so/anonymous/Mail HTTP/1.0" 403 243/0 0.004 - - 0)
8/8/2020, 3:28:33 PM	warn	7 more attempts in the next 600 seconds until 172.69.70.234/32 is banned
8/8/2020, 3:28:33 PM	warn	172.69.70.234 matched rule id 6 ([18174]: 172.69.70.234 "GET /SOGo/so/anonymous/Mail HTTP/1.0" 403 243/0 0.004 - - 0)
8/8/2020, 3:28:23 PM	warn	8 more attempts in the next 600 seconds until 172.69.70.234/32 is banned
8/8/2020, 3:28:23 PM	warn	172.69.70.234 matched rule id 6 ([18174]: 172.69.70.234 "GET /SOGo/so/anonymous/Mail HTTP/1.0" 403 243/0 0.004 - - 0)
8/8/2020, 3:28:15 PM	warn	9 more attempts in the next 600 seconds until 172.69.70.234/32 is banned
8/8/2020, 3:28:15 PM	warn	172.69.70.234 matched rule id 6 ([18174]: 172.69.70.234 "GET /SOGo/so/anonymous/Mail HTTP/1.0" 403 243/0 0.007 - - 0)
8/8/2020, 3:09:42 PM	warn	7 more attempts in the next 600 seconds until 172.69.68.208/32 is banned
8/8/2020, 3:09:42 PM	warn	172.69.68.208 matched rule id 6 ([29993]: 172.69.68.208 "GET /SOGo/so/anonymous/Mail HTTP/1.0" 403 243/0 0.044 - - 2M)
8/8/2020, 3:09:42 PM	warn	8 more attempts in the next 600 seconds until 172.69.68.208/32 is banned
8/8/2020, 3:09:42 PM	warn	172.69.68.208 matched rule id 6 ([30638]: 172.69.68.208 "GET /SOGo/so/anonymous/Mail HTTP/1.0" 403 243/0 0.048 - - 2M)

After restarting docker, these logs are no longer generated.
Which container is the problem? How can I solve this problem? I am a novice and need your help.
Thanks for the reply


  • diekuh

    • Community Hero
    • volunteer
    Moolevel 110

1.2 G and disk full? That does not sound like a server to run mailcow on.

The “warnings” above is the fail2ban-like implementation at work. It secures the server.
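To see from the log itself how close any address came to a ban, the Netfilter lines can be tallied per source address. This is an added example, not part of the thread or of mailcow's code; the sample lines are constructed in the layout shown in the post, and `summarize` is a hypothetical helper.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, same tab-separated layout as the Netfilter lines in the post
# (timestamp, level, message); addresses come from documentation ranges.
SAMPLE = "\n".join([
    "8/10/2020, 10:59:30 PM\twarn\t8 more attempts in the next 600 seconds until 192.0.2.10/32 is banned",
    "8/10/2020, 10:59:30 PM\twarn\t192.0.2.10 matched rule id 4 ([72]: SOGoRootPage Login from '192.0.2.10' for user 'a@example.com' might not have worked)",
    "8/10/2020, 10:59:04 PM\twarn\t9 more attempts in the next 600 seconds until 192.0.2.10/32 is banned",
    "8/10/2020, 10:59:04 PM\twarn\t192.0.2.10 matched rule id 4 ([72]: SOGoRootPage Login from '192.0.2.10' for user 'a@example.com' might not have worked)",
    "8/10/2020, 3:12:25 PM\tinfo\tClearing all bans",
    "8/10/2020, 6:55:32 AM\twarn\t9 more attempts in the next 600 seconds until 198.51.100.7/32 is banned",
    "8/10/2020, 6:55:32 AM\twarn\t198.51.100.7 matched rule id 6 ([29993]: 198.51.100.7 \"GET /SOGo/so/anonymous/Mail HTTP/1.0\" 403 243/0 0.004 - - 0)",
])

MATCHED = re.compile(r"^(?P<ip>\S+) matched rule id (?P<rule>\d+) ")
REMAINING = re.compile(r"^(?P<left>\d+) more attempts in the next \d+ seconds until (?P<ip>[^/\s]+)/\d+ is banned")
TS_FORMAT = "%m/%d/%Y, %I:%M:%S %p"

def summarize(log_text):
    """Per source address: rule hits, closest approach to a ban, first/last seen."""
    report = {}
    for line in log_text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3 or parts[1] != "warn":
            continue  # skip info lines and anything malformed
        seen = datetime.strptime(parts[0], TS_FORMAT)
        m = MATCHED.match(parts[2]) or REMAINING.match(parts[2])
        if not m:
            continue
        entry = report.setdefault(
            m["ip"], {"rules": Counter(), "min_left": None, "first": seen, "last": seen})
        entry["first"], entry["last"] = min(entry["first"], seen), max(entry["last"], seen)
        if "rule" in m.groupdict():
            entry["rules"][int(m["rule"])] += 1  # which filter rule fired
        else:
            left = int(m["left"])  # attempts remaining before the ban triggers
            entry["min_left"] = left if entry["min_left"] is None else min(entry["min_left"], left)
    return report

if __name__ == "__main__":
    for ip, e in sorted(summarize(SAMPLE).items()):
        span = (e["last"] - e["first"]).total_seconds()
        print(f"{ip}: rules={dict(e['rules'])} closest_to_ban={e['min_left']} over {span:.0f}s")
```

A `closest_to_ban` value that never reaches 0 means the address was counted but not banned within the window.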

    diekuh
    Thanks for your reply.
    It’s true, mailcow runs on BandwagonHost’s cheapest VPS, 20G disk space, 1G RAM, and I set up 1.2G of virtual memory. Everything has been working normally since June, and it has been unable to send and receive mail until these few days.
    I upgraded mailcow just now, and the domain name of the website became inaccessible after the upgrade. Only mail. domain name can be accessed, but sending and receiving mail is OK.

    Does a fail2ban-like implementation mean that the VPS has been attacked?
    Sorry for my broken English, I use Google to translate these sentences.

    • diekuh

      • Community Hero
      • volunteer
      Moolevel 110

    No need to apologize. 🙂

    1 GB is not enough. It will break eventually. You should consider upgrading the VPS. 20 G of disk space may also not be enough, that depends on the usage of the server.

      diekuh

      mailcowdockerized_rspamd-mailcow is 19.67 %
      is that too high?

      
      CONTAINER ID        NAME                                    CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O           PIDS
      85ea09393cc2        mailcowdockerized_ipv6nat-mailcow_1     0.38%               5.555MiB / 997.4MiB   0.56%               0B / 0B             586MB / 0B          10
      898bfeeb7b14        mailcowdockerized_netfilter-mailcow_1   0.02%               11.06MiB / 997.4MiB   1.11%               0B / 0B             132MB / 0B          6
      2725d0a86b46        mailcowdockerized_rspamd-mailcow_1      0.11%               196.2MiB / 997.4MiB   19.67%              524MB / 10MB        282MB / 76.9MB      6
      789605face7b        mailcowdockerized_acme-mailcow_1        0.00%               1.02MiB / 997.4MiB    0.10%               131kB / 6.68kB      2.11MB / 0B         3
      388b2cef226f        mailcowdockerized_postfix-mailcow_1     0.03%               13.53MiB / 997.4MiB   1.36%               166MB / 333MB       1.46GB / 206MB      13
      7292fd24f175        mailcowdockerized_dovecot-mailcow_1     0.07%               14.73MiB / 997.4MiB   1.48%               427MB / 245MB       3.88GB / 335MB      15
      d4e30acfe051        mailcowdockerized_nginx-mailcow_1       0.00%               3.613MiB / 997.4MiB   0.36%               342MB / 387MB       274MB / 28.7kB      4
      062a7c84007b        mailcowdockerized_php-fpm-mailcow_1     0.01%               25.54MiB / 997.4MiB   2.56%               29.3MB / 55.6MB     1.05GB / 8.19kB     10
      5507f43078cb        mailcowdockerized_mysql-mailcow_1       0.12%               20.92MiB / 997.4MiB   2.10%               134kB / 5.64kB      1.38GB / 184MB      39
      9cfcac066042        mailcowdockerized_unbound-mailcow_1     0.00%               3.961MiB / 997.4MiB   0.40%               20.2MB / 24.4MB     81.2MB / 36.9kB     1
      4daf77495253        mailcowdockerized_sogo-mailcow_1        0.12%               128.4MiB / 997.4MiB   12.87%              343MB / 591MB       3.53GB / 2.81MB     27
      f8eea3660276        mailcowdockerized_redis-mailcow_1       0.26%               12.38MiB / 997.4MiB   1.24%               163MB / 3.92GB      366MB / 1.34GB      4
      17b0e86fed9b        mailcowdockerized_olefy-mailcow_1       0.00%               1.051MiB / 997.4MiB   0.11%               139kB / 5.64kB      15.6MB / 0B         1
      6c139d6d3fbc        mailcowdockerized_solr-mailcow_1        0.00%               804KiB / 997.4MiB     0.08%               140kB / 7.33kB      3.62MB / 0B         2
      12de55919e1d        mailcowdockerized_watchdog-mailcow_1    0.00%               888KiB / 997.4MiB     0.09%               138kB / 5.71kB      5.12MB / 0B         2
      df0522c1b0b7        mailcowdockerized_dockerapi-mailcow_1   0.03%               12.05MiB / 997.4MiB   1.21%               215kB / 1.41MB      134MB / 0B          2
      a60a97b0d2fe        mailcowdockerized_memcached-mailcow_1   0.07%               1.199MiB / 997.4MiB   0.12%               5.22MB / 9.25MB     37.9MB / 0B         10
      8dca3b57c7d0        mailcowdockerized_clamd-mailcow_1       0.01%               784KiB / 997.4MiB     0.08%               187kB / 52.8kB      831kB / 0B          3
      • MAGIC

        • Forum Staff
        • volunteer
        Moolevel 48

      No, it’s not.
      SOGo, Rspamd + Solr (if used) are the containers with the biggest RAM usage.
