Real case of DOS Alert / High memory usage! Traccar server Linux 5.6

Fabiano Gastaldi, 2 years ago

Hello all,

I have a Linux Traccar server with a small config (20 devices), and in one of my checks I saw high memory usage (3Gb RAM); usually the memory usage is about 1Gb<->2 Gb.

1) free -m
              total        used        free      shared  buff/cache   available
Mem:           7944        3475        4241           5         227        4235
Swap:             0           0           0

So I restart the Traccar service (command in my Linux distribution):
2) service traccar restart

And the memory goes to:

              total        used        free      shared  buff/cache   available
Mem:           7944         694        7109           5         140        7043
Swap:             0           0           0

3) A small part of the log file:
2023-06-17 18:15:07  WARN: DOS ALERT: Request delayed=100ms, ip=177.51.82.132, overlimit=OverLimit@6e709884[type=AUTH, id=5, duration=PT0.674023938S, count=25], session=node0j1si4y11v1tfpf7iq3lp3aix3317.node0, user=null
2023-06-17 18:15:07  WARN: DOS ALERT: Request delayed=100ms, ip=177.51.82.132, overlimit=OverLimit@70dd3d50[type=AUTH, id=5, duration=PT0.651047363S, count=25], session=node0j1si4y11v1tfpf7iq3lp3aix3317.node0, user=null
2023-06-17 18:15:07  WARN: DOS ALERT: Request delayed=100ms, ip=177.51.82.132, overlimit=OverLimit@6f4539d3[type=AUTH, id=5, duration=PT0.650844675S, count=25], session=node0j1si4y11v1tfpf7iq3lp3aix3317.node0, user=null
2023-06-17 18:15:07  WARN: DOS ALERT: Request delayed=100ms, ip=177.51.82.132, overlimit=OverLimit@62ec4f06[type=AUTH, id=5, duration=PT0.647447708S, count=25], session=node0j1si4y11v1tfpf7iq3lp3aix3317.node0, user=null
2023-06-17 18:15:07  WARN: DOS ALERT: Request delayed=100ms, ip=177.51.82.132, overlimit=OverLimit@666b02c8[type=AUTH, id=5, duration=PT0.647381373S, count=25], session=node0j1si4y11v1tfpf7iq3lp3aix3317.node0, user=null
2023-06-17 18:15:07  WARN: DOS ALERT: Request delayed=100ms, ip=177.51.82.132, overlimit=OverLimit@e23e43[type=AUTH, id=5, duration=PT0.632356714S, count=25], session=node0j1si4y11v1tfpf7iq3lp3aix3317.node0, user=null
2023-06-17 18:15:07  WARN: DOS ALERT: Request delayed=100ms, ip=177.51.82.132, overlimit=OverLimit@eede936[type=AUTH, id=5, duration=PT0.566739197S, count=25], session=node0j1si4y11v1tfpf7iq3lp3aix3317.node0, user=null
2023-06-17 18:15:07  WARN: DOS ALERT: Request delayed=100ms, ip=177.51.82.132, overlimit=OverLimit@36f050c2[type=AUTH, id=5, duration=PT0.632347285S, count=25], session=node0j1si4y11v1tfpf7iq3lp3aix3317.node0, user=null
2023-06-17 18:15:07  WARN: DOS ALERT: Request delayed=100ms, ip=177.51.82.132, overlimit=OverLimit@18a491fb[type=AUTH, id=5, duration=PT0.554206847S, count=25], session=node0j1si4y11v1tfpf7iq3lp3aix3317.node0, user=null
2023-06-17 18:15:07  WARN: DOS ALERT: Request delayed=100ms, ip=177.51.82.132, overlimit=OverLimit@6bdbf2d3[type=AUTH, id=5, duration=PT0.553540043S, count=25], session=node0j1si4y11v1tfpf7iq3lp3aix3317.node0, user=null
2023-06-17 18:15:07  WARN: DOS ALERT: Request delayed=100ms, ip=177.51.82.132, overlimit=OverLimit@651f2f12[type=AUTH, id=5, duration=PT0.552294759S, count=25], session=node0j1si4y11v1tfpf7iq3lp3aix3317.node0, user=null
2023-06-17 18:15:07  WARN: DOS ALERT: Request delayed=100ms, ip=177.51.82.132, overlimit=OverLimit@7c02d909[type=AUTH, id=5, duration=PT0.552455369S, count=25], session=node0j1si4y11v1tfpf7iq3lp3aix3317.node0, user=null
2023-06-17 18:15:07  WARN: DOS ALERT: Request delayed=100ms, ip=177.51.82.132, overlimit=OverLimit@62202fe8[type=AUTH, id=5, duration=PT0.550561576S, count=25], session=node0j1si4y11v1tfpf7iq3lp3aix3317.node0, user=null
2023-06-17 18:15:07  WARN: DOS ALERT: Request delayed=100ms, ip=177.51.82.132, overlimit=OverLimit@42a0b6ac[type=AUTH, id=5, duration=PT0.52469007S, count=25], session=node0j1si4y11v1tfpf7iq3lp3aix3317.node0, user=null
2023-06-17 18:15:07  WARN: DOS ALERT: Request delayed=100ms, ip=177.51.87.69, overlimit=OverLimit@7b0eb941[type=AUTH, id=5, duration=PT0.525475175S, count=25], session=node0j1si4y11v1tfpf7iq3lp3aix3317.node0, user=null
2023-06-17 18:15:07  WARN: DOS ALERT: Request delayed=100ms, ip=177.51.87.69, overlimit=OverLimit@78f5c9c0[type=AUTH, id=5, duration=PT0.524200978S, count=25], session=node0j1si4y11v1tfpf7iq3lp3aix3317.node0, user=null
2023-06-17 18:15:07  WARN: DOS ALERT: Request delayed=100ms, ip=177.51.87.69, overlimit=OverLimit@6343bd10[type=AUTH, id=5, duration=PT0.525153835S, count=25], session=node0j1si4y11v1tfpf7iq3lp3aix3317.node0, user=null
2023-06-17 18:15:07  WARN: DOS ALERT: Request delayed=100ms, ip=177.51.87.69, overlimit=OverLimit@78e13da7[type=AUTH, id=5, duration=PT0.525029704S, count=25], session=node0j1si4y11v1tfpf7iq3lp3aix3317.node0, user=null
2023-06-17 18:15:07  WARN: DOS ALERT: Request delayed=100ms, ip=177.51.87.69, overlimit=OverLimit@3c06d8e1[type=AUTH, id=5, duration=PT0.518785053S, count=25], session=node0j1si4y11v1tfpf7iq3lp3aix3317.node0, user=null
2023-06-17 18:15:09  WARN: DOS ALERT: Request delayed=100ms, ip=177.51.82.132, overlimit=OverLimit@e198ada[type=AUTH, id=5, duration=PT0.175854152S, count=25], session=node0j1si4y11v1tfpf7iq3lp3aix3317.node0, user=null
2023-06-17 18:15:09  WARN: DOS ALERT: Request delayed=100ms, ip=177.51.82.132, overlimit=OverLimit@363e852c[type=AUTH, id=5, duration=PT0.130028259S, count=25], session=node0j1si4y11v1tfpf7iq3lp3aix3317.node0, user=null
2023-06-17 18:15:09  WARN: DOS ALERT: Request delayed=100ms, ip=177.51.82.132, overlimit=OverLimit@4d88d822[type=AUTH, id=5, duratio
.....

Many, many lines! This is a real DOS attack attempt!

I will create a fail2ban regex to block these attempts soon!
Sorry for my English, my natural language is Portuguese_BR.

Any comments, or the same issue?

Fabiano.

Mega Box Brasil, a year ago

Hey Fabiano!

Did you manage to solve the problem? Or find out what it is?

I'm going through the same thing...

Hey, all good! Yes, I solved it! I created an intrusion detection rule that analyzes the Traccar logs and blocks the IP when the log entries appear in sequence, using fail2ban. It is basically the same one I posted here to block IPs that attempt invalid logins on the web interface: https://www.traccar.org/forums/topic/web-login-fail2ban-jail-working/
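
A sketch of the detection the thread describes, as an added example (not the poster's fail2ban rule, which is not shown on this page): a regex anchored to the DOS ALERT line format from the log excerpt, plus a per-IP sliding-window count that mirrors fail2ban's `maxretry`/`findtime` options. The threshold values, the function and helper names, and the sample lines (documentation-range IPs) are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored at line start so "ip=" text appearing later in a line (session,
# user fields) cannot be mistaken for the source address. The named group
# "host" plays the role of fail2ban's <HOST> tag.
DOS_ALERT = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+WARN: DOS ALERT: "
    r"Request delayed=\d+ms, ip=(?P<host>\d{1,3}(?:\.\d{1,3}){3}),"
)

def ips_to_ban(lines, maxretry=10, findtime=timedelta(seconds=60)):
    """Return IPs with >= maxretry alerts inside a findtime window, in order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = []
    for line in lines:
        m = DOS_ALERT.match(line)
        if not m:
            continue              # unrelated log lines never count
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["host"]]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # drop alerts older than the window
        if len(window) >= maxretry and m["host"] not in banned:
            banned.append(m["host"])
    return banned

def _line(ts, ip):
    # Constructed line in the same layout as the excerpt in the post.
    return (f"{ts}  WARN: DOS ALERT: Request delayed=100ms, ip={ip}, "
            "overlimit=OverLimit@0[type=AUTH, id=5, duration=PT0.5S, "
            "count=25], session=node0example.node0, user=null")

# Constructed sample: one burst, one low-volume source, one slow source
# (an alert per minute), and a non-alert line that mentions an IP.
SAMPLE = (
    [_line("2023-06-17 18:15:07", "203.0.113.10")] * 12
    + [_line("2023-06-17 18:15:07", "198.51.100.7")] * 3
    + [_line(f"2023-06-17 18:{m:02d}:00", "192.0.2.44") for m in range(10, 22)]
    + ["2023-06-17 18:15:10  INFO: note ip=203.0.113.50, DOS ALERT"]
)

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE))
```

In a real fail2ban filter the same pattern would go in `failregex` with `<HOST>` in place of the named group, and the threshold and window would be set in the jail.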