Once I updated my CentOS VPS to the latest nginx and kernel, the server weirdly disabled connections on 443 and 80.
Using Wireshark, I found multiple connections to my SOCKS server on 1082 from multiple IPs; it seems to be getting scanned and SYN attacked.
69 1.379581 104.149.139.86 82.102.27.93 TCP 54 1082 → 42168 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
122 2.078443 104.149.139.86 185.174.159.18 TCP 54 1082 → 57925 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
763 13.859168 104.149.139.86 185.174.159.18 TCP 54 1082 → 52535 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1412 23.098894 82.102.27.93 104.149.139.86 TCP 74 SuperMic_42:b7:48
198 5.122016 104.149.139.86 212.109.221.254 TCP 54 JuniperN_bb:05:01
1352 29.871004 99.84.252.117 104.149.139.86 TLSv1.3 212 SuperMic_42:b7:48
I realized that the open files for accept4 are limited by ulimit -n, the maximum number of files open in parallel, which also limits the accept4 syscall. It was reset by the kernel updates. Some nginx file upload limits may also be an outcome of this. After setting it to 65534, no 443 and 80 hijacks will be enforced.
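An added example (not part of the original post): a shell check that reads the open-file limit each running nginx process actually has from /proc/<pid>/limits and compares it with the number of descriptors it holds. The function names and the 80% warning threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Function names and WARN_PCT are assumptions chosen for illustration.
WARN_PCT=80

# Print the soft "Max open files" limit from a /proc/<pid>/limits-style file.
# Exits non-zero if the file has no such row.
nofile_soft() {
    awk '/^Max open files/ { print $4; found = 1 } END { exit !found }' "$1"
}

# Print "used soft pct" for a process directory such as /proc/1234.
fd_usage() {
    soft=$(nofile_soft "$1/limits") || return 1
    # One entry in fd/ per open descriptor (sockets from accept4 included).
    used=$(( $(ls -A "$1/fd" | wc -l) ))
    if [ "$soft" = "unlimited" ]; then
        echo "$used unlimited 0"
    else
        echo "$used $soft $(( used * 100 / soft ))"
    fi
}

# Report every running process with the given name (default: nginx).
# Run as root to read the fd directories of other users' processes.
check_procs() {
    for pid in $(pgrep -x "${1:-nginx}" 2>/dev/null); do
        usage=$(fd_usage "/proc/$pid" 2>/dev/null) || continue
        pct=${usage##* }
        state="ok"
        if [ "$pct" -ge "$WARN_PCT" ]; then
            state="NEAR LIMIT"
        fi
        echo "pid=$pid used/soft/pct=$usage $state"
    done
}

check_procs nginx
```

The value printed is the limit in force for the running worker, which can differ from what `ulimit -n` shows in a login shell when the service is started by an init system.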