I noticed a few days ago that my internal mirror of the upstream linuxcontainers.org images were no longer being updated, and images were falling behind. I mirror from rsync.i.l.c, and that’s no longer hosting an rsyncd process on 45.45.148.9.
$ telnet 45.45.148.9 873
Trying 45.45.148.9...
telnet: Unable to connect to remote host: Connection refused
Was this mirror endpoint terminated, and if so, is there a replacement for mirroring images, other than the less-than-efficient wget/lftp/rclone of the site?
Just wondering if ti was a service failure or an intentional change that didn’t get mentioned in the forums.
It’s been the ongoing target of repeated attacks which would cause rsync to hammer the disk and eventually cause a negative performance impact on other systems accessing the shared storage (the actual https://images.linuxcontainers.org frontends).
So it’s currently been firewalled off until we can figure out a way to run it where it can’t impact the rest of our users.
Owch, sorry to hear that. It’s odd that rsyncd would be the target of attacks, but I suppose if someone found an open port, they’d try to aggressively interrogate it.
Perhaps an allowlist of recognized, trusted endpoints, or locking it down via RSYNC_RSH=ssh and allowing secured connections instead of an open rsyncd?
I’m hoping my own local mirroring process (which runs only every 6 hours) wasn’t one of the remote clients implicated in the attack scope.
Using tc to throttle the bandwidth to clients connecting to the port would also help, as would fail2ban on 873 to knock the malicious mosquitos off of the service.