AGILIT
Nov 15, 2015, Aspirant
System volume 'root' usage is 100 % and system is now inactive
My RN102 started to become unresponsive. I went to the logs and found the dreaded 'System volume 'root' usage is 100%' message and noticed that it had been occurring with increasing frequency. At t...
AGILIT
Nov 15, 2015, Aspirant
OK: looks like I was able to fix it.
Further research showed that the btmp records failed attempts to login to the system. I ran the command
last -f /var/log/btmp
and got a stream of messages like this:
root ssh:notty 43.229.53.59 Tue Oct 20 00:34 - 00:34 (00:00)
root ssh:notty 43.229.53.59 Tue Oct 20 00:34 - 00:34 (00:00)
root ssh:notty 43.229.53.59 Tue Oct 20 00:34 - 00:34 (00:00)
root ssh:notty 43.229.53.59 Tue Oct 20 00:34 - 00:34 (00:00)
root ssh:notty 43.229.53.59 Tue Oct 20 00:34 - 00:34 (00:00)
root ssh:notty 43.229.53.59 Tue Oct 20 00:34 - 00:34 (00:00)
root ssh:notty 43.229.53.59 Tue Oct 20 00:34 - 00:34 (00:00)
root ssh:notty 43.229.53.59 Tue Oct 20 00:34 - 00:34 (00:00)
root ssh:notty 43.229.53.59 Tue Oct 20 00:34 - 00:34 (00:00)
root ssh:notty 43.229.53.59 Tue Oct 20 00:34 - 00:34 (00:00)
root ssh:notty 43.229.53.59 Tue Oct 20 00:34 - 00:34 (00:00)
So it looks like someone was trying to brute force connect to my system.
I ran the command:
sudo > /var/log/btmp
and that cleared it out. I have access to my system now.
Now the challenge will be to figure out how to better protect my system. Maybe I'll just turn off remote access.
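As an added illustration (not part of the original post), the script below parses lines in the format that `last -f /var/log/btmp` prints, counts failed attempts per source address and per user, and flags addresses above a threshold so a scan like the one above stands out. The sample lines are constructed: the 43.229.53.59 address is the one shown above, while the 192.168.1.50 entry, the `admin` user and the threshold of 3 are assumptions.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample in the format printed by `last -f /var/log/btmp`.
# The real btmp file is binary; only the text output of `last` is parsed here.
SAMPLE_BTMP = """\
root     ssh:notty    43.229.53.59     Tue Oct 20 00:34 - 00:34  (00:00)
root     ssh:notty    43.229.53.59     Tue Oct 20 00:34 - 00:34  (00:00)
root     ssh:notty    43.229.53.59     Tue Oct 20 00:35 - 00:35  (00:00)
admin    ssh:notty    43.229.53.59     Tue Oct 20 00:35 - 00:35  (00:00)
root     ssh:notty    192.168.1.50     Tue Oct 20 08:10 - 08:10  (00:00)

btmp begins Tue Oct 20 00:34:01 2015
"""

# user, tty, dotted-quad source, timestamp text, then the "(duration)" field.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(.*?)\s+\(")


def parse_last_output(text):
    """Yield (user, tty, source_ip) for each failed-login line.

    Blank lines and the trailing 'btmp begins ...' footer do not match
    the pattern and are skipped.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def summarize(text, threshold=3):
    """Return (attempts_per_ip, users_tried_per_ip, flagged_ips).

    An address is flagged once it reaches `threshold` failed attempts
    (assumed value; tune it to the host's normal traffic).
    """
    per_ip = Counter()
    users = defaultdict(set)
    for user, _tty, ip in parse_last_output(text):
        per_ip[ip] += 1
        users[ip].add(user)
    flagged = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return per_ip, users, flagged


if __name__ == "__main__":
    # Pipe real output in: last -f /var/log/btmp | python3 btmp_report.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BTMP
    per_ip, users, flagged = summarize(text)
    for ip in sorted(per_ip, key=per_ip.get, reverse=True):
        mark = "  <-- brute-force candidate" if ip in flagged else ""
        print(f"{ip:15} {per_ip[ip]:5} attempts, users {sorted(users[ip])}{mark}")
```

On the sample data the 43.229.53.59 address is reported with 4 attempts against two user names and is flagged, while the single local entry is not.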
- mdgm-ntgr, Nov 15, 2015, NETGEAR Employee Retired
Best not to port forward SSH if you don't need to access SSH remotely or can set up, e.g., a VPN.
- dsm1212, Nov 15, 2015, Apprentice
Or if you need remote access, read up on and set up knockd. Everyone will be quick to tell you that it's not that much higher security if someone really wants to try to get into your system, but most of the attacks are based on scans that are not directly focused on your system, so if they don't get responses they go away. I just checked and I've actually not seen a single false login in the past 3 months with this setup (that's all the longer my log goes back). Basically you are only enabling traffic to sshd for nodes that send the knock sequence.
steve