Friday, September 30, 2016

Do I need to protect chronyd against DDoS attacks, the same as ntpd?


Nope.

For ntp.conf, restrict default kod nomodify notrap nopeer noquery [..] was used. This is not required for chrony. chronyd listens for commands only on the loopback interface and it functions only as an NTP client by default. All NTP requests are ignored. With chrony-2.1.1 the NTP port 123 is not even open and packets sent to that port won't reach chronyd.
If chronyd is expected to work also as an NTP server, it is required to add an allow directive to the config.
The kod restrict option in ntp.conf does nothing unless the limited option, which enables rate limiting, is specified too. When kod and limited are used together, ntpd as a server will reply with a KoD packet to clients that are sending too many requests, telling them to back off. Unfortunately, clients that do this generally don't understand the KoD reply, so it actually can make things worse and it's better to leave it disabled. chronyd as a server doesn't support rate limiting or KoD. As clients, both ntpd and chronyd support KoD; this is always enabled.
As a general NTP recommendation, it would be good to add a third server to the config, so if one of the servers goes nuts, the other two can outvote it.

from here: https://access.redhat.com/solutions/1977523
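To make the server-side point concrete, here is an added chrony.conf fragment (not from the Red Hat article) for a host that is supposed to serve time to one internal network. The upstream server names and the 192.0.2.0/24 network are constructed placeholders; the directives themselves (server, allow, bindcmdaddress) are standard chrony.conf syntax.

```conf
# Added example chrony.conf for a host that serves time to one subnet.
# Not taken from the Red Hat article; server names and the 192.0.2.0/24
# network are constructed placeholders.

# Three upstream sources, so that a single misbehaving clock is outvoted.
server ntp1.example.net iburst
server ntp2.example.net iburst
server ntp3.example.net iburst

# Without any 'allow' line chronyd answers no NTP client requests at all
# (client-only mode, as described above). This line opens NTP service to
# the named network only; everything else stays denied.
allow 192.0.2.0/24

# Keep the command (chronyc) port on loopback, which is the default.
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
```

After restarting chronyd, `chronyc sources -v` shows the three upstream servers and `ss -uln` shows whether UDP port 123 is now bound; on a client-only configuration without an allow directive it should not be.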

Friday, September 9, 2016

dynamic log error discovery using logstash and statsd

logstash configuration using statsd output filter
this took a while to put together, getting the syntax tuned up.
you probably don't need the curly braces on the match statements, but it makes this config backwards compatible with logstash < 1.5

fyr: the routing key will look like:
 "statsd.logstash.`hostname`.appperf.abc.errors.appmodules.ModuleNameFromLog.count"
 "statsd.logstash.`hostname`.appperf.abc.errors.appmodules.ModuleNameFromLog.rate"


## /etc/logstash/conf.d/19-abclog2statsd.conf 

input {
  file {
    path => "/opt/abcapp/tomcat/logs/ABC.log"
  }

}

filter {
  grok {
    # Both patterns in one match: grok tries them in order. The first one
    # handles the two-space separator between ERROR and the module name,
    # the second the single-space form. Defining "match" twice would just
    # make the second definition replace the first.
    match => { "message" => [
      "%{DATE:date} %{TIME:time} ERROR  %{WORD:unknown_module}%{GREEDYDATA:message}",
      "%{DATE:date} %{TIME:time} ERROR %{WORD:unknown_module}%{GREEDYDATA:message}"
    ] }
    # Replace the original message with the captured remainder; without
    # this, grok appends to the existing field and "message" becomes an array.
    overwrite => [ "message" ]
  }

}

output {
  # Only events where grok extracted a module name are counted.
  if [unknown_module] =~ /.+/ {
    statsd {
      host => "10.101.25.137"
      # statsd prepends namespace ("logstash") and sender (hostname),
      # giving the logstash.<hostname>.appperf.abc.errors.appmodules.<module>
      # key described above.
      count => { 
                "appperf.abc.errors.appmodules.%{unknown_module}" => "1"
      }
    }
  }
}
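The following Python script is an added example, not part of the original post or of Logstash, that re-implements the pipeline's logic end to end so the resulting metric names can be checked offline: it matches log lines with a regex equivalent of the grok pattern, builds the metric name the statsd output would send (namespace "logstash", then the sender hostname, then the count key), and formats the statsd UDP counter payload. The regexes are simplified stand-ins for the stock grok DATE, TIME, WORD and GREEDYDATA definitions, and a single pattern with `ERROR +` covers both the one-space and two-space variants that the config lists separately. The log lines and the hostname web01 are constructed. The leading `statsd.` and trailing `.count`/`.rate` seen in the routing key above are added later by the statsd server's Graphite backend, so they do not appear here.

```python
import re
import socket
from collections import Counter

# Simplified equivalents of the grok patterns used in the Logstash filter
# (assumption: these approximate the stock DATE/TIME/WORD/GREEDYDATA definitions).
DATE = r"(?P<date>\d{1,2}[/.-]\d{1,2}[/.-](?:\d{4}|\d{2}))"
TIME = r"(?P<time>(?:[01]?\d|2[0-3]):[0-5]\d(?::(?:[0-5]\d|60)(?:[:.,]\d+)?)?)"
# "ERROR +" matches one or more spaces, covering both patterns from the config.
ERROR_LINE = re.compile(DATE + r" " + TIME + r" ERROR +(?P<unknown_module>\w+)(?P<message>.*)")

STATSD_NAMESPACE = "logstash"                     # logstash-output-statsd default
COUNT_KEY = "appperf.abc.errors.appmodules"       # prefix from the output section

# Constructed sample log lines in the layout the grok pattern expects.
LOG_LINES = [
    "09/09/2016 14:03:22,117 ERROR  PaymentService timeout calling gateway",
    "09/09/2016 14:03:23,004 ERROR Inventory stock lookup failed",
    "09/09/2016 14:03:24,500 INFO  PaymentService retry succeeded",
    "09/09/2016 14:03:25,001 ERROR  PaymentService timeout calling gateway",
    "garbage line with no timestamp",
]


def parse_line(line):
    """Return the grok-style fields for an ERROR line, or None if it does not match."""
    m = ERROR_LINE.match(line)
    return m.groupdict() if m else None


def metric_name(module, sender, namespace=STATSD_NAMESPACE, key=COUNT_KEY):
    """Build the name statsd receives: <namespace>.<sender>.<count key>.<module>."""
    return f"{namespace}.{sender}.{key}.{module}"


def statsd_counter(name, value=1):
    """Format a statsd counter increment in the plain UDP wire format."""
    return f"{name}:{value}|c"


def build_statsd_payloads(lines, sender):
    """One counter packet per matching event, mirroring count => { ... => "1" }."""
    payloads = []
    for line in lines:
        fields = parse_line(line)
        if fields and fields["unknown_module"]:      # the [unknown_module] =~ /.+/ check
            payloads.append(statsd_counter(metric_name(fields["unknown_module"], sender)))
    return payloads


def count_module_errors(lines):
    """Aggregate error counts per module, i.e. what statsd sums into .count."""
    return Counter(f["unknown_module"] for f in map(parse_line, lines) if f)


def send_udp(payloads, host, port=8125):
    """Send the formatted packets to a statsd server (not used by the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for payload in payloads:
            sock.sendto(payload.encode(), (host, port))


if __name__ == "__main__":
    for p in build_statsd_payloads(LOG_LINES, sender="web01"):
        print(p)
    print(dict(count_module_errors(LOG_LINES)))
```

Running the script prints three counter packets (two for PaymentService, one for Inventory) and the aggregated counts; the INFO line and the unparseable line produce nothing, exactly as the `if [unknown_module]` guard in the output section intends.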