Yet Another Fun One

Opening a fun can of worms. Thanks in advance.

I received a notification at 8:47pm local time that my Discourse site was not reachable.

My server was getting hammered (load average was running anywhere from 8 on the low side to 15 on the high side), Discourse was running, and there was nothing I could easily discern as an issue.

I ran discourse doctor, no problem.

I ended up having to reboot the compute instance, which did not solve the problem.
Ultimately I stopped the instance for over 30 minutes before restarting.
Problem gone.

Keep in mind my Discourse site is really, really small - about 20 active users.
I can’t prove there was some sort of DDoS activity, but the symptoms sure line up with that possibility.

Below is a log snippet.
I am sure folks want to keep known bugs that are security risks obfuscated.

Do the logs below match any known indicators of compromise?

Any and all thoughts appreciated. Thank you!

You can look at /var/discourse/shared/standalone/log/var-log/nginx/access.log (if I can remember and type). And look there to see if you have a lot of traffic.

It’s improbable that your issue is caused by a security error with Discourse.

I once had an issue sort of like that which was caused by a DDoS attack on SSH.

2 Likes
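Added example, not part of any post in this thread: one way to check the nginx access log mentioned above for a traffic surge, by counting requests per minute and per client address and flagging minutes far above the median rate. It assumes each line carries an nginx `$time_local` stamp in brackets and that the first IPv4 token on the line is the client address; the function names and sample lines are constructed for illustration.

```python
import re
import statistics
import sys
from collections import Counter

# Assumed layout: "[dd/Mon/yyyy:HH:MM:SS +zzzz]" somewhere on the line, and the
# client address as the first IPv4 token. Adjust both for your log_format.
STAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2} [+-]\d{4}\]")
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def summarize(lines, spike_factor=5, top=5):
    """Count requests per minute and per client; flag minutes far above the median."""
    per_minute, per_ip, skipped = Counter(), Counter(), 0
    for line in lines:
        stamp, ip = STAMP.search(line), IPV4.search(line)
        if not stamp or not ip:
            skipped += 1  # unparsable line: count it instead of guessing
            continue
        per_minute[stamp.group(1)] += 1
        per_ip[ip.group(1)] += 1
    baseline = statistics.median(per_minute.values()) if per_minute else 0
    # Counter keeps first-seen order, so spikes come out in log order.
    spikes = [m for m, n in per_minute.items() if n > spike_factor * baseline]
    return {
        "baseline_per_minute": baseline,
        "spike_minutes": spikes,
        "top_minutes": per_minute.most_common(top),
        "top_ips": per_ip.most_common(top),
        "skipped": skipped,
    }


def constructed_sample():
    """Constructed log lines using documentation addresses, not real traffic."""
    fmt = '{ip} - - [10/Mar/2024:20:{m:02d}:{s:02d} +0000] "GET / HTTP/1.1" 200 512'
    quiet = [fmt.format(ip="192.0.2.10", m=m, s=s)
             for m in range(40, 47) for s in (5, 35)]
    burst = [fmt.format(ip="203.0.113.7", m=47, s=s) for s in range(40)]
    return quiet + burst


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            print(summarize(fh))
    else:
        print(summarize(constructed_sample()))
```

Pass the access log path as the only argument; a flat per-minute count during the outage window points away from web traffic as the cause of the load.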

Thank you very much!

1 Like

Tell us more about your setup. Is it a standard install? Are you running Postgres and Redis on another host, maybe on AWS managed instances?

1 Like

As plain vanilla an install as you get, underpinned by AWS Lightsail.

1 Like