askquestiongetanswernobs
New Member
Hi, my first post here and hopefully asking a simple question will get me a simple or reasonably simple answer.
Using the Linux terminal how do I determine how many inodes the file system was setup with initially?
My server came under inode attack two days ago. I've never heard the phrase inode and it still makes no sense. It's a huge vulnerability where whoever setup the file system did so not using the maximum number of inodes. Apparently no one bothered to ensure that the inode system doesn't get taken advantage of...well, someone decided to take advantage of it. Here is a paragraph from this PDF file:
The purpose of my question (using a user name I wouldn't use) is that I build monitoring software and I need to know in advance if there is going to be a problem so I can solve it while I'm working solo instead of say, in the middle of a sales presentation where having everything on f#$%ing fire or already in a pile of ashes would destroy my credibility because so many people can't do their jobs correctly. I install PHP modules and often use newer (not newest, newer) versions of things that software (that I hate) like cPanel is combative against. So I have to ensure that after a server downgr...er, "upgrade" that cPanel hasn't destroyed half of my custom server configuration. I color code this stuff and everything because I just need to know that everything is nominal so I can you know, move forward with my life. I love programming but I'm not programming for the sake of programming.
So the closest I've gotten (and no one better try to placate me with this as the answer) is using df -i.
A modified example of the output:
Filesystem Inodes IUsed IFree IUse% Mounted on
/dev/ploop15222p3 216000 26949 159051 13% /
none 524288 1 54272 1% /sys/fs/cgroup
none 524288 7 54214 1% /dev
tmpfs 524288 2 54286 1% /dev/shm
tmpfs 524288 30 53988 1% /run
So the lazy person (who should be too lazy to reply) would say the first number of Inodes is the system total. But even if I didn't mess with those numbers the basic math doesn't work (and yes, I verified them properly). Unless of course there is some convoluted thing where inodes are assigned to directories instead of being in some general pool of availability. So no, I absolutely do not trust that number at all!
For anyone replying I can not overemphasize that my primary focus is to resolve things that are within my control. If I know an inode attack is happening I can call support and they'll at least resolve it while refusing to give me terminal commands or whatever they did in WHM/cPanel/etc. Which is fine because that is a very quick way to get me to switch hosts. When someone is starving you don't teach them to fish and not give them a fish or give them a fish and not teach them, you give them the fish so they don't starve now and you teach them to fish so they don't starve later either! So once I have the ability to know when, in whack-a-mole, a mole will pop-up that I have the ability to "whack" it by calling support - then I'm interested in hunting down the vulnerability. I am, secondary, interested in locking down useless or misused commands (so long as I know how to turn them back on). Or disabling ports or removing garbage software included that I don't need that just dump in their own vulnerabilities.
Lastly this is not my first time dealing with the consenquences of someone else's stupidity. So I'm committed to not doing the stereotypical "it wurked thanks-k-bye" useless replies so someone else who is also at the mercy of stupid people can hopefully resolve the same or similar-enough issue in much less time. From what searching I have done this is not a day-zero attack though it's not some wildly known attack. Hopefully replies will be useful and on-topic.
Using the Linux terminal how do I determine how many inodes the file system was setup with initially?
My server came under inode attack two days ago. I've never heard the phrase inode and it still makes no sense. It's a huge vulnerability where whoever setup the file system did so not using the maximum number of inodes. Apparently no one bothered to ensure that the inode system doesn't get taken advantage of...well, someone decided to take advantage of it. Here is a paragraph from this PDF file:
I'm a web developer and I know more than enough about Linux to have a mild conversation though (wildly) far away enough to not make it the OS on my PC. I'm not a security expert or specialize in security though I have most certainly come across many security issues in the past. The support team at my host decided to play off the inode attack as a misconfiguration of modsec. I'm not sure if modsec is Linux specific, distro specific or cPanel specific. I've had several exchanges with different people because apparently I'm a technological prostitute not worth more than 30 seconds for a pointless reply. This was clearly an attack as the host is otherwise specific about attacks, maintenance and other such related things. So I do not know where the security vulnerability is nor how to prevent it from happening. I recieved an email from cPanel about an 80% usage. An hour later it was around 87%. Before I got off the phone with a worthless level 1 tech who just wanted to placate me it was at 97%. Apparently, if the inode usage reaches 100% files written/updated/whatever can get corrupted. Then a day or two of attacking this program becomes a week or two.The inode attack. In the inode attack, the victim-container keeps
allocating inode structures. Unfortunately, the mount namespace
does not isolate the inode. Neither the Linux kernel provides any
inode related control groups. As a result, all inodes on the partition
are exhausted. All operations consuming inodes fail, including
the ones from the victim-container or the host machine. In our
experiments, Alibaba Cloud is vulnerable to the inode attack. The
victim-container even gets evicted. Moreover, the host-machine
cannot create any new files either.
The purpose of my question (using a user name I wouldn't use) is that I build monitoring software and I need to know in advance if there is going to be a problem so I can solve it while I'm working solo instead of say, in the middle of a sales presentation where having everything on f#$%ing fire or already in a pile of ashes would destroy my credibility because so many people can't do their jobs correctly. I install PHP modules and often use newer (not newest, newer) versions of things that software (that I hate) like cPanel is combative against. So I have to ensure that after a server downgr...er, "upgrade" that cPanel hasn't destroyed half of my custom server configuration. I color code this stuff and everything because I just need to know that everything is nominal so I can you know, move forward with my life. I love programming but I'm not programming for the sake of programming.
So the closest I've gotten (and no one better try to placate me with this as the answer) is using df -i.
A modified example of the output:
Filesystem Inodes IUsed IFree IUse% Mounted on
/dev/ploop15222p3 216000 26949 159051 13% /
none 524288 1 54272 1% /sys/fs/cgroup
none 524288 7 54214 1% /dev
tmpfs 524288 2 54286 1% /dev/shm
tmpfs 524288 30 53988 1% /run
So the lazy person (who should be too lazy to reply) would say the first number of Inodes is the system total. But even if I didn't mess with those numbers the basic math doesn't work (and yes, I verified them properly). Unless of course there is some convoluted thing where inodes are assigned to directories instead of being in some general pool of availability. So no, I absolutely do not trust that number at all!
For anyone replying I can not overemphasize that my primary focus is to resolve things that are within my control. If I know an inode attack is happening I can call support and they'll at least resolve it while refusing to give me terminal commands or whatever they did in WHM/cPanel/etc. Which is fine because that is a very quick way to get me to switch hosts. When someone is starving you don't teach them to fish and not give them a fish or give them a fish and not teach them, you give them the fish so they don't starve now and you teach them to fish so they don't starve later either! So once I have the ability to know when, in whack-a-mole, a mole will pop-up that I have the ability to "whack" it by calling support - then I'm interested in hunting down the vulnerability. I am, secondary, interested in locking down useless or misused commands (so long as I know how to turn them back on). Or disabling ports or removing garbage software included that I don't need that just dump in their own vulnerabilities.
Lastly this is not my first time dealing with the consenquences of someone else's stupidity. So I'm committed to not doing the stereotypical "it wurked thanks-k-bye" useless replies so someone else who is also at the mercy of stupid people can hopefully resolve the same or similar-enough issue in much less time. From what searching I have done this is not a day-zero attack though it's not some wildly known attack. Hopefully replies will be useful and on-topic.