My Profile Photo

Ionut Gavrilut


DevOps Enthusiast | Linux System Administrator | Certified Jenkins Engineer


Cryptonight attack on Apache SOLR (Solve and Prevent)

Apache Solr should listen to local IPs only, and not be reachable from the Internet. A public Solr can be victim of cryptonight attacks (monero mining) and huge load.

In order to solve this, you need to:

  • Kill the processes of that script. Find them with top and ps aux | grep solr (if Solr run with solr user) commands.
  • Remove crontab entries for solr user. Run crontab -e to edit the crontab.
  • Delete the temporary files from /var/tmp/ and /tmp/ that were used by this. Also check and remove /opt/solr/server/solr/configsets/default/conf/configoverlay.json.
  • Restart the SOLR service

To make the Solr application to listen on some IP, you need to change SOLR_PORT and change add some SOLR_OPTS in $SOLR_HOME/bin/solr.in.sh (for Linux)

...
SOLR_HOST="192.168.0.111"
...
SOLR_OPTS="$SOLR_OPTS -Djetty.host=192.168.0.111"
...