Blog

  • Linux process in uninterruptible sleep state

    In Linux, a process in an uninterruptible sleep state (D state) is typically waiting for I/O operations (like disk or network) and cannot be killed until the system call completes. 

    root@vps-2153e875:~# ps -eo pid,state,comm | awk '$2 == "D"'
    2662710 D find
    
    root@vps-2153e875:~# cat /proc/2662710/stat
    2662710 (find) D 2660486 2662710 2660486 34817 2662710 4456448 162 0 0 0 5 40 0 0 20 0 1 0 470174814 5050368 576 18446744073709551615 94339750293504 94339750436697 140720879474736 0 0 0 0 0 0 1 0 0 17 0 0 0 0 0 0 94339750490160 94339750499624 94340756328448 140720879479322 140720879479338 140720879479338 140720879480810 0

    Unlike standard “idle” processes, those in state D contribute to the system load average, often causing high load numbers even if CPU usage is low.

    Common causes of a process in D state are NFS issues (a lost connection to an NFS server is the most frequent cause) or failing hardware (hardware malfunctions that prevent I/O completion).

    If the resource becomes available (e.g., the NFS server comes back online), the process will resume automatically. For storage issues, attempting a “lazy” unmount (umount -l) or resetting the specific hardware device may help. If the process is stuck due to a kernel bug or permanently lost hardware, a system reboot is often the only way to clear it.

    (more…)
  • SSL certificates with Certbot on HAProxy

    As you may already know, Certbot is a free, open-source software tool designed to automatically obtain and install SSL/TLS certificates for websites. It is developed by the Electronic Frontier Foundation (EFF) and serves as the primary client for Let’s Encrypt, a free certificate authority.

    You can install Certbot using your OS package manager (apt/yum). After that, if you already have an Apache web server running on http://<yourdomain>, you can just run ‘sudo certbot --apache’, which uses the Certbot Apache plugin to detect the configuration and domain, generates and installs the SSL key/certificate, and automatically modifies the web server configuration to use the new certificate. The first time you run it, you will be asked for an email address and prompted to agree to the terms of service; it will also prompt you to confirm the domain for which you are generating the certificate, and finally it will ask whether you want to automatically redirect all HTTP traffic to HTTPS in your web server configuration. The certificate will be valid for 90 days, and to renew it you will have to run ‘sudo certbot renew’.

    Below are more details about what happens internally when you run the certbot command.

    (more…)
  • Remote Code Execution vulnerability exploitation

    Disclaimer note: The information, examples and screenshots provided in this article are for general informational and learning purposes only. The author assumes no responsibility or liability for any results obtained from the use of this information.

    A Remote Code Execution (RCE) vulnerability is a critical security flaw that allows an attacker to run arbitrary code or commands on a target machine from a remote location. Because RCE does not require physical access to the device or prior authentication, it is considered one of the most dangerous types of cybersecurity vulnerabilities.

    RCE typically occurs when an application or server processes user-supplied data insecurely, allowing an attacker to “trick” the system into executing malicious instructions.

    Successful exploitation of an RCE vulnerability often results in full system compromise. Attackers can steal sensitive data, deploy malware, attack other systems within a corporate network, or use the compromised server resources to run cryptomining software.

    (more…)
  • Java thread blocked on a native method

    When a Java application is experiencing performance issues such as slowness or unresponsiveness, we usually check the following things in order to troubleshoot:

    • Threads consuming high CPU
    • Threads marked as BLOCKED
    • GC pause times
    • Connection pool
    • Application log

    If our Java application makes HTTP(S) requests to an external site, or if it depends on a database, then issues and delays in these remote resources directly affect our application's response time. In these scenarios, although the thread is effectively “blocked” waiting for the network response, the JVM reports it as RUNNABLE because it can’t track the internal state of a native method. In Java, native threads are execution units managed directly by the underlying operating system (OS) kernel.

    (more…)
  • Unix Domain Socket example with Fail2ban

    In Linux, Stream Sockets are primarily implemented in two domains. The domain specifies the protocol family and addressing scheme used.

    • Internet Domain (AF_INET/AF_INET6): Uses the Transmission Control Protocol (TCP) to communicate over a network. They use IP addresses and port numbers for addressing. 
    • Unix Domain (AF_UNIX): Used for Inter-Process Communication (IPC) between programs on the same machine. In this context, they behave like a bidirectional pipe. They are addressed via filesystem paths (e.g., /tmp/file.socket) and are faster than network sockets as they avoid network protocol overhead.

    In this post I’ll cover an example of a Unix Domain Socket by using the fail2ban utility.

    Fail2Ban is an open-source intrusion prevention software that protects servers from automated attacks, like brute-force login attempts, by monitoring log files for suspicious activity and automatically banning offending IP addresses using firewall rules (e.g., iptables/nftables).

    (more…)
  • How a SYN flood attack looks

    Some weeks ago, on December 22, 2025, after logging into one of my existing VPS servers (IP 51.79.160.8), which has an Apache process listening on ports 80 and 443, I noticed in the output of the command ‘netstat -ptuan’ that there were around 100 connections (TCP sockets) on my server's port 443 in the ‘SYN_RECV’ state.

    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    ...
    tcp        0      0 51.79.160.8:443         177.8.135.235:47130     SYN_RECV    -
    tcp        0      0 51.79.160.8:443         177.8.134.2:50381       SYN_RECV    -
    tcp        0      0 51.79.160.8:443         177.8.132.49:48273      SYN_RECV    -
    tcp        0      0 51.79.160.8:443         177.8.135.108:59527     SYN_RECV    -
    tcp        0      0 51.79.160.8:443         177.8.132.62:42140      SYN_RECV    -
    tcp        0      0 51.79.160.8:443         177.8.134.237:32949     SYN_RECV    -
    tcp        0      0 51.79.160.8:443         177.8.135.149:27714     SYN_RECV    -
    tcp        0      0 51.79.160.8:443         177.8.132.77:28729      SYN_RECV    -
    tcp        0      0 51.79.160.8:443         177.8.132.234:37897     SYN_RECV    -
    tcp        0      0 51.79.160.8:443         177.8.132.120:53457     SYN_RECV    -
    ...
    (more…)
  • First 24 hours haproxy statistics

    My WordPress blog hosted on https://adib.express/ was deployed on a Kubernetes on-premise cluster by the end of December 2025, but it was not until January 1, 2026, that I secured it and opened the firewalls to make it publicly accessible.

    As a frontend, I have HAProxy which serves on both ports 80 and 443.

    A typical HAProxy log entry looks as follows:

    2026-01-03T21:29:10.939487+00:00 vps-2153e875 haproxy[351604]: 79.116.218.196:58439 [03/Jan/2026:21:29:10.793] all~ wordpress_80/kube-service-web 0/0/7/ki/145 200 12740 - - ---- 2/2/0/0/0 0/0 "GET https://adib.express/ HTTP/2.0"

    The current log file is ‘/var/log/haproxy.log’ and it’s rotated daily, and by the time I was collecting this information it was January 3, 2026, so the file ‘haproxy.log.1’ had all the events from January 2, 2026. Let’s check this log, and extract the requests which experienced 404 (Not Found) error responses, most of them generated by requests from bots/botnets/attackers.

    (more…)
  • Hello world!

    Welcome to my personal Blog.

    Adib Ahmed Akhtar