Today I tried to push my togo-lab.io setup (see 2nd block at my landing page for all services<\/a>) a bit further than strictly necessary. So maybe you noticed some outages. <\/p>\n Why I did this? Not only for production security reasons, but also out of curiosity: How far can I go with limited resources? I want to understand where the real limits for my setup are.<\/p>\n In this experiment, I wanted to see whether a single small VPS could reasonably host Nextcloud, a Matrix server, and Gitea, and still handle antivirus scanning for file uploads. At first glance it looked tight, but maybe possible. In practice, it pushed this small VPS over the edge.<\/p>\n That outcome was useful for my learning and understanding. When things fail or become unstable, I usually learn much more than when everything works smoothly. As a technician, breaking things on purpose for learning is, for me, typically the fastest way to understand them.<\/p>\n The following section is a post-mortem of that experiment: what it revealed, what I learned from it, and what would be required if I want to add antivirus scanning in the future.<\/p>\n Context:<\/strong> The goal was to add antivirus scanning for uploaded files<\/strong> in Nextcloud, as preparation for future collaborative use.<\/p>\n Enable server-side antivirus scanning for Nextcloud uploads using ClamAV<\/strong>, with the following constraints:<\/p>\n This is a reasonable baseline requirement once multiple external contributors are involved.<\/p>\n What was tried<\/strong><\/p>\n Installed ClamAV daemon<\/p>\n<\/li>\n Tuned Added strict systemd memory limits<\/p>\n<\/li>\n Disabled background scans<\/p>\n<\/li>\n Socket-based integration with Nextcloud<\/p>\n<\/li>\n **changes to the default best I got, via Observed behavior<\/strong><\/p>\n Conclusion<\/strong>\nEven heavily tuned, resident ClamAV is not viable<\/strong> on a 1 GB VPS that already runs multiple services.<\/p>\n What was tried<\/strong><\/p>\n FYI Final authoritative configuration<\/strong> in NextCloud App “Antivirus for Files”<\/p>\n Observed behavior<\/strong><\/p>\n Conclusion<\/strong>\nEven non-resident scanning adds too much peak load<\/strong> for this VPS when combined with:<\/p>\n The Nextcloud Antivirus app is currently disabled<\/strong>.<\/p>\n Reasons:<\/p>\n After disabling AV and rebooting:<\/p>\n Meaning: <\/p>\n 1 GB VPS is already at the limit<\/strong> for:<\/p>\n Antivirus scanning is loadwise not \u201cfree\u201d<\/strong>, even in executable mode.<\/p>\n<\/li>\n Security features that trigger CPU + IO spikes<\/strong> must be sized for worst-case concurrency<\/em>, not idle averages.<\/p>\n<\/li>\n Adding AV without increasing resources creates negative security<\/strong> by destabilizing the system.<\/p>\n<\/li>\n<\/ol>\n Antivirus scanning will be mandatory<\/strong> once this instance is used for real group collaboration.<\/p>\n That will require one of the following<\/strong> options:<\/p>\n This is acceptable temporarily<\/strong>, but not a final state<\/strong>.<\/p>\n This experiment was intentional and valuable, learned a lot, also during configuration and tuning.<\/p>\n It clarified:<\/p>\n When collaboration expands, the infrastructure will be expanded accordingly<\/strong>.\nSo clamav and configuration stays, but Nextcloud App is disabled for now, but not uninstalled.<\/p>","protected":false},"excerpt":{"rendered":" Failing Experiments Are Useful Today I tried to push my togo-lab.io setup (see 2nd block at my landing page for all services) a bit further than strictly necessary. So maybe you noticed some outages. Why I did this? Not only for production security reasons, but also out of curiosity: How far can I go with … Continue reading “Post-Mortem: Antivirus Integration on a 1 GB Nextcloud VPS (failed due load)”<\/span><\/a><\/p>","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[5,16],"post_folder":[],"class_list":["post-190","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-engine-room-log","tag-linux"],"_links":{"self":[{"href":"https:\/\/togo-lab.io\/index.php?rest_route=\/wp\/v2\/posts\/190","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/togo-lab.io\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/togo-lab.io\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/togo-lab.io\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/togo-lab.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=190"}],"version-history":[{"count":7,"href":"https:\/\/togo-lab.io\/index.php?rest_route=\/wp\/v2\/posts\/190\/revisions"}],"predecessor-version":[{"id":197,"href":"https:\/\/togo-lab.io\/index.php?rest_route=\/wp\/v2\/posts\/190\/revisions\/197"}],"wp:attachment":[{"href":"https:\/\/togo-lab.io\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=190"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/togo-lab.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=190"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/togo-lab.io\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=190"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/togo-lab.io\/index.php?rest_route=%2Fwp%2Fv2%2Fpost_folder&post=190"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n
\nThis server hosts multiple self-managed services on a small VPS (1 GB RAM, 1 vCPU):<\/p>\n\n
\nInitial Goal<\/h4>\n
\n
\nAttempted Approaches<\/h4>\n
1. ClamAV Daemon (
clamd<\/code>) + Nextcloud (Socket Mode)<\/h5>\n\n
clamd.conf<\/code> aggressively (single thread, reduced parsers, size limits)<\/p>\n<\/li>\n\/etc\/clamav\/clamd.conf<\/code><\/p>\n # === VPS-safe limits ===\n MaxThreads 1\n ConcurrentDatabaseReload no\n\n # File size limits (Nextcloud uploads)\n MaxFileSize 50M\n MaxScanSize 75M\n StreamMaxLength 75M\n\n # Archive \/ recursion limits\n MaxRecursion 10\n MaxFiles 5000\n\n # Timeouts\n ReadTimeout 120\n CommandReadTimeout 120\n\n # Disable low-value \/ memory-heavy scanners\n ScanHTML false\n ScanMail false\n ScanSWF false\n ScanHWP3 false\n ScanXMLDOCS false\n\n # Reduce bytecode impact\n Bytecode true\n BytecodeTimeout 20000\n\n # Reduce RAM further (Nextcloud upload use-case)\n PhishingSignatures false\n PhishingScanURLs false\n DisableCache true\n ExtendedDetectionInfo false<\/code><\/pre>\n<\/li>\nfree -h<\/code><\/p>\n<\/li>\n<\/ul>\n\n\n
\n \n<\/th>\n total<\/th>\n used<\/th>\n free<\/th>\n shared<\/th>\n buff\/cache<\/th>\n available<\/th>\n<\/tr>\n<\/thead>\n \n Mem:<\/td>\n 960Mi<\/td>\n 926Mi<\/td>\n 68Mi<\/td>\n 31Mi<\/td>\n 101Mi<\/td>\n 33Mi<\/td>\n<\/tr>\n \n Swap:<\/td>\n 1.0Gi<\/td>\n 843Mi<\/td>\n 180Mi<\/td>\n –<\/td>\n –<\/td>\n –<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n $ swapon --show\n NAME TYPE SIZE USED PRIO\n \/swapfile file 1024M 848.5M -2`<\/code><\/pre>\n\n
clamd<\/code> resident memory usage: ~500\u2013600 MB<\/li>\n
\n2. ClamAV Executable Mode (
clamscan<\/code> on upload)<\/h5>\n\n
clamd<\/code> entirely<\/li>\n\n
Executable<\/code><\/li>\n\/usr\/bin\/clamscan<\/code><\/li>\n--no-summary,--infected,--max-filesize=50M,--max-scansize=75M<\/code><\/li>\n104857600<\/code><\/li>\nYes<\/code><\/li>\nNo<\/code><\/li>\noff<\/code> (unchecked)<\/li>\n<\/ul>\n\n
\n
\n
\nFinal Decision<\/h4>\n
Antivirus disabled (for now)<\/h5>\n
\n
\n
\n
\nPost-Mortem Summary<\/h4>\n
\n\n
\n \nItem<\/th>\n Result<\/th>\n<\/tr>\n<\/thead>\n \n Configuration error<\/td>\n \u274c No<\/td>\n<\/tr>\n \n ClamAV bug<\/td>\n \u274c No<\/td>\n<\/tr>\n \n Nextcloud bug<\/td>\n \u274c No<\/td>\n<\/tr>\n \n VPS resource limit<\/td>\n \u2705 Yes<\/td>\n<\/tr>\n \n Wrong architecture<\/td>\n \u2705 Yes (for this size)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n \n
\nLessons Learned<\/h4>\n
\n
\n
\ncombined.<\/li>\n<\/ul>\n<\/li>\n
\nWhen Antivirus Will Be Re-Enabled<\/h4>\n
Option A \u2014 VPS Upgrade (actual preferred)<\/h5>\n
\n
Option B \u2014 Service Split<\/h5>\n
\n
\nCurrent Security Posture (Interim)<\/h4>\n
\n
\nClosing Notes<\/h4>\n
\n