Blocking network access to abusive KVM guests

edited October 2012 in Help

How do you usually handle cases where you need to block network access to a specific KVM guest if for example he's sending out spam? (provided you don't have access to networking equipment, but only to your node)

I used to do it with iptables (see below), but with IP Stealing & ARP Attack functionality still not working on SolusVM v1.13.00 and CentOS 6, there's always the chance a malicious user finds a free IP, statically configures it and continues his activity.

iptables -A INPUT -s ip_address -j DROP
iptables -A FORWARD -s ip_address -j DROP

The next solution was to detach the network interface of his KVM guest via virsh

# virsh detach-interface --domain kvm1xx --type bridge --mac xx:xx:xx:xx:xx:xx

Now he can try all the IPs in the world, he's not getting his traffic out.

A problem I faced with this method was that I couldn't reattach the network interface (i.e. when the user has logged into his VPS through VNC, cleaned it and wanted to get reconnected).

# virsh attach-interface --domain kvm1xx --type bridge --mac xx:xx:xx:xx:xx:xx --source br0
error: Failed to attach interface
error: internal error unable to execute QEMU command 'device_add': Duplicate ID 'net0' for device

Another thing is if the user clicks the Reboot button from within SolusVM, the network interface gets recreated and he's back to business.

So what's your way of temporarily blocking network access to KVM guests?

Fusioned | KVM SSD VPS | LSI RAID10 | Netherlands 1Gbps | R1Soft | IPv4 & IPv6 | SolusVM

Comments

  • Taz Disabled

    Why not simply suspend the user? I don't see a reason for you to allow him back if he is being malicious.

    Time is good and also bad. Life is short and that is sad. Dont worry be happy thats my style. No matter what happens i won't lose my smile!

  • iptables -A FORWARD.... might work but unlikely.

    You could always just use ebtables?

    ebtables -A FORWARD -i INTERFACE_OF_KVM -j DROP

    Francisco

    BuyVM - OpenVZ & KVM Based / TUN, PPTP, FUSE, SIT & GRE Enabled! / Stallion Control Panel
  • @Taz said: Why not simply suspend the user? I don't see a reason for you to allow him back if he is being malicious.

    Because sending spam can happen accidentally (user got hacked) or on purpose (user is a spammer). I want to provide the user a 24h option to access his VPS through VNC and fix it, in case he got hacked, during which time his network connection will be blocked (and will be re-enabled after verifying that his VPS is clean). If he doesn't respond to the ticket within 24h then he's most probably a spammer, and his service gets suspended.

  • @Francisco said: You could always just use ebtables?

    I thought an incompatibility between CentOS 6 x64 and ebtables was the reason IP Stealing & ARP Attack isn't working in the first place so I never tried it: http://www.lowendtalk.com/discussion/4024/solusvm-ebtables-ipv6-issues Will check it out, thanks :)

  • @George_Fusioned said: How do you usually handle cases where you need to block network access to a specific KVM guest if for example he's sending out spam? (provided you don't have access to networking equipment, but only to your node)

    @ErawanArifNugroho said: @miTgiB

    No idea, I use a router and block it there.

    Hostigation High Resource Hosting - SolusVM OpenVZ/KVM VPS
  • @George_Fusioned said: I thought an incompatibility between CentOS 6 x64 and ebtables was the reason IP Stealing & ARP

    Nope, just Solus' inability to code properly.

    Their iptheft stuff is pretty broken and IPV6 is 100% shot.

    It was one of the major bugs we had before we moved to stallion

    Fran

  • Jar Member
    edited October 2012

    @Francisco Just imagine the extra income from licensing Stallion monthly.

    Just saying... ;)

    Maybe after a redesign?

  • Taz Disabled

    Don't build your hopes up. Francisco ain't selling it.


  • @Francisco said: IPV6 is 100% shot.

    :sigh:

    RamNode: High Performance SSD and SSD-Cached VPS
    New York - Atlanta - Seattle - Netherlands - IPv6 - DDoS Protection - AS3842
  • @Nick_A said: :sigh:

    @SimpleNode - let's blame SolusVM instead of Incero this time for no IPv6 :)

    Internap VPS, Web Hosting and more - Cloud Shards | Need a VPS Upgrade?
    Query Foundry, LLC AS62638
  • @concerto49 said: @SimpleNode - let's blame SolusVM instead of Incero this time for no IPv6 :)

    IPv6 is there with SolusVM but it's, well, :sigh:

  • Jar Member

    @Taz Everything has a price ;)

  • Taz Disabled

    I doubt.


  • ebtables, allow his MAC only to use 127.0.0.1 and then block all other traffic from it.

    Opinions/Posts are to be assumed my own/personal and not company related unless obvious
    Working @ EDIS and owning some others (and/or parts of) | Available for consulting | http://as198412.net | https://william.si

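As an added example (not code from the thread or from any poster), here is one way to script the ebtables approach from Francisco's and William's replies: the guest is keyed by the MAC from its libvirt definition rather than by IP, so statically configuring a "free" IP inside the guest does not lift the block, and the rule lives on the host, where a SolusVM reboot recreating the guest's tap interface does not touch it. The bridge name, the sample MAC and the helper names (`block_rules`, `apply_rules`, `show_counters`) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: isolate a KVM guest at layer 2 with ebtables.
# Matching on the guest's MAC (fixed in its libvirt XML) instead of its IP means a
# guest that reconfigures its own address is still dropped.
# Assumptions: Linux host bridging guests (e.g. br0), ebtables installed, run as root.

# Reject anything that is not a colon-separated MAC before it reaches a command line.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the ebtables commands that cut a guest off. Insert at position 1 so an
# existing ACCEPT rule (e.g. one added by a panel) cannot match first.
block_rules() {
    echo "ebtables -I FORWARD 1 -s $1 -j DROP"   # frames the guest sends via the bridge
    echo "ebtables -I FORWARD 1 -d $1 -j DROP"   # frames addressed to the guest
    echo "ebtables -I INPUT 1 -s $1 -j DROP"     # guest -> the host itself
    echo "ebtables -I OUTPUT 1 -d $1 -j DROP"    # the host itself -> guest
}

# Print the matching deletions: same rule spec, -D instead of -I <chain> 1.
unblock_rules() {
    block_rules "$1" | sed 's/ -I \([A-Z]*\) 1 / -D \1 /'
}

# Run the generated commands for <block|unblock> <mac>. Only a validated MAC is
# ever substituted, so plain word splitting of each generated line is safe.
apply_rules() {
    valid_mac "$2" || { echo "invalid MAC: $2" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "ebtables needs root" >&2; return 1; }
    "${1}_rules" "$2" | while IFS= read -r cmd; do
        $cmd || exit 1
    done
}

# Verify the block is taking effect: the counters on the DROP rules should keep
# climbing while the guest is still trying to send.
show_counters() {
    ebtables -L FORWARD --Lc
}

# Usage: ./guestblock.sh block 52:54:00:ab:cd:ef | unblock <mac> | status
case "${1:-}" in
    block|unblock) apply_rules "$1" "$2" ;;
    status)        show_counters ;;
esac
```

Running `block <mac>` does nothing until the MAC validates and the script is root; `status` is the check to run before telling the user the block is in place.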
  • @William said: ebtables, allow his MAC only to use 127.0.0.1 and then block all other traffic from it.

    Thanks I'll try that out :)

  • @Nick_A said: IPv6 is there with SolusVM but it's, well, :sigh:

    It's practically for IPv6 address "management" only atm. Guests have to be configured manually (ie no DHCPv6), no IP Stealing functionality... and I'm pretty sure this won't change for at least the next 6 months.

  • fileMEDIA Member
    edited October 2012

    Yeah, bad things. I talked with Phil a few weeks ago and no IP stealing with IPv6 and DHCPv6 is planned. I hope OnApp includes the new ISO function very soon (v3), then I go with OnApp.

    fileMEDIA - Dedify: German Private Cloud @ https://www.dedify.com - CloudStack+XenServer+SSD

    @fileMEDIA said: Yeah, bad things. I talked with Phil a few weeks ago and no IP stealing with IPv6 and DHCPv6 is planned. I hope OnApp includes the new ISO function very soon (v3), then I go with OnApp.

    Mind you that OnApp is now $500/month minimum.

  • @George_Fusioned said: Mind you that OnApp is now $500/month minimum.

    Not necessarily :)

  • No problem, each node 4 to 12 cores. We have lots of them, that's then 500 per month.


  • @GetKVM_Ash said: Not necessarily :)

    You mean by using the Free version? Because otherwise:

    • The minimum deployment for the full version is one cloud (one controller server) and up to 40 hypervisor CPU cores, for $500 per month.

    Source: http://onapp.com/getonapp/

    @fileMEDIA said: No problem, each node 4 to 12 cores. We have lots of them, that's then 500 per month.

    Well then no problem indeed :)

  • @George_Fusioned said: The minimum deployment for the full version is one cloud (one controller server) and up to 40 hypervisor CPU cores, for $500 per month.

    OnApp pricing is negotiable.

    Loading Deck - Cloud Consultants: Server Management | Consultancy | Software Development
  • @jhadley said: OnApp pricing is negotiable.

    Nice to hear. To be honest I still have an option until the end of October for their old pricing ($100 per cloud + $10 per core / no minimum) since I got in touch with them before they announced their new pricing. Still considering it though.. :/

  • @George_Fusioned said: Still considering it though.. :/

    I think you can negotiate lower than that :P. Either way it's worth it - OnApp really is fantastic.

  • @jhadley said: I think you can negotiate lower than that :P. Either way it's worth it - OnApp really is fantastic.

    Yes you can, we have a good price, but the only thing is you need a different "cloud" for every location, and I'm not paying $100/mo + a $200/mo Server to host the CP on.

    I would rather re-invest the money I would spend on OnApp over a 2 year period into getting my own custom VPS panel made.

    LoveVPS - 2GB RAM - 25 GB RAID 10 Spring Sale from $7.00/mo - We provide KVM Virtual Servers with love!

  • @George_Fusioned said: It's practically for IPv6 address "management" only atm. Guests have to be configured manually (ie no DHCPv6)

    Maybe I'm misunderstanding, but the most recent update has a network configuration button that actually does configure IPv6 on KVM guests.

  • @Taz said: I doubt.

    Well it's "true" to some extent. I'm sure if you paid enough you could buy the entire BuyVM.

    But then yes, Fran might not want to sell even if offered a billion. Who knows.

  • @concerto49 said: Well it's "true" to some extent. I'm sure if you paid enough you could buy the entire BuyVM.

    But then yes, Fran might not want to sell even if offered a billion. Who knows.

    I think Fran wants to but Aldryic is like NAWWWWWWW