Process names

edited April 2015 in Help

Hello,

I'm looking for the process names for the following pieces of software:

TOR
Torrents
Nested Virtualization
@home software
IRC (bouncers)
IRC (servers)
Hipleap & alternatives
bitcoin miners

Regards,
Tom


Comments

  • They can be changed thus rendering your method useless. Still, you'll catch many abusers.

  • edited April 2015

    @Traffic said:
    They can be changed thus rendering your method useless. Still, you'll catch many abusers.

    Just caught 1 TOR & 2 torrents

  • Traffic Member
    edited April 2015

    @TinyTunnel_Tom said:
    Just caught 1 TOR & 2 torrents


    Traffic said: Still, you'll catch many abusers.

    ;)

    Thanked by 1 TinyTunnel_Tom
  • Traffic Member
    edited April 2015

    Out of my head:

    Bitcoin miners:

    minerd

    bitcoind > normal coin daemon - there is no need for it to mine!

    litecoind > normal coin daemon - there is no need for it to mine!

    primecoind > normal coin daemon - there is no need for it to mine!

    [coin-name-here]d > normal coin daemon - there is no need for it to mine!

  • I hope no one's going to help you block legitimate software, find it out yourself....

  • [coin-name-here]d

    Not always the case.... and like William said, not going to help you find reasons to suspend people's VPS....

    Been mining on a very well known major host for 18 months now, pay my bill on time every month, host is aware, no complaints...

    Some people on this forum spent way too much time trying to "catch" people, so they can suspend their VPS. It makes your company look unprofessional. Focus more on your infrastructure.

    Thanked by 1 Mark_R
  • @William said:
    I hope no one's going to help you block legitimate software, find it out yourself....

    You made a point. Updated my post to show common sense in those who can be something else.

    Also, @TinyTunnel_Tom : I can get any app and name it tor - make sure you are really sure of what it is before blocking it.

  • @funyuns_are_awesome
    @William
    @Traffic
    90% of this is not for suspensions. We have torrent clients running on our network, we just actively monitor them more often. Both of them are seeding Linux ISOs, which we are fully aware of; however, we have made a few adjustments to their plans accordingly. Regarding TOR, we have a strict TOR policy and do not instantly ban but inquire with the VPS user. We even monitor a few game servers just to ensure they do not go overkill on any resources. I intend to make a nodewatch (watch) style system to just monitor what software is running on our network.

  • You should as ISP NEVER look what a process does or monitor it - In the EU this is even already illegal as it is not your data.

  • @William said:
    You should as ISP NEVER look what a process does or monitor it - In the EU this is even already illegal as it is not your data.

    So why is nodewatch allowed? It runs I think ps then emails it to the admin upon outbound DoS?

  • @TinyTunnel_Tom said:
    So why is nodewatch allowed? It runs I think ps then emails it to the admin upon outbound DoS?

    I'm sure that's an exception because you're only using that information to stop further breaking of the Computer Misuse Act. As soon as the info is no longer needed it should be deleted.

  • jarjar Patron Provider, Top Host, Veteran

    Well, for one thing, a host is obviously obligated to look at the node performance and should not be restricted from using commands like "ps" and "top" to identify problems. Willingly tying one's hands behind one's back so that you are incapable of basic system administration tasks does not benefit customers. On OpenVZ, this does mean seeing process names. People here don't like that, so it's better not to talk about doing it.

    However, process names won't get you very far. Focus on what is causing problems at what time, and not on who is running what. The worst problems will be caused by processes with unpredictable names.
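Added example, not part of the thread and not any poster's code: flagging processes by sustained CPU use across polls instead of by name, as the post above recommends. The sample lines, their column layout, the thresholds and the function name `sustained_cpu` are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed samples (not real data): epoch seconds, container ID, PID,
# process name, CPU percent. One line per process per 60-second poll.
SAMPLES = """\
1000 101 4242 httpd 99.0
1000 102 5151 minerd 3.0
1000 103 6161 httpd 12.0
1060 101 4242 httpd 98.5
1060 102 5151 minerd 2.5
1060 103 6161 httpd 95.0
1120 101 4242 httpd 99.7
1120 102 5151 minerd 3.1
1120 103 6161 httpd 8.0
"""

def sustained_cpu(text, threshold=90.0, min_polls=3):
    """Return {(ctid, pid): name} for processes at or above `threshold`
    percent CPU in at least `min_polls` consecutive polls."""
    history = defaultdict(list)          # (ctid, pid) -> [(ts, name, cpu)]
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                     # skip blank or malformed lines
        ts, ctid, pid, name, cpu = parts
        history[(ctid, pid)].append((int(ts), name, float(cpu)))

    flagged = {}
    for key, rows in history.items():
        rows.sort()                      # order by timestamp
        run = 0
        for _, name, cpu in rows:
            run = run + 1 if cpu >= threshold else 0
            if run >= min_polls:
                flagged[key] = name
                break
    return flagged

if __name__ == "__main__":
    for (ctid, pid), name in sustained_cpu(SAMPLES).items():
        print(f"container {ctid} pid {pid} ({name}): sustained high CPU")
```

In the constructed data a name filter would flag the idle `minerd` in container 102 and miss the `httpd` in container 101 that holds the CPU for three polls; the one-poll spike in container 103 is ignored.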

  • @rmlhhd said:
    I'm sure that's an exception because you're only using that information to stop further breaking of the Computer Misuse Act. As soon as the info is no longer needed it should be deleted.

    That's exactly all mine does, the same as nodewatch, so where is the difference?

    @Jar said:
    Well, for one thing, a host is obviously obligated to look at the node performance and should not be restricted from using commands like "ps" and "top" to identify problems. Willingly tying one's hands behind one's back so that you are incapable of basic system administration tasks does not benefit customers. On OpenVZ, this does mean seeing process names. People here don't like that, so it's better not to talk about doing it.

    However, process names won't get you very far. Focus on what is causing problems at what time, and not on who is running what. The worst problems will be caused by processes with unpredictable names.

    Thank you Jar. We are aware of this. We also monitor CPU (sort of; the OVZ kernel is quite bad at reporting this), which allows us to view CPU-intensive items (miners). We also monitor I/O, which is good for I/O-intense programs. And conntrack + packets. This process name is mainly used just to catch out the odd few items, as the more abuse we can prevent the better the performance.

    I'm not saying all these processes are banned. Most are not, just some can cause abuse so we like to be helpful in every way.

  • William Member
    edited April 2015

    TinyTunnel_Tom said: So why is nodewatch allowed? It runs I think ps then emails it to the admin upon outbound DoS?

    Because it gets data by the packet counter - Not by inspecting the traffic. Second would be illegal, first isn't.

    Looking at the process name itself is also not illegal (unless you have to enter the VM for it) - Analyzing it (i.e. look if Tor middle or exit node, Traffic and alike) is.

  • @William said:

    Yes, I am aware. I don't monitor data other than conntrack (when high packet counter), same as nodewatch. To get process names we do not enter the container. We just question anytime TOR appears.

  • Run a miner as httpd, process watching thwarted

  • @doughmanes said:
    Run a miner as httpd, process watching thwarted

    When I see CPU @ 100% I'm going to be suspicious

  • @TinyTunnel_Tom said:
    When I see CPU @ 100% I'm going to be suspicious

    Maybe the, uh, "home videos" they have saved on their server is just really good and in high demand :P

    Thanked by 2 doughmanes Mark_R
  • KwiceroLTD Member
    edited April 2015

    @TinyTunnel_Tom said:
    Hello,

    I'm looking for the process names for the following pieces of software:

    TOR
    Torrents
    Nested Virtualization
    @home software
    IRC (bouncers)
    IRC (servers)
    Hipleap & alternatives
    bitcoin miners

    Regards,
    Tom

    Block the following process:
    'xinetd'

    Will solve problems...

  • @user123 said:
    Maybe the, uh, "home videos" they have saved on their server is just really good and in high demand :P

    Still violating fair share policy.

  • Some will even try to throttle mining. I deal with node abuse on a pretty consistent basis and have seen everything. Some have even tried using "xhide", an old process hider.

  • Because, you know, legit software and such requires xhide to hide processes ;)

  • Not your f*ing problem how your customers run software. You should not even know that - it implies you looked into this VPS and violated customer privacy.

  • user123 Member
    edited April 2015

    @doughmanes said:
    Because, you know, legit software and such requires xhide to hide processes ;)

    So THAT's how you found out I was running virtualstripperd??? :(

    ETA: You run a VPS company?

    Thanked by 1 doughmanes
  • So what abuse do you hope to stop by killing irc bouncers? They use almost no bandwidth or CPU...

  • @joereid said:
    So what abuse do you hope to stop by killing irc bouncers? They use almost no bandwidth or CPU...

    none. Just mainly want to distinguish between servers and bouncers to stop false positives.

  • @TinyTunnel_Tom said:
    none. Just mainly want to distinguish between servers and bouncers to stop false positives.

    You can do that easily by looking at the traffic and not snooping on your customers' processes. Servers typically listen on tcp/6667 and will have a ton of connections while bouncers won't.
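Added example, not part of the thread and not any poster's code: the traffic-based distinction described in the post above, applied to `ss -tan`-style socket lines. The sample lines (documentation addresses), the `min_clients` threshold, the verdict labels and the function names are assumptions made for illustration.

```python
from collections import Counter

IRC_PORT = "6667"  # the port named in the post above

# Constructed `ss -tan`-style lines (not real data):
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SS_OUTPUT = "\n".join(
    ["LISTEN 0 128 192.0.2.10:6667 0.0.0.0:*"]
    + [f"ESTAB 0 0 192.0.2.10:6667 198.51.100.{i}:5{i:04d}" for i in range(1, 9)]
    + ["LISTEN 0 128 192.0.2.20:7000 0.0.0.0:*",
       "ESTAB 0 0 192.0.2.20:7000 203.0.113.5:40112",
       "ESTAB 0 0 192.0.2.20:48810 198.51.100.77:6667",
       "ESTAB 0 0 192.0.2.30:22 203.0.113.9:51000"]
)

def split_addr(field):
    """Split 'host:port' on the last colon so bracketed IPv6 also works."""
    host, _, port = field.rpartition(":")
    return host, port

def classify(ss_text, min_clients=5):
    """Map each local address with IRC-port traffic to a verdict string."""
    listeners = set()
    inbound, outbound = Counter(), Counter()
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue                      # header, blank or truncated line
        state = parts[0]
        lhost, lport = split_addr(parts[3])
        _, pport = split_addr(parts[4])
        if state == "LISTEN" and lport == IRC_PORT:
            listeners.add(lhost)
        elif state == "ESTAB" and lport == IRC_PORT:
            inbound[lhost] += 1           # a client connected to us
        elif state == "ESTAB" and pport == IRC_PORT:
            outbound[lhost] += 1          # we connected to an IRC server
    verdicts = {}
    for host in listeners | set(inbound) | set(outbound):
        if host in listeners and inbound[host] >= min_clients:
            verdicts[host] = "likely-server"
        elif outbound[host] > 0:
            verdicts[host] = "likely-bouncer-or-client"
        else:
            verdicts[host] = "inconclusive"
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(classify(SS_OUTPUT).items()):
        print(host, verdict)
```

Only socket state and port numbers are read here; no payload is inspected and no process list is consulted.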

  • @joereid said:
    You can do that easily by looking at the traffic and not snooping on your customers' processes. Servers typically listen on tcp/6667 and will have a ton of connections while bouncers won't.

    Good idea. Thank you

  • @TinyTunnel_Tom said:
    We have torrent clients running on our network, we just actively monitor them more often. Both of them are seeding Linux ISOs which we are fully aware of however we have made a few adjustments to their plans accordingly.

    If you monitor for torrent clients, either let the user know you don't allow clients (which I think you said you did in another thread, on behalf of MyServerPlanet) or let them know you'll adjust their plan. Don't snoop through their account looking at what they're torrenting. If you admit to doing that, what else are you looking at?

    If you allow torrents, but limit accounts to XX% CPU usage, and XXmbps upload, then make sure it's clear to users before limiting their account.

  • @hostnoob said:
    If you allow torrents, but limit accounts to XX% CPU usage, and XXmbps upload, then make sure it's clear to users before limiting their account.

    We don't snoop within the containers purely if torrent is running from ps. If they are using lots of BW we will work with them to keep both sides happy. As for CPU, it's fair share. Basically, just don't max it 24/7, which is kinder than Matt's 2.5%.

    We had one person trigger the packet warning earlier. It turned out nodewatch ran ps and found torrent running. We have now adjusted both sides and he is happily seeding the Linux ISOs he showed.

This discussion has been closed.