How do you usually handle cases where you need to block network access to a specific KVM guest if for example he's sending out spam? (provided you don't have access to networking equipment, but only to your node)
I used to do it with iptables (see below), but with IP Stealing & ARP Attack functionality still not working on SolusVM v1.13.00 and CentOS 6, there's always the chance a malicious user finds a free IP, statically configures it and continues his activity.
iptables -A INPUT -s ip_address -j DROP
iptables -A FORWARD -s ip_address -j DROP
The next solution was to detach the network interface of his KVM guest via virsh:
# virsh detach-interface --domain kvm1xx --type bridge --mac xx:xx:xx:xx:xx:xx
Now he can try all the IPs in the world, he's not getting his traffic out.
A problem I faced with this method was that I couldn't reattach the network interface (i.e. when the user has logged into his VPS through VNC, cleaned it and wanted to get reconnected).
# virsh attach-interface --domain kvm1xx --type bridge --mac xx:xx:xx:xx:xx:xx --source br0
error: Failed to attach interface
error: internal error unable to execute QEMU command 'device_add': Duplicate ID 'net0' for device
Another thing is if the user clicks the Reboot button from within SolusVM, the network interface gets recreated and he's back to business.
So what's your way of temporarily blocking network access to KVM guests?
Comments
@KuJoe @miTgiB
Streaming lagu sunda powered by RamNode
Why not simply suspend the user? I don't see a reason for you to allow him back if he is being malicious.
Time is good and also bad. Life is short and that is sad. Dont worry be happy thats my style. No matter what happens i won't lose my smile!
@Francisco.
iptables -A FORWARD.... might work but unlikely.
You could always just use ebtables?
ebtables -A FORWARD -i INTERFACE_OF_KVM -j DROP
Francisco
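An added example, not code from this thread or from SolusVM, that turns the ebtables rule above into a small block/unblock helper keyed on the guest's MAC, so a guest that statically configures another IP (the OP's concern) stays cut off. The bridge setup, the MAC format check and the DRY_RUN variable are assumptions.

```shell
#!/bin/sh
# Isolate a KVM guest at layer 2 by its MAC address with ebtables.
# Hypothetical helper written for this thread, not a SolusVM or libvirt tool.
# Assumes: run as root on the node, ebtables installed, guests attached to a Linux bridge.
# Keying the rules on the guest's MAC (not its IP) means a guest that statically
# configures a "free" IP is still cut off, and the rules keep matching when SolusVM
# recreates the tap interface on reboot, which is where virsh detach-interface failed.

# Return 0 if $1 looks like a MAC address (six colon-separated hex pairs).
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the ebtables commands that drop every frame from or to the guest's MAC.
# $1 = action (-A to block, -D to unblock), $2 = MAC.
# FORWARD covers frames bridged to the outside world; INPUT covers frames aimed
# at the node itself (the guest could otherwise still reach the host's daemons).
guest_rules() {
    action="$1"; mac="$2"
    printf 'ebtables %s FORWARD -s %s -j DROP\n' "$action" "$mac"
    printf 'ebtables %s FORWARD -d %s -j DROP\n' "$action" "$mac"
    printf 'ebtables %s INPUT -s %s -j DROP\n' "$action" "$mac"
}

# Run (or, with DRY_RUN=1, only print) each command produced by guest_rules.
apply_rules() {
    guest_rules "$1" "$2" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            sh -c "$cmd" || exit 1
        fi
    done
}

# Entry point: block|unblock <mac>. Does nothing when called without arguments,
# so the functions above can also be sourced on their own.
case "${1:-}" in
    block|unblock)
        if ! valid_mac "${2:-}"; then
            echo "invalid MAC: ${2:-}" >&2; exit 2
        fi
        if [ "$1" = block ]; then apply_rules -A "$2"; else apply_rules -D "$2"; fi
        # Verify the result with: ebtables -L FORWARD
        ;;
esac
```

The rules live only in the running kernel, so save them with your distribution's ebtables service if the block has to survive a node reboot.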
Because sending spam can happen accidentally (user got hacked) or on purpose (user is a spammer). I want to provide the user a 24h option to access his VPS through VNC and fix it, in case he got hacked, during which time his network connection will be blocked (and will be re-enabled after verifying that his VPS is clean). If he doesn't respond to the ticket within 24h then he's most probably a spammer, and his service gets suspended.
I thought an incompatibility between CentOS 6 x64 and ebtables was the reason IP Stealing & ARP Attack isn't working in the first place, so I never tried it: http://www.lowendtalk.com/discussion/4024/solusvm-ebtables-ipv6-issues Will check it out, thanks :)
No idea, I use a router and block it there.
Nope, just Solus' inability to code properly.
Their iptheft stuff is pretty broken and IPv6 is 100% shot.
It was one of the major bugs we had before we moved to Stallion.
Fran
@Francisco Just imagine the extra income from licensing Stallion monthly.
Just saying... ;)
Maybe after a redesign?
Don't build your hopes up. Francisco ain't selling it.
Time is good and also bad. Life is short and that is sad. Dont worry be happy thats my style. No matter what happens i won't lose my smile!
:sigh:
I run RamNode. I'll fix my sig links later.
@SimpleNode - let's blame SolusVM instead of Incero this time for no IPv6 :)
Internap VPS, Web Hosting and more - Cloud Shards | Need a VPS Upgrade?
IPv6 is there with SolusVM but it's, well, :sigh:
I run RamNode. I'll fix my sig links later.
@Taz Everything has a price ;)
I doubt it.
Time is good and also bad. Life is short and that is sad. Dont worry be happy thats my style. No matter what happens i won't lose my smile!
ebtables, allow his MAC only to use 127.0.0.1 and then block all other traffic from it.
Thanks, I'll try that out :)
It's practically for IPv6 address "management" only atm. Guests have to be configured manually (i.e. no DHCPv6), no IP Stealing functionality... and I'm pretty sure this won't change for at least the next 6 months.
Yeah, bad things. I talked with Phil a few weeks ago and no IP stealing with IPv6 and DHCPv6 is planned. I hope OnApp includes the new ISO function very soon (v3), then I'll go with OnApp.
fileMEDIA - German VM specialist! - https://www.filemedia.de
Mind you that OnApp is now $500/month minimum.
Not necessarily :)
No problem, each node 4 to 12 cores. We have lots of them, that's than 500 per month.
fileMEDIA - German VM specialist! - https://www.filemedia.de
You mean by using the Free version? Because otherwise:
Source: http://onapp.com/getonapp/
Well then no problem indeed :)
OnApp pricing is negotiable.
Nice to hear. To be honest I still have an option until the end of October for their old pricing ($100 per cloud + $10 per core / no minimum) since I got in touch with them before they announced their new pricing. Still considering it though.. :/
I think you can negotiate lower than that :P. Either way it's worth it - OnApp really is fantastic.
Yes you can, we have a good price, but the only thing is you need a different "cloud" for every location, and I'm not paying $100/mo + a $200/mo server to host the CP on.
I would rather re-invest the money I would spend on OnApp over a 2 year period into getting my own custom VPS panel made.
LoveVPS - UK & US KVM VPS from $6.95/mo - Intel Xeon CPUs - We provide KVM Virtual Servers with love!
Maybe I'm misunderstanding, but the most recent update has a network configuration button that actually does configure IPv6 on KVM guests.
I run RamNode. I'll fix my sig links later.
Well it's "true" to some extent. I'm sure if you paid enough you could buy the entire BuyVM.
But then yes, Fran might not want to sell even if offered a billion. Who knows.
Internap VPS, Web Hosting and more - Cloud Shards | Need a VPS Upgrade?
I think Fran wants to but Aldryic is like NAWWWWWWW