Blocking network access to abusive KVM guests

edited October 2012 in Help

How do you usually handle cases where you need to block network access to a specific KVM guest if for example he's sending out spam? (provided you don't have access to networking equipment, but only to your node)

I used to do it with iptables (see below), but with IP Stealing & ARP Attack functionality still not working on SolusVM v1.13.00 and CentOS 6, there's always the chance a malicious user finds a free IP, statically configures it and continues his activity.

iptables -A INPUT -s ip_address -j DROP
iptables -A FORWARD -s ip_address -j DROP

The next solution was to detach the network interface of his KVM guest via virsh

# virsh detach-interface --domain kvm1xx --type bridge --mac xx:xx:xx:xx:xx:xx

Now he can try all the IPs in the world, he's not getting his traffic out.

A problem I faced with this method was that I couldn't reattach the network interface (ie when the user has logged into his VPS through VNC, cleaned it and wanted to get reconnected).

# virsh attach-interface --domain kvm1xx --type bridge --mac xx:xx:xx:xx:xx:xx --source br0
error: Failed to attach interface
error: internal error unable to execute QEMU command 'device_add': Duplicate ID 'net0' for device

Another thing is if the user clicks the Reboot button from within SolusVM, the network interface gets recreated and he's back to business.

So what's your way of temporarily blocking network access to KVM guests?

Comments

  • TazTaz Member

    Why not simply suspend the user? I don't see a reason for you to allow him back if he is being malicious.

  • FranciscoFrancisco Top Host, Host Rep, Veteran

    iptables -A FORWARD.... might work but unlikely.

    You could always just use ebtables?

    ebtables -A FORWARD -i INTERFACE_OF_KVM -j DROP

    Francisco
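    An added example (not posted in the thread) that puts the ebtables approach into a small host-side script: it reads the guest's MAC and tap device from `virsh domiflist` and drops frames keyed on the MAC, so a guest that statically configures a "free" IP is still cut off. The domain name `kvm1xx`, the MAC `52:54:00:12:34:56` and the `domiflist` output are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread: block/unblock a KVM guest at the
# Ethernet layer with ebtables. Rules match the guest's MAC, not its IP,
# so changing the IP inside the guest does not bypass them.
# Constructed sample of what `virsh domiflist kvm1xx` prints:
SAMPLE_DOMIFLIST='Interface  Type    Source  Model   MAC
-------------------------------------------------------
vnet3      bridge  br0     virtio  52:54:00:12:34:56'

# Extract MAC and tap interface of the first bridge-type interface.
guest_mac()   { printf '%s\n' "$1" | awk '$2=="bridge"{print $5; exit}'; }
guest_iface() { printf '%s\n' "$1" | awk '$2=="bridge"{print $1; exit}'; }

# Emit the ebtables commands that block a guest. The -s (source MAC) rules
# keep matching after a SolusVM reboot recreates the tap device, because the
# MAC comes from the domain config; the -i rule also drops anything leaving
# the current tap device.
build_block_rules() {
    mac=$1; iface=$2
    printf 'ebtables -I FORWARD -s %s -j DROP\n' "$mac"
    printf 'ebtables -I INPUT -s %s -j DROP\n' "$mac"
    printf 'ebtables -I FORWARD -i %s -j DROP\n' "$iface"
}

# Same rules with -D, to re-enable the guest once it has been cleaned.
build_unblock_rules() {
    mac=$1; iface=$2
    printf 'ebtables -D FORWARD -s %s -j DROP\n' "$mac"
    printf 'ebtables -D INPUT -s %s -j DROP\n' "$mac"
    printf 'ebtables -D FORWARD -i %s -j DROP\n' "$iface"
}

# Run each emitted command (needs root and ebtables on the node).
apply_rules() { while read -r cmd; do $cmd || return 1; done; }

# On a real node: block_guest kvm1xx / unblock_guest kvm1xx
block_guest() {
    out=$(virsh domiflist "$1") || return 1
    build_block_rules "$(guest_mac "$out")" "$(guest_iface "$out")" | apply_rules
}
unblock_guest() {
    out=$(virsh domiflist "$1") || return 1
    build_unblock_rules "$(guest_mac "$out")" "$(guest_iface "$out")" | apply_rules
}
```

    Because the rules live on the node rather than in the guest, VNC access through SolusVM keeps working while the guest is cut off from the bridge.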

  • @Taz said: Why not simply suspend the user? I don't see a reason for you to allow him back if he is being malicious.

    Because sending spam can happen accidentally (user got hacked) or on purpose (user is a spammer). I want to provide the user a 24h option to access his VPS through VNC and fix it, in case he got hacked, during which time his network connection will be blocked (and will be re-enabled after verifying that his VPS is clean). If he doesn't respond to the ticket within 24h then he's most probably a spammer, and his service gets suspended.

  • @Francisco said: You could always just use ebtables?

    I thought an incompatibility between CentOS 6 x64 and ebtables was the reason IP Stealing & ARP Attack isn't working in the first place so I never tried it: http://www.lowendtalk.com/discussion/4024/solusvm-ebtables-ipv6-issues
    Will check it out, thanks :)

  • @George_Fusioned said: How do you usually handle cases where you need to block network access to a specific KVM guest if for example he's sending out spam? (provided you don't have access to networking equipment, but only to your node)

    @ErawanArifNugroho said: @miTgiB

    No idea, I use a router and block it there.

  • FranciscoFrancisco Top Host, Host Rep, Veteran

    @George_Fusioned said: I thought an incompatibility between CentOS 6 x64 and ebtables was the reason IP Stealing & ARP

    Nope, just Solus' inability to code properly.

    Their iptheft stuff is pretty broken and IPV6 is 100% shot.

    It was one of the major bugs we had before we moved to stallion

    Fran

    Thanked by 1George_Fusioned
  • jarjar Patron Provider, Top Host, Veteran
    edited October 2012

    @Francisco Just imagine the extra income from licensing Stallion monthly.

    Just saying... ;)

    Maybe after a redesign?

  • TazTaz Member

    Don't build your hopes up. Francisco ain't selling it.

  • Nick_ANick_A Member, Top Host, Host Rep

    @Francisco said: IPV6 is 100% shot.

    :sigh:

  • @Nick_A said: :sigh:

    @SimpleNode - let's blame SolusVM instead of Incero this time for no IPv6 :)

  • Nick_ANick_A Member, Top Host, Host Rep

    @concerto49 said: @SimpleNode - let's blame SolusVM instead of Incero this time for no IPv6 :)

    IPv6 is there with SolusVM but it's, well, :sigh:

    Thanked by 1George_Fusioned
  • jarjar Patron Provider, Top Host, Veteran

    @Taz Everything has a price ;)

  • TazTaz Member

    I doubt.

  • ebtables, allow his MAC only to use 127.0.0.1 and then block all other traffic from it.

    Thanked by 1George_Fusioned
  • @William said: ebtables, allow his MAC only to use 127.0.0.1 and then block all other traffic from it.

    Thanks I'll try that out :)

  • @Nick_A said: IPv6 is there with SolusVM but it's, well, :sigh:

    It's practically for IPv6 address "management" only atm. Guests have to be configured manually (ie no DHCPv6), no IP Stealing functionality... and I'm pretty sure this won't change for at least the next 6 months.

  • fileMEDIAfileMEDIA Member
    edited October 2012

    Yeah bad things, I talked with phil a few weeks ago and no ip stealing with ipv6 and dhcpv6 is planned. I hope onapp includes the new iso function very soon (v3), then i go with onapp.

  • @fileMEDIA said: Yeah bad things, I talked with phil a few weeks ago and no ip stealing with ipv6 and dhcpv6 is planned. I hope onapp includes the new iso function very soon (v3), then i go with onapp.

    Mind you that OnApp is now $500/month minimum.

  • @George_Fusioned said: Mind you that OnApp is now $500/month minimum.

    Not necessarily :)

  • No problem, each node 4 to 12 cores. We have lots of them, that's than 500 per month.

  • @GetKVM_Ash said: Not necessarily :)

    You mean by using the Free version? Because otherwise:

    • The minimum deployment for the full version is one cloud (one controller server) and up to 40 hypervisor CPU cores, for $500 per month.

    Source: http://onapp.com/getonapp/

    @fileMEDIA said: No problem, each node 4 to 12 cores. We have lots of them, that's than 500 per month.

    Well then no problem indeed :)

  • jhjh Member

    @George_Fusioned said: The minimum deployment for the full version is one cloud (one controller server) and up to 40 hypervisor CPU cores, for $500 per month.

    OnApp pricing is negotiable.

  • @jhadley said: OnApp pricing is negotiable.

    Nice to hear. To be honest I still have an option until the end of October for their old pricing ($100 per cloud + $10 per core / no minimum) since I got in touch with them before they announced their new pricing.
    Still considering it though.. :/

  • jhjh Member

    @George_Fusioned said: Still considering it though.. :/

    I think you can negotiate lower than that :P. Either way it's worth it - OnApp really is fantastic.

  • @jhadley said: I think you can negotiate lower than that :P. Either way it's worth it - OnApp really is fantastic.

    Yes you can, we have a good price, but the only thing is you need a different "cloud" for every location, and I'm not paying $100/mo + a $200/mo Server to host the CP on.

    I would rather re-invest the money I would spend on OnApp over a 2 year period into getting my own custom VPS panel made.

  • Nick_ANick_A Member, Top Host, Host Rep

    @George_Fusioned said: It's practically for IPv6 address "management" only atm. Guests have to be configured manually (ie no DHCPv6)

    Maybe I'm misunderstanding, but the most recent update has a network configuration button that actually does configure IPv6 on KVM guests.

  • @Taz said: I doubt.

    Well it's "true" to some extent. I'm sure if you paid enough you can buy the entire buyvm.

    But then yes, Fran might not want to sell even if offered a billion. Who knows.
