DDoS Protection
Hey guys,
I'm looking for some advice on DDoS protection. I recently purchased a VPS from upcloud that worked great for my needs. I was running WordPress sites via webuzo; however, a hacker got in and uploaded script kiddies to all my hosted sites and used up over 6TB of bandwidth, which upcloud charged to my account. This was basically my first time dealing with a VPS and I abused their support due to my lack of knowledge. Afterwards I installed a firewall and only opened the ports necessary for access to webuzo; 5 days later, hacked again. I decided to route everything through Cloudflare; however, my sites began taking 3 secs+ to load versus the -1sec without Cloudflare. Bam, hacked again because I was using email on my server and this exposed my IP. Having decided to abandon upcloud, I purchased a plan with Cloudcone; the speed/load time is way slower but they offer DDoS protection. My question is, will the DDoS protection that Cloudcone or any VPS provider offers be enough to protect me from getting hacked again?
Comments
I would suggest a managed VPS or shared hosting.
Cloudcone said their vps packages are managed, hopefully this works out for me. Can you recommend a provider though?
You should identify how you're getting hacked. You said you were using email and it exposed the IP. How are the people "getting in" to your server? Are they getting your SSH password? Are they abusing an exploit in a script or Wordpress plugin? Do you know?
If not, check logs or see what port the traffic is originating from.
Getting DDoS'd isn't the same as getting hacked. It's not clear in your post what is happening, add more info?
You could get an unmanaged VPS and install CentminMod, that way it's easy to manage, has Wordpress options and is generally more secure.
I'm really not sure, to be honest. I changed the SSH password from the default to a strong one (128 key length). I mainly use WordPress plugins and themes from the free selection. Quite honestly I already deleted the VPS instances I had over at upcloud, but they did show in the logs that someone had connected via SSH from China, I believe. It was a 12 hour attack as the bandwidth spiked within that time. I believe a managed VPS may be the way to go for me. Shared hosting is just too slow during peak hours!
If someone connected to SSH then you probably have a weak password, but if it really is a managed VPS the provider should have secured it or given you steps to secure it. Even changing the SSH port will stop most of the scanners/bots and it takes a few seconds.
Some shared hosts are very good, you'd just need to look for higher limits on the plans since everyone uses CloudLinux with resource limits.
My first password was sorta weak, but then I changed it to a much stronger password (128 keys) and a new IP. Somehow the guy still got in.
The VPS was unmanaged, so it's no fault of upcloud. I do miss their service though; I was with Digital Ocean and Vultr before but they never gave me speed like upcloud. Cloudcone claims their VPS servers are managed, but I still went ahead and purchased a plan from mxroute for emails. Is there another way to hide my IP rather than Cloudflare? I'm not sure why my site speed decreases with them. Or should I get a plan from bunnycdn and let it work together with Cloudflare?
Ah sorry, misread and thought a reply above was talking about your current one being managed. CloudFlare is the easiest way to hide everything (and remote mail, since you bought an mxroute package) as long as you only have the single DNS entry needed for the website. Obviously if there's an exploit in a WordPress plugin or something it won't matter anyway. Install Wordfence maybe.
Hmm, didn't know that someone could access a server due to a WordPress installation. Thanks for the tip.
But the OP said the hacker could SSH login, so it probably is not a WordPress installation issue.
I don't think mxroute will hide the IP of the sending server (unless we're talking about a different plan - I use them as an smtp relay so my log/alert etc. emails from different servers/VPS go to inbox rather than spam without having to mess about with SPF records).
@stephfd21 Did they get in via SSH each time you got hacked or was it just the first time? After the first hack did you reinstall everything from scratch or restore from a (possibly tainted) backup?
I'm definitely no expert which is why I suggested a managed VPS or shared hosting, a reputable host will know far more than you or I ever will about security/0-day and will hopefully keep their systems patched/updated.
@stephfd21, have you raised a ticket? Let me have your ticket ID.
Normal mxroute spoofs IP.
Amazon SES hides the origin IP and costs 10 ct/1000 mails.
Hey guys, it's not your service that's having the issue, it's upcloud's. Actually it's my fault for not securing my server. My main concern was the security of the server, as it's obvious that I can't manage it myself.
I did install a backup of the files; hmm, that may be why the 2nd hack took place...
I suggest you start with a fresh install on a fresh server and follow these instructions: https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-18-04.
It's important to add a new user to the server and disable root login. A few years back I ordered vps from a provider and went to bed before it was delivered. Came back the next morning and found over 40,000 root login attempts in the space of 6 hours!
Considering you said you don't have much experience running things, sign up with Runcloud and use that instead of cpanel.
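The fresh-install advice above boils down to a handful of sshd_config settings (no root login, keys instead of passwords). The script below is an added example, not part of the thread or of the linked guide; it edits whatever file path it is given, so it can be tried on a copy first (the sample config it builds is constructed here, as are the /tmp paths). On a real host you would point it at /etc/ssh/sshd_config, run `sshd -t`, and restart sshd, after confirming your non-root user's key works.

```shell
#!/bin/sh
# Added example (not from the thread): harden an sshd_config the way the
# linked guide describes. Works on the file given as an argument so it can be
# tested on a constructed copy before touching /etc/ssh/sshd_config.

set -eu

# sshd_set FILE KEY VALUE: remove every existing line for KEY (commented or
# not) and put "KEY VALUE" at the top of the file. sshd honours the first
# occurrence of a keyword, and global settings must precede any Match block,
# so prepending is safer than appending.
sshd_set() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp"
    printf '%s %s\n' "$key" "$value" > "$tmp"
    grep -v -i -E "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file" >> "$tmp" || true
    mv "$tmp" "$file"
}

# sshd_get FILE KEY: print the effective value (first uncommented match),
# or "unset" when the file leaves the keyword at its compiled-in default.
sshd_get() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == k { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# harden_sshd FILE: apply the settings the guide recommends.
harden_sshd() {
    f=$1
    sshd_set "$f" PermitRootLogin no           # log in as your sudo user instead
    sshd_set "$f" PasswordAuthentication no    # keys only: mass guessing is useless
    sshd_set "$f" PubkeyAuthentication yes
    sshd_set "$f" PermitEmptyPasswords no
    sshd_set "$f" MaxAuthTries 3
}

# make_sample FILE: constructed config resembling a distro default, with root
# login allowed and password auth left at its implicit default of "yes".
make_sample() {
    cat > "$1" <<'EOF'
# Sample sshd_config (constructed for this example)
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
}

# Demo: ./harden.sh demo  (writes and prints a constructed /tmp copy only)
if [ "${1:-}" = "demo" ]; then
    make_sample /tmp/sshd_config.sample
    harden_sshd /tmp/sshd_config.sample
    echo "PermitRootLogin is now: $(sshd_get /tmp/sshd_config.sample PermitRootLogin)"
    cat /tmp/sshd_config.sample
fi
```

The 40,000 root attempts in six hours mentioned above are exactly what `PermitRootLogin no` plus key-only login neutralises: the bots still knock, but there is no password to guess and no root account to land on.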
Which security plugin were you using on the site?
I bought a yearly package with webuzo as it has a cPanel layout. I'll check out Runcloud now.
which wordpress security plugin were you using?
Are you being hacked or attacked by DDoS?
If you're getting hacked, you should change your passwords, install a WAF firewall, search for suspicious files in your web server, close unwanted open ports, and if you use PHP, disable PHP functions that can be used to hack your server, like exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source, fopen, fsockopen etc.
But... if you're getting DDoSed, try services like Sucuri CloudProxy or Cloudflare Under Attack Mode. Also make sure that your site cannot be accessed directly (limiting access to only Cloudflare or Sucuri IP addresses). If it is a Layer 4 DDoS, maybe you might want an OVH server or one from any other mitigation provider (Psychz, Voxility, Corero, etc.).
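Two of the "if you're getting hacked" steps above can be scripted: setting disable_functions in php.ini, and hunting for PHP files where WordPress should only ever keep media. The script below is an added example written for this thread, not code from the poster or from any of the products named; the php.ini and site tree it builds are constructed, and the function list is the post's own minus the entries the next reply says break legitimate plugins (fopen, fsockopen, curl_exec, curl_multi_exec), which you can add back if your site tolerates it.

```shell
#!/bin/sh
# Added example (not from the thread): two defender-side checks from the
# advice above. (1) Set disable_functions in a php.ini so a planted script
# cannot call exec()/system()/etc. (2) List PHP files under wp-content/uploads,
# which should hold only media. Paths are parameters so the functions can be
# exercised on a constructed tree before running them against a real site.

set -eu

# Functions the post suggests disabling, minus the ones the reply below warns
# break legitimate plugins (fopen, fsockopen, curl_exec, curl_multi_exec).
RISKY_FUNCS='exec,passthru,shell_exec,system,proc_open,popen,show_source,parse_ini_file'

# php_disable_functions INI LIST: write "disable_functions = LIST", replacing
# any existing (even ';'-commented) directive so only one copy remains.
php_disable_functions() {
    ini=$1; list=$2
    tmp="$ini.tmp"
    grep -v -E '^[[:space:]]*;?[[:space:]]*disable_functions[[:space:]]*=' "$ini" > "$tmp" || true
    printf 'disable_functions = %s\n' "$list" >> "$tmp"
    mv "$tmp" "$ini"
}

# php_disabled INI: print the effective disable_functions value (empty if unset).
php_disabled() {
    sed -n -E 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# php_in_uploads DIR: list PHP-executable files under any wp-content/uploads
# directory beneath DIR, sorted one per line. Anything listed is either a
# misconfiguration or a planted script and deserves a look.
php_in_uploads() {
    find "$1" -type f -path '*wp-content/uploads/*' \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) | sort
}

# make_sample_tree DIR: constructed site tree and php.ini for demonstration.
make_sample_tree() {
    root=$1
    mkdir -p "$root/site/wp-content/uploads/2020/01" "$root/site/wp-content/themes/t"
    : > "$root/site/wp-content/uploads/2020/01/photo.jpg"  # constructed: normal media
    : > "$root/site/wp-content/uploads/2020/01/image.php"  # constructed: should not be here
    : > "$root/site/wp-content/themes/t/index.php"         # constructed: legitimate theme file
    printf ';disable_functions =\nmemory_limit = 128M\n' > "$root/php.ini"
}

# Demo: ./check.sh demo  (works entirely inside a temporary directory)
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_sample_tree "$d"
    php_disable_functions "$d/php.ini" "$RISKY_FUNCS"
    echo "disable_functions now: $(php_disabled "$d/php.ini")"
    echo "PHP files under uploads:"
    php_in_uploads "$d/site"
    rm -rf "$d"
fi
```

On a real host the php.ini lives wherever `php --ini` reports and the web server (or php-fpm) needs a reload afterwards; the uploads check is cheap enough to run from cron and alert on any output.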
Thanks for the help, I'll look into this.
An organization should safeguard their DNS servers from DDoS attacks by implementing Name Server Protection.
This will prevent some legit stuff from working. Use with caution. I completely agree with disabling everything else mentioned though.
This is a completely offtopic comment; the issue is not DNS being attacked.
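The "make sure your site cannot be accessed directly" point from the reply above is what stops the OP's leaked IP from mattering: if only the proxy's published ranges can reach ports 80/443, knowing the origin address gets an attacker nothing. The script below is an added example, not the thread's or any vendor's code. It turns a file of CIDR ranges into ufw commands and refuses malformed entries, so a truncated or corrupted download cannot quietly open the port to everyone. Cloudflare publishes its ranges at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6; the list built here uses constructed documentation ranges, not a real proxy's.

```shell
#!/bin/sh
# Added example (not from the thread): generate ufw rules that let only a
# reverse proxy's published address ranges reach the web ports, so the origin
# cannot be hit directly even when its IP leaks (via mail headers, DNS history,
# and so on). Prints the commands; pipe to "sh" as root to apply them.

set -eu

# is_cidr STRING: succeed if STRING looks like an IPv4 or IPv6 CIDR.
is_cidr() {
    printf '%s' "$1" | grep -q -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' ||
    printf '%s' "$1" | grep -q -E '^[0-9a-fA-F:]+/[0-9]{1,3}$'
}

# ufw_rules_from_list FILE PORTS: print the ufw commands (one per line) that
# allow PORTS (e.g. "80,443") only from the CIDRs in FILE. Blank lines and
# '#' comments are skipped; a malformed entry aborts with an error instead of
# producing a rule set with a hole in it.
ufw_rules_from_list() {
    list=$1; ports=$2
    echo "ufw default deny incoming"
    echo "ufw allow 22/tcp"      # keep SSH reachable (use your own port if changed)
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                   # strip trailing comments
        line=$(printf '%s' "$line" | tr -d '[:space:]')    # and stray whitespace
        [ -z "$line" ] && continue
        is_cidr "$line" || { echo "bad CIDR in $list: $line" >&2; return 1; }
        echo "ufw allow proto tcp from $line to any port $ports"
    done < "$list"
}

# make_sample_list FILE: constructed list using documentation ranges; a real
# run would fetch the proxy's published ranges into this file instead.
make_sample_list() {
    cat > "$1" <<'EOF'
# constructed example ranges (RFC 5737 / RFC 3849), not a real proxy's
192.0.2.0/24
198.51.100.0/24   # inline comment is fine
2001:db8::/32
EOF
}

# Demo: ./origin-lock.sh demo   (prints the rules; nothing is applied)
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    make_sample_list "$f"
    ufw_rules_from_list "$f" 80,443
    rm -f "$f"
fi
```

Because ufw evaluates rules in order and the default policy is deny, the per-range allows are all that is needed; the same list can be refreshed from the proxy's published URL on a schedule, and the validation step means a bad fetch fails loudly rather than leaving the origin exposed. Remember that the mail server and anything else with its own DNS record still reveal the address, which is why the earlier advice was to keep a single DNS entry and move mail off the box.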