How to find abusers?

Due to the abuse of others, the server is vulnerable to attack, we will pay extra for broadband every month, and the load of CPU is also unbearable for customers. Need to constantly monitor the performance of your VPS, how can you do this?

Comments

  • amsaal Member
    edited April 2022

    Due to what kind of abuse? Which type of attacks are we speaking of?

    Most VPS providers won't help if it's unmanaged. If you are saying someone else is abusing the resources, which affects the other nodes/VPS, then in this case go for a KVM VPS; all resources will be dedicated to you, just the speed will be shared, but it prevents what you said, CPU load etc.

    Choosing a provider is something you have to select, along with the requirements you want from the VPS.

    I assume you're on an OpenVZ virtualization VPS, so having KVM is advantageous over OpenVZ.

    Talking about monitoring, you can find it under the kvm-node monitor stats URL if your provider has tools for it. Otherwise you can opt for 3rd party tools to monitor it.

  • jar Patron Provider, Top Host, Veteran
    edited April 2022

    It can range from being as simple as observing the output of "top" to as complex as evaluating an strace. More would need to be known about your stack and its configuration to make a deeper assumption.

    Thanked by 1 Erisa
  • desperand Member
    edited April 2022

    @SuperXP said:
    Due to the abuse of others, the server is vulnerable to attack, we will pay extra for broadband every month, and the load of CPU is also unbearable for customers. Need to constantly monitor the performance of your VPS, how can you do this?

    • firewall
    • different ports
    • CrowdSec
    • Virtualization & isolation
    • Separation
    • strict ACL policy
    • write management procedures, who is responsible for what
    • practice and experience
    • reading specific resources like OWASP, different blogs, and security researches news, reddits, LET (yea, let damn pretty extremely useful resource with a lot of nice content here).
    • updates

    I mean all mentioned above - pretty hard to properly configure and achieve, just need to start from something and grow experience.

    What about monitoring, depends on your case and scenario, there are many monitoring tools with triggers and notifications

    Without additional information impossible to tell what exactly needs to do.

  • @desperand said:

    @SuperXP said:
    Due to the abuse of others, the server is vulnerable to attack, we will pay extra for broadband every month, and the load of CPU is also unbearable for customers. Need to constantly monitor the performance of your VPS, how can you do this?

    • firewall
    • different ports
    • CrowdSec
    • Virtualization & isolation
    • Separation
    • strict ACL policy
    • write management procedures, who is responsible for what
    • practice and experience
    • reading specific resources like OWASP, different blogs, and security researches news, reddits, LET (yea, let damn pretty extremely useful resource with a lot of nice content here).
    • updates

    I mean all mentioned above - pretty hard to properly configure and achieve, just need to start from something and grow experience.

    What about monitoring, depends on your case and scenario, there are many monitoring tools with triggers and notifications

    Without additional information impossible to tell what exactly needs to do.

    Very good suggestion, thanks for your answer.

    Thanked by 1 mehargags
  • look in their garden

  • @amsaal said:
    Due to what kind of abuse? Which type of attacks are we speaking of?

    Most VPS providers won't help if it's unmanaged. If you are saying someone else is abusing the resources, which affects the other nodes/VPS, then in this case go for a KVM VPS; all resources will be dedicated to you, just the speed will be shared, but it prevents what you said, CPU load etc.

    Choosing a provider is something you have to select, along with the requirements you want from the VPS.

    I assume you're on an OpenVZ virtualization VPS, so having KVM is advantageous over OpenVZ.

    Talking about monitoring, you can find it under the kvm-node monitor stats URL if your provider has tools for it. Otherwise you can opt for 3rd party tools to monitor it.

    This can be solved with InfluxDB and Grafana, I'm already implementing the plan, thank you.

  • darb Member
    edited April 2022

    You are a provider, or a subscriber to a third party?

    If the former, it all starts with verification of user information when they subscribe and a comprehensive acceptable use policy. Allowing crypto just invites abuse IMHO.

    @SuperXP said:
    Due to the abuse of others, the server is vulnerable to attack, we will pay extra for broadband every month, and the load of CPU is also unbearable for customers. Need to constantly monitor the performance of your VPS, how can you do this?

  • yoursunny Member, IPv6 Advocate

    Publish a list of abusers.
    Ask Santa Claus to put them on the naughty list if they don't change their behavior.

    Example

    If you see your IP address below, please stop hiding in the shadows and attacking my website.
    Come out and let's duel at dawn.

    sunny@vps4:/var/log/caddy$ zcat yoursunny2017-2022-03-13T12-50-55.713.log.gz | jq -r 'select(.request.uri | startswith("/wp-")) | .request.remote_addr' | awk '{ gsub(/:[^:]*$/,""); print $0 }' | sort | uniq -c | sort -nk1 | tail
          5 20.127.123.100
          5 27.116.61.100
          5 52.149.4.204
          8 159.242.234.117
         12 45.201.198.232
         12 47.241.1.242
         12 8.214.3.99
         26 2.56.56.192
         32 [2001:41d0:303:ac05::]
         34 68.183.95.191
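
Added example, not part of the post above: a Python version of the same per-client count over Caddy JSON access logs. It goes beyond the jq/awk pipeline by parsing bracketed IPv6 addresses and grouping IPv6 clients by /64. The sample log lines are constructed, and the `remote_ip` fallback, the /64 grouping and the `min_hits` threshold are assumptions of this example.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample lines in the JSON access-log shape (documentation IPs).
SAMPLE = [
    '{"request":{"remote_addr":"192.0.2.10:51234","uri":"/wp-login.php"}}',
    '{"request":{"remote_addr":"192.0.2.10:51240","uri":"/wp-admin/setup-config.php"}}',
    '{"request":{"remote_addr":"[2001:db8:1:2::a]:40000","uri":"/wp-content/x.php"}}',
    '{"request":{"remote_addr":"[2001:db8:1:2::b]:40001","uri":"/wp-includes/y.php"}}',
    '{"request":{"remote_addr":"203.0.113.5:1111","uri":"/wp-json/"}}',
    '{"request":{"remote_ip":"198.51.100.7","uri":"/index.html"}}',
    'truncated line, not JSON',
]


def client_key(request):
    """Client address without the port; IPv6 clients are grouped by /64."""
    # Assumption: some logs carry a port-less "remote_ip" next to "remote_addr".
    raw = str(request.get("remote_ip") or request.get("remote_addr") or "")
    if raw.startswith("["):            # "[2001:db8::1]:443"
        raw = raw[1:].split("]", 1)[0]
    elif raw.count(":") == 1:          # "192.0.2.1:443"
        raw = raw.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return None
    if ip.version == 6:
        return str(ipaddress.ip_network(f"{ip}/64", strict=False))
    return str(ip)


def count_probes(lines, prefixes=("/wp-",)):
    """Count requests per client whose URI starts with one of the prefixes."""
    hits = Counter()
    for line in lines:
        try:
            request = json.loads(line).get("request", {})
        except (ValueError, AttributeError):
            continue                   # skip truncated or non-object lines
        if isinstance(request, dict) and str(request.get("uri", "")).startswith(prefixes):
            key = client_key(request)
            if key:
                hits[key] += 1
    return hits


def top_offenders(lines, min_hits=2):
    """Clients at or above min_hits, busiest first, ties ordered by address."""
    found = [(k, n) for k, n in count_probes(lines).items() if n >= min_hits]
    return sorted(found, key=lambda kv: (-kv[1], kv[0]))
```

For a rotated log, pass `gzip.open(path, "rt")` as `lines`; the returned list can feed a firewall set or an abuse report.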
    
  • darb Member

    If you are an end user, I highly recommend CSF firewall, and if you are running on PHP then CIDRAM: Classless Inter-Domain Routing Access Manager.

  • Void Member

    @SuperXP said:

    @desperand said:

    @SuperXP said:
    Due to the abuse of others, the server is vulnerable to attack, we will pay extra for broadband every month, and the load of CPU is also unbearable for customers. Need to constantly monitor the performance of your VPS, how can you do this?

    • firewall
    • different ports
    • CrowdSec
    • Virtualization & isolation
    • Separation
    • strict ACL policy
    • write management procedures, who is responsible for what
    • practice and experience
    • reading specific resources like OWASP, different blogs, and security researches news, reddits, LET (yea, let damn pretty extremely useful resource with a lot of nice content here).
    • updates

    I mean all mentioned above - pretty hard to properly configure and achieve, just need to start from something and grow experience.

    What about monitoring, depends on your case and scenario, there are many monitoring tools with triggers and notifications

    Without additional information impossible to tell what exactly needs to do.

    Very good suggestion, thanks for your answer.

    Set up an IDS/IPS solution along with a firewall, or use a NextGen Firewall if your budget permits.

  • @yoursunny said:
    Publish a list of abusers.
    Ask Santa Claus to put them on the naughty list if they don't change their behavior.

    Example

    If you see your IP address below, please stop hiding in the shadows and attacking my website.
    Come out and let's duel at dawn.

    sunny@vps4:/var/log/caddy$ zcat yoursunny2017-2022-03-13T12-50-55.713.log.gz | jq -r 'select(.request.uri | startswith("/wp-")) | .request.remote_addr' | awk '{ gsub(/:[^:]*$/,""); print $0 }' | sort | uniq -c | sort -nk1 | tail
          5 20.127.123.100
          5 27.116.61.100
          5 52.149.4.204
          8 159.242.234.117
         12 45.201.198.232
         12 47.241.1.242
         12 8.214.3.99
         26 2.56.56.192
         32 [2001:41d0:303:ac05::]
         34 68.183.95.191
    

    Thanked by 2 yoursunny taizi