<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Dear,<br>
<br>
and in combination of 4 products with big names and "Security
Offering", the host freezes, guaranteed!<br>
Everybody can have this!<br>
<br>
PVE-Firewall has blocked yesterday, at the time of the attack, complete
ALL traffic again, so that nothing was <br>
going on the host! We have had the situation for 4 weeks that we
must restart the host because of this <br>
problem! And yes, we have found the problems in MySQL before, but
before we saw only small attacks!<br>
<br>
Because in a DoS attack the PVE-FIREWALL blocks from one second to the
other ALL traffic, we have <br>
written 4 weeks ago a shell script that controls the PVE-FIREWALL:
when it blocks all the traffic and<br>
it is so that no traffic from the host is going out, then this script stops
the PVE-FIREWALL automatically and <br>
sends us every minute a warning mail! But stopping the
pve-firewall in an attack is not a good workaround, but <br>
better than the total host with 500 clients hanging completely and having to
reboot, to get other stress with a long<br>
filesystem scan and possible problems with kernel bugs and
so on! <br>
<br>
This situation everybody can have from an attack from ONLY ONE
DoS attacker! <br>
<br>
For a good combination, you need, too, plesk-servers in 11.5 or 12.0,
many on your host, and in plesk 12.x there<br>
is a firewall in it, which likewise does not filter a DoS/DDoS attack. Next
product is MySQL, and about security leaks: they<br>
switched on in new versions the possibility that everybody from outside
can connect to MySQL! Before,<br>
in older versions, it was bound to only the local IP! And in the same situation,
they log by default NOTHING<br>
to syslog or other logs! So to find attacks, you must activate the
logs, but you have not a chance to stop an attack<br>
with these 3 nice security products! So about this you need the next,
4th product to stop this:<br>
<br>
Ok, a very good idea to stop traffic with fail2ban! But in older
versions with Debian Squeeze, <br>
fail2ban can't handle the error log, because they had a bug in the python
scripts about the<br>
date in the mysql error log! Only when you fix the python scripts, then
you can handle this DDoS and <br>
can stop with own scripts the DDoS for the server and with
blacklists in the host!<br>
<br>
I can't find something in the PVE-FIREWALL that limits DoS attacks
with SYN-FLOOD! With fail2ban on many<br>
other protocols, for example apache, we stop the traffic automatically,
but with MySQL this is all going on<br>
underground, because you never see this! Without a DoS, hackers can probe
thousands of hours, an admin never sees<br>
this, because in the logs by default there is nothing logged! <br>
<br>
That's absolutely dangerous, because every hoster who has many containers
running many servers with<br>
MySQL can have, with default or standard settings, a FROZEN HOST!<br>
<br>
I have found something that will prevent the DoS/DDoS attacks, but
I am not sure how to integrate it<br>
in the ipFilters and whether that's enough or not:<br>
<br>
<pre class="bash">sudo iptables -N no-syn-flood
sudo iptables -A no-syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
sudo iptables -A no-syn-flood -j DROP
sudo iptables -I INPUT -p tcp --syn -m state --state NEW -j no-syn-flood</pre>
<br>
Regards <br>
<br>
Detlef<br>
<br>
<div class="moz-cite-prefix">On 04.06.2015 at 01:54, Detlef
Bracker wrote:<br>
</div>
<blockquote cite="mid:556F93BC.3010201@1awww.com" type="cite">
<pre wrap="">Dear,
is that a good idea to prevent SYN FLOOD on a Proxmox host by uncommenting
#net.ipv4.tcp_syncookies=1
Or is there something else to prevent this in the PVE-Firewall?
We had in 2 days 2 SYN FLOODs to MySQL servers on many containers with
different destination
IPs, and they came only from one IP! The OVH DDoS Mitigation stops much of
this traffic but not all!
Only with blacklisting of the IP have we stopped it. But how can we stop this
in other ways?
Regards
Detlef
</pre>
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<p>NOTE: The text of your request is below our sender details!<br>
P.S. <a
href="http://blog.1awww.com/2012/05/30/achtung-internet-seiten-betreiber-eprivacy-richtlinien-umzusetzen/">ePrivacy
in Europe - read more</a> <br>
<br>
Kind regards<br>
1awww.com - Internet-Service-Provider<br>
<br>
Detlef Bracker<br>
Velilla, Calle Club s/n, E 18690 Almunecar, Tel.: +34.6 343 232
61 * EU-VAT-ID: ESX4516542D<br>
<br>
</p>
</div>
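Added illustration, not code from the mail or from the PVE firewall: a token-bucket model of the no-syn-flood chain quoted above, run over constructed traffic (one flooding source plus one legitimate client), to show what --limit 1/s --limit-burst 4 does and the caveat that -m limit keeps a single bucket for all sources. The bucket semantics and the per-source comparison (modelled on iptables hashlimit) are assumptions of this example.

```python
"""Token-bucket model of the 'no-syn-flood' iptables chain quoted in the mail.
Added example: the bucket semantics are an assumption matching how the netfilter
'limit' match is documented (burst tokens, refilled at the average rate)."""
from collections import defaultdict


class Bucket:
    """One token bucket: 'burst' tokens up front, refilled at 'rate' per second."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, t: float) -> bool:
        # Refill for the time elapsed since the previous packet, capped at burst.
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def verdicts_global(syns, rate=1.0, burst=4):
    """The mail's chain: ONE bucket shared by every source, as '-m limit' keeps.
    A SYN inside the limit hits '-j RETURN' (normal INPUT processing), the rest '-j DROP'."""
    bucket = Bucket(rate, burst)
    return [(src, "RETURN" if bucket.allow(t) else "DROP") for t, src in syns]


def verdicts_per_source(syns, rate=1.0, burst=4):
    """Comparison variant with one bucket per source address (assumed equivalent
    of iptables 'hashlimit --hashlimit-mode srcip'); not part of the mail."""
    buckets = defaultdict(lambda: Bucket(rate, burst))
    return [(src, "RETURN" if buckets[src].allow(t) else "DROP") for t, src in syns]


# Constructed traffic (not from the mail): one flooding source sends a SYN every
# 10 ms for 0.2 s, then a single legitimate client sends one SYN at t = 0.5 s.
FLOOD = [(i * 0.01, "198.51.100.7") for i in range(20)]
SYNS = FLOOD + [(0.5, "203.0.113.5")]


def legit_survives(verdict_fn) -> bool:
    """Did the legitimate client's SYN get past the chain?"""
    return verdict_fn(SYNS)[-1] == ("203.0.113.5", "RETURN")


if __name__ == "__main__":
    for name, fn in (("global limit", verdicts_global), ("per-source", verdicts_per_source)):
        dropped = sum(1 for _, v in fn(SYNS) if v == "DROP")
        print(f"{name}: {dropped} of {len(SYNS)} SYNs dropped, legit client passes: {legit_survives(fn)}")
```

With the shared bucket the flood empties the 4-token burst within 40 ms and the legitimate client's SYN at 0.5 s is dropped as well, so the rule protects the host's SYN backlog at the price of all new connections; a per-source bucket lets the legitimate SYN through while still dropping 16 of the 20 flood SYNs.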
</body>
</html>