# KVM anti-abuse: how do you counter abuse with KVM users?



## sz1hosting (Jun 24, 2014)

*Hello, I was wondering what other providers' methods are for counteracting KVM abuse. We have the mail side of things sorted, but other forms of abuse have to be checked manually. Are there any KVM anti-abuse scripts available? What do you do to stop abuse on KVM VPS servers? Please provide any feedback you can and tips and information that are relevant to the title.*

*Thank you for reading and replying if you do!*


----------



## mtwiscool (Jun 24, 2014)

You will have to install some SSH keys and have it show processes via SSH.

Then use SSH to remove abusive processes.


----------



## sz1hosting (Jun 24, 2014)

Are there not any scripts etc. like nodewatch for KVM? Any other tips or any links please would be appreciated.


----------



## mtwiscool (Jun 24, 2014)

sz1hosting said:


> Are there not any scripts etc. like nodewatch for KVM? Any other tips or any links please would be appreciated.


KVM is virtualised, as OpenVZ is not, so you do not have access to the processes unless you get VPS access, for which the most common way is to add SSH keys to your templates and then track via SSH.


----------



## Aldryic C'boas (Jun 24, 2014)

mtwiscool said:


> KVM is virtualised, as OpenVZ is not, so you do not have access to the processes unless you get VPS access, for which the most common way is to add SSH keys to your templates and then track via SSH.


And this right here is why NOBODY will ever take you seriously.  What you've just described is dishonest, unethical, and a massive violation of privacy.


----------



## mtwiscool (Jun 24, 2014)

Aldryic C said:


> And this right here is why NOBODY will ever take you seriously.  What you've just described is dishonest, unethical, and a massive violation of privacy.


And everyone thinks you are an asshole.

What I described is a very common method to check VPSes.

It's called anti-abuse, and I would be more scared if my provider did not check what the users are using, as they could abuse the node and slow down other VPSes, aka if you want privacy get a dedicated server.


----------



## MartinD (Jun 24, 2014)

Again, Matthew, you fail to spell check your posts or read over the text before you post.

You've also just called another forum user an 'asshole'. I've called out others for treating you poorly and I'll do the same to you despite you crying wolf in PM.

Aldryic's post is very relevant and true. If you condone adding SSH keys to your templates then you're not to be trusted at all.


----------



## mtwiscool (Jun 24, 2014)

MartinD said:


> Again, Matthew, you fail to spell check your posts or read over the text before you post.
> 
> You've also just called another forum user an 'asshole'. I've called out others for treating you poorly and I'll do the same to you despite you crying wolf in PM.
> 
> Aldryic's post is very relevant and true. If you condone adding SSH keys to your templates then you're not to be trusted at all.


It is how you solve the issue and why I would never offer KVM or Xen VPSes.

You should look at your VPSes for SSH keys, as you will likely find extra ones from your provider.

Even OVH used to do this with dedicated servers.


----------



## MartinD (Jun 24, 2014)

It's not how you solve the issue at all, that's entirely misleading and dangerous.


----------



## mtwiscool (Jun 24, 2014)

MartinD said:


> It's not how you solve the issue at all, that's entirely misleading and dangerous.


can you please share your suggstion?


----------



## sz1hosting (Jun 24, 2014)

We keep an eye on bandwidth and we use our own mail relay service too, and everything else is manual. We do not go into people's KVMs without their permission, or there for sure would be a storm of cancellations heading our way. Thanks for the feedback guys, and thanks for trying @VPS Enthusiast; your method can be done but would need the terms to be changed and would cause a lot of problems. We can catch abuse no problem; the thing is we have to do it manually (without entering the KVM without permission), so manual is the only way, or?


----------



## MartinD (Jun 24, 2014)

mtwiscool said:


> can you please share your suggstion?


I have a suggestion, no idea what a suggstion is though:

1) Don't take on shit clients.

2) Don't take on shit clients.

3) Suspend shit clients if they abuse your KVM node.

4) Get rid of shit clients.


----------



## mtwiscool (Jun 24, 2014)

sz1hosting said:


> We keep an eye on bandwidth and we use our own mail relay service too, and everything else is manual. We do not go into people's KVMs without their permission, or there for sure would be a storm of cancellations heading our way. Thanks for the feedback guys, and thanks for trying @VPS Enthusiast; your method can be done but would need the terms to be changed and would cause a lot of problems. We can catch abuse no problem; the thing is we have to do it manually (without entering the KVM without permission), so manual is the only way, or?


Plus WHMCS-based anti-fraud, StopForumSpam API checks (as people buy bots) and extra questions or extra ID for high-risk countries.


----------



## Aldryic C'boas (Jun 24, 2014)

Yes, I _AM_ an asshole.  Why is it taking you so long to understand that calling me such is a simple truth, and not insulting in the slightest?

Tell you what - why don't you start posting on all of the forums you scam at, and tell people that you load your templates with RSA keys so that you can go snooping at your discretion.  I would _LOVE_ to see the fallout from that.

You're not a provider.  You're not even a 'free host'.  You're just a kid with absolutely no understanding of how things work;  no desire to actually learn anything beyond your twisted and grossly inaccurate assumptions; and honestly probably no capacity to learn even if you wanted to.  I can almost bring myself to feel pity for the poor saps that trust you enough to use your 'services'.


----------



## mtwiscool (Jun 24, 2014)

Aldryic C said:


> Yes, I _AM_ an asshole.  Why is it taking you so long to understand that calling me such is a simple truth, and not insulting in the slightest?
> 
> Tell you what - why don't you start posting on all of the forums you scam at, and tell people that you load your templates with RSA keys so that you can go snooping at your discretion.  I would _LOVE_ to see the fallout from that.
> 
> You're not a provider.  You're not even a 'free host'.  You're just a kid with absolutely no understanding of how things work;  no desire to actually learn anything beyond your twisted and grossly inaccurate assumptions; and honestly probably no capacity to learn even if you wanted to.  I can almost bring myself to feel pity for the poor saps that trust you enough to use your 'services'.


Sorry for calling you an asshole; I'm a bit stressed with school.

We do not run KVM-based VMs, only OpenVZ, so no need for RSA.

We only go into a VM if we spot abuse in the node's processes.

I do own a free VPS service and 2 free shared hosts and 1 free domain website.

I support my users fully and even sometimes install and config programs for them.

I, unlike freevps.us, allow gameservers, as I have no sponsors to make angry, as I use a rented node allowing me full freedom to offer what I like.

I love running hosts, it is a fun thing to run as you get to meet people making new things all the time.

We do not scam anyone.


----------



## trewq (Jun 24, 2014)

mtwiscool said:


> We only go into a VM if we spot abuse in the node's processes.


Are you saying you enter VMs without permission?


----------



## sz1hosting (Jun 24, 2014)

If anyone has some relevant information on auto anti-abuse in any way possible, please feel free to add that information or links.


----------



## NilsX1337 (Jun 24, 2014)

MaxMind. Use ColoCrossing, they know how to fix it.


----------



## mtwiscool (Jun 24, 2014)

sz1hosting said:


> If anyone has some relevant information on auto anti-abuse in any way possible, please feel free to add that information or links.


It depends how much your users are worth.

Of course phoning the users up before activation might help but would be hard to implement.

I would suggest you drop all connections to your website from hosting providers and VPN providers to help ease abuse.


----------



## sz1hosting (Jun 24, 2014)

NilsX1337 said:


> MaxMind. Use ColoCrossing, they know how to fix it.



We do not use ColoCrossing; we use FDC Servers - Redstation - integria and, for our USA location, Fiber Hub Las Vegas.



mtwiscool said:


> It depends how much your users are worth.
> 
> Of course phoning the users up before activation might help but would be hard to implement.
> 
> I would suggest you drop all connections to your website from hosting providers and VPN providers to help ease abuse.



We use anti-fraud methods etc. I am basically looking for automated anti-abuse for KVM. We can easily stop abuse, and stop abuse fast, within a few hours of it happening or faster. Abuse is not a problem, but manual anti-abuse is a lot more work than automated, e.g. nodewatch.


----------



## mtwiscool (Jun 24, 2014)

sz1hosting said:


> We do not use ColoCrossing; we use FDC Servers - Redstation - integria and, for our USA location, Fiber Hub Las Vegas.
> 
> We use anti-fraud methods etc. I am basically looking for automated anti-abuse for KVM. We can easily stop abuse, and stop abuse fast, within a few hours of it happening or faster. Abuse is not a problem, but manual anti-abuse is a lot more work than automated, e.g. nodewatch.


You could install a CPU alert to be sent by email, then you could trace it when you get onto the node.

You may be able to have a monitor and have it suspend VMs if they use too much CPU, but you will likely have to code this yourself.


----------



## sz1hosting (Jun 24, 2014)

Thanks, though limiting CPU on a KVM would be something we could not do due to KVM being dedicated resources. Thanks for the advice though, will look into this.


----------



## mtwiscool (Jun 24, 2014)

sz1hosting said:


> Thanks, though limiting CPU on a KVM would be something we could not do due to KVM being dedicated resources. Thanks for the advice though, will look into this.


http://serverfault.com/questions/451792/how-to-limit-excessive-cpu-usage-from-guest-os-in-kvm

aka as each VM is a process, use nice to limit CPU.


----------



## sz1hosting (Jun 24, 2014)

mtwiscool said:


> http://serverfault.com/questions/451792/how-to-limit-excessive-cpu-usage-from-guest-os-in-kvm
> 
> aka as each VM is a process, use nice to limit CPU.



Thanks will look into this


----------



## Schultz (Jun 24, 2014)

Probably best to tackle the problem at its root. Maxmind & Fraudrecord with WHMCS. If you're a larger provider you can also request an I.D card & bill in the person's name, then cross-reference data - of course all data stored and/or destroyed properly - a staff member dedicated to this can conduct all checks. You don't have to use the I.D/bill policy with *all* clients, but only for clients from high risk countries, or high risk patterns.

The next thing you could probably do is install scripts for I/O, CPU & BANDWIDTH abuse prevention.

This would filter out most of the abusive clients, even if they manage to pass through Maxmind, Fraudrecord & I.D/bill checking, they would have to deal with the abuse prevention scripts, if they can pass all that - they deserve to abuse your node.


----------



## Virtovo (Jun 24, 2014)

You can monitor most metrics with KVM.  At the most basic you could just set up Observium and alerts which will monitor each domain and let you know the major things that cause issues.  CPU/DISK IO/PORT usage can all be checked quite easily.

Ram usage can be monitored via some checking of IO and even disk usage can be checked (although this may cause privacy concerns).


----------



## datarealm (Jun 24, 2014)

sz1hosting said:


> We use anti-fraud methods etc. I am basically looking for automated anti-abuse for KVM. We can easily stop abuse, and stop abuse fast, within a few hours of it happening or faster.


What sort of abuse?

If you can define it, then you can measure it.  If you can measure it, you can automate a response to it.


----------



## sz1hosting (Jun 24, 2014)

Thanks guys. Nice information; as most know, Google is not really helping with this topic title when I search.


----------



## sz1hosting (Jun 24, 2014)

datarealm said:


> What sort of abuse?
> 
> If you can define it, then you can measure it.  If you can measure it, you can automate a response to it.



Mainly CPU abuse I/O as everything else I have covered.


----------



## DomainBop (Jun 24, 2014)

MartinD said:


> Aldryic's post is very relevant and true. If you condone adding SSH keys to your templates then you're not to be trusted at all.


Agreed that adding SSH keys for the purpose of snooping on users is completely unethical and a breach of privacy, but some cloud platforms do add SSH keys so that the hypervisor can perform certain automated "cloud" functions.

OnApp adds SSH keys giving the user "onapp" (the hypervisor) the ability to control autoscaling, load balancing, and rebuild network features.  The user can elect to remove the keys but then they lose the functionality of these features.

There's a huge difference though between adding an SSH key that allows a hypervisor to communicate with a VPS and perform autoscaling and load balancing and adding an SSH key for the sole purpose of snooping on a user.

From the onapp documentation:



> OnApp requires direct access to your Hypervisors via SSH, from the user 'onapp' -


----------



## sz1hosting (Jun 24, 2014)

DomainBop said:


> Agreed that adding SSH keys for the purpose of snooping on users is completely unethical and a breach of privacy, but some cloud platforms do add SSH keys so that the hypervisor can perform certain automated "cloud" functions.
> 
> OnApp adds SSH keys giving the user "onapp" (the hypervisor) the ability to control autoscaling, load balancing, and rebuild network features.  The user can elect to remove the keys but then they lose the functionality of these features.
> 
> ...



Thanks for the feedback


----------



## Magiobiwan (Jun 24, 2014)

On the topic of virtualization optimization like OnApp does with the SSH key and such, newer versions of QEMU can be compiled to have a QEMU-agent that you run inside the virtualized guest (iirc there's a qemu-agent for Linux and Windows), which communicates using a virtual serial interface presented to the VM. I haven't done much playing with it, but I believe it acts in function sort of like the Virtualbox Guest Additions or the VMWare/Hyper-V equivalent. I'm not sure how you'd set it up with libvirt, but it's on my list of "when I'm bored" projects. I do know it needs to be enabled at compile time, and that you need to configure it when launching the VM.


----------



## tchen (Jun 24, 2014)

cgroups cpuacct not a workable solution?
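
What the cpuacct suggestion above, and the earlier "define it, measure it, automate a response" point, can look like on the host without entering any guest. This is an added example, not part of any poster's message: `sustained_cpu`, `SAMPLES`, the 90% threshold and the three-interval window are assumptions, and the samples are constructed.

```python
from collections import defaultdict

G = 10**9  # nanoseconds per second; cpuacct.usage counts CPU time in ns

# Constructed samples: (unix_time, domain, cpuacct.usage, vcpus), one per
# minute. A real collector would read each value on the host from the
# domain's cgroup (path varies by distro and libvirt version).
SAMPLES = [
    (0, "vm-a", 0, 2), (60, "vm-a", 114 * G, 2), (120, "vm-a", 228 * G, 2),
    (180, "vm-a", 342 * G, 2), (240, "vm-a", 350 * G, 2),
    (0, "vm-b", 5 * G, 1), (60, "vm-b", 63 * G, 1), (120, "vm-b", 65 * G, 1),
    (180, "vm-b", 66 * G, 1), (240, "vm-b", 67 * G, 1),
    # vm-c is restarted between t=120 and t=180, so its counter starts over.
    (0, "vm-c", 100 * G, 1), (60, "vm-c", 158 * G, 1), (120, "vm-c", 216 * G, 1),
    (180, "vm-c", 2 * G, 1), (240, "vm-c", 60 * G, 1),
]


def sustained_cpu(samples, threshold=0.90, min_intervals=3):
    """Return {domain: longest run of consecutive intervals at or above
    `threshold` of its allocated vCPU time}, for runs >= min_intervals."""
    last = {}                   # domain -> (time, usage_ns) of previous sample
    streak = defaultdict(int)   # current run of busy intervals
    worst = defaultdict(int)    # longest run seen so far
    for t, dom, usage_ns, vcpus in sorted(samples):
        prev = last.get(dom)
        last[dom] = (t, usage_ns)
        if prev is None:
            continue
        dt, used = t - prev[0], usage_ns - prev[1]
        if dt <= 0 or used < 0:
            # Duplicate sample, or the counter went backwards because the
            # guest restarted: the interval is unusable, so break the run.
            streak[dom] = 0
            continue
        load = used / (dt * G * vcpus)   # 1.0 == every vCPU fully busy
        streak[dom] = streak[dom] + 1 if load >= threshold else 0
        worst[dom] = max(worst[dom], streak[dom])
    return {d: n for d, n in worst.items() if n >= min_intervals}


if __name__ == "__main__":
    for dom, n in sorted(sustained_cpu(SAMPLES).items()):
        print(f"{dom}: {n} consecutive intervals above threshold")
```

Requiring several consecutive busy intervals keeps a one-minute burst (vm-b) or a reboot (vm-c) from being reported alongside a guest that is pinned for minutes on end (vm-a).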


----------



## sz1hosting (Jun 25, 2014)

tchen said:


> cgroups cpuacct not a workable solution?



Thanks will look into that.


----------



## Enterprisevpssolutions (Jun 25, 2014)

Look at getting an IDS in front of the nodes to scan the traffic for abuse, same with a mail filter. Transparent filtering can be done with no loss of performance and no added latency, with no need to access the VPS for any reason unless a client asks for help. To help with node load, do not over-allocate the resources. If a client is using more I/O or other resources, then move them to a node with fewer clients on it. If it continues, have them order a dedicated system and be done with it. We have some clients that have the VPS at 105% CPU usage for long periods of time without causing issues with other VPSes or the host nodes because we don't oversubscribe the resources.


----------



## sz1hosting (Jun 25, 2014)

Enterprisevpssolutions said:


> Look at getting an IDS in front of the nodes to scan the traffic for abuse, same with a mail filter. Transparent filtering can be done with no loss of performance and no added latency, with no need to access the VPS for any reason unless a client asks for help. To help with node load, do not over-allocate the resources. If a client is using more I/O or other resources, then move them to a node with fewer clients on it. If it continues, have them order a dedicated system and be done with it. We have some clients that have the VPS at 105% CPU usage for long periods of time without causing issues with other VPSes or the host nodes because we don't oversubscribe the resources.



Thanks for the feedback much appreciated


----------



## Kihi (Aug 12, 2014)

Unfortunately there isn't anything out there for KVM that's very effective.

Personally, I would use:

*CPU*: cgroups

*Bandwidth*: tc (or using the .xml format within libvirt if you're running KVM non-bridged)

*Anti-DDOS:* bash scripts & iptables

*Emails:* iptables (again).

*Sensors & Security:* PM me and I'll tell ya.

Otherwise, I would recommend delving into some of the scripts that you can find on GitHub; it's immensely resourceful. Simply write a few and/or modify them and run them through cron.


----------



## drserver (Aug 13, 2014)

Well, you can script output from virt-top; it is a top-like utility which uses libvirt as the hypervisor access interface.

You can cap CPU on the fly with different toolstacks, but nice can be the 1st step. Also, you can limit (poorly but effectively) excessive disk usage with ionice. Those are all basic tools which are really easy to script.

grep, iotop and ionice are tools that you should already know how to use.

You can control port speed via tc and you will need some custom rules for iptables to count packets.

As I can see that you are a big fan of Virtualizor, you have half of those mechanisms already integrated into the basic distribution.


----------



## SkillerzWeb (Aug 13, 2014)

I am not really a KVM expert, but all the things I can find to stop CPU abuse are

cgroups and nice, which cap the CPU usage as each VPS instance runs as a process. Never tried these though.

And if you wanna check the resource usage of each VPS, you can use virt-top, which I used myself and which works great if you wanna manually suspend heavy abusers.

-Thanks-


----------

