You could install a cpu alart to be sent by email then you could trace it when you get onto the node.
You may be able to have a monitor and have it supended vm's if they use too much cpu but you will lickly have to code this yourself.
KVM anti abuse how do you counter abuse with kvm users?
- Thread starter sz1hosting
- Start date
You may be able to have a monitor and have it supended vm's if they use too much cpu but you will lickly have to code this yourself.
sz1hosting
New Member
Thanks though limiting cpu on a kvm would be something we could not do due too kvm being dedicated resources, thanks for the advice though, will look into this.
http://serverfault.com/questions/451792/how-to-limit-excessive-cpu-usage-from-guest-os-in-kvm
aka as each vm is a prossess use nice to limit cpu.
sz1hosting
New Member
Schultz
New Member
Probably best to tackle the problem at its root. Maxmind & Fraudrecord with WHMCS. If you're a larger provider you can also request an I.D card & bill in the persons name, then cross refference data - ofcourse all data stored and/or destroyed properly - a staff member dedicated to this can conduct all checks. You don't have to use the I.D/bill policy with all clients, but only for clients from high risk countries, or high risk patterns.
The next thing you could probably do is install scripts for I/O, CPU & BANDWIDTH abuse prevention.
This would filter out most of the abusive clients, even if they manage to pass through Maxmind, Fraudrecord & I.D/bill checking, they would have to deal with the abuse prevention scripts, if they can pass all that - they deserve to abuse your node.
The next thing you could probably do is install scripts for I/O, CPU & BANDWIDTH abuse prevention.
This would filter out most of the abusive clients, even if they manage to pass through Maxmind, Fraudrecord & I.D/bill checking, they would have to deal with the abuse prevention scripts, if they can pass all that - they deserve to abuse your node.
You can monitor most metrics with KVM. At the most basic you could just set up Observium and alerts which will monitor each domain and let you know the major things that cause issues. CPU/DISK IO/PORT usage can all be checked quite easily.
Ram usage can be monitored via some checking of IO and even disk usage can be checked (although this may cause privacy concerns).
Ram usage can be monitored via some checking of IO and even disk usage can be checked (although this may cause privacy concerns).
Last edited by a moderator:
What sort of abuse?
If you can define it, then you can measure it. If you can measure it, you can automate a response to it.
sz1hosting
New Member
Thanks guys 
Nice information as most know google is not really helping with this topic title when i search.
Nice information as most know google is not really helping with this topic title when i search.sz1hosting
New Member
Mainly cpu asbuse I/O as everything else i have covered.
DomainBop
Dormant VPSB Pathogen
Agreed that adding SSH keys for the purpose of snooping on users is completely unethical and a breach of privacy but some cloud platforms do add SSH keys so that the hypervisor can perform certain automated "cloud" functions..
OnApp adds SSH keys giving the user "onapp" (the hypervisor) the ability to control autoscaling, load balancing, and rebuild network features. The user can elect to remove the keys but then they lose the functionality of these features.
There's a huge difference though between adding an SSH key that allows a hypervisor to communicate with a VPS and perform autoscaling and load balancing and adding a SSH key for the sole purpose of snooping on a user.
From the onapp documentation:
sz1hosting
New Member
On the topic of virtualization optimization like OnApp does with the SSH key and such, newer versions of QEMU can be compiled to have a QEMU-agent that you run inside the virtualized guest (iirc there's a qemu-agent for Linux and Windows), which communicates using a virtual serial interface presented to the VM. I haven't done much playing with it, but I believe it acts in function sort of like the Virtualbox Guest Additions or the VMWare/Hyper-V equivalent. I'm not sure how you'd set it up with libvirt, but it's on my list of "when I'm bored" projects. I do know it needs to be enabled at compile time, and that you need to configure it when launching the VM.
sz1hosting
New Member
Thanks will look into that.
Look at getting an ids system in front of the nodes to scan the traffic for abuse same with mail filter, transparent filtering can be done with no loss of performance and no added latency no need to access the vps for any reason unless a client asks for help. To help with node load do not over allocate the resources, If a client is using more io or other resources than move to to a node with less clients on it. If it continues have them order a dedicated system and be done with it. We have some clients that have the vps at 105% cpu usage for long periods of time without causing issues with other vps or the host nodes because we don't over subscribe the resources.
sz1hosting
New Member
Kihi
New Member
Unfortunately there isn't anything out there for KVM that's very effective.
Personally, I would use:
CPU: cgroups
Bandwidth: tc (or using the .xml format within libvirt if you're running KVM non-bridged)
Anti-DDOS: bash scripts & iptables
Emails: iptables (again).
Sensors & Security: PM me and I'll tell ya.
Otherwise, I would recommend to dwell in some of the scripts that can find on github, it's immensely resourceful. Simply write a few and/or modify and run it through cron.
Personally, I would use:
CPU: cgroups
Bandwidth: tc (or using the .xml format within libvirt if you're running KVM non-bridged)
Anti-DDOS: bash scripts & iptables
Emails: iptables (again).
Sensors & Security: PM me and I'll tell ya.
Otherwise, I would recommend to dwell in some of the scripts that can find on github, it's immensely resourceful. Simply write a few and/or modify and run it through cron.
well, you can script output from virt-top, it is top like utility which uses libvirt as hipervisor access interface.
You can cap cpu on the fly with different toolstacks but nice can be 1st step, also you can limit (poorly but effective) excessive disk usage with ionice. Those are all basic tools which are really easy to script.
grep, iotop and ionice are tools that you should already know how to use
You can control port speed via TC and you will need some custom rules for iptables to count packets.
As I can see that you are big fan of virtualizor, you have half of those mechanisms already integrated into basic distribution.
You can cap cpu on the fly with different toolstacks but nice can be 1st step, also you can limit (poorly but effective) excessive disk usage with ionice. Those are all basic tools which are really easy to script.
grep, iotop and ionice are tools that you should already know how to use
You can control port speed via TC and you will need some custom rules for iptables to count packets.
As I can see that you are big fan of virtualizor, you have half of those mechanisms already integrated into basic distribution.
Last edited by a moderator:
SkillerzWeb
New Member
I am not really a kvm expert but all the things i can find to stop cpu abuse is
Cgroups, nice, which cap the cpu usage as each vps instance run as a process, Never tried these tho.
And if you wanna check the resource usage of each vps.. You can use virt-top which i used myself and works great if you wanna manually suspend heavy abusers.
-Thanks-
Cgroups, nice, which cap the cpu usage as each vps instance run as a process, Never tried these tho.
And if you wanna check the resource usage of each vps.. You can use virt-top which i used myself and works great if you wanna manually suspend heavy abusers.
-Thanks-