
KVM anti abuse how do you counter abuse with kvm users?

mtwiscool

New Member
We do not use colocrossing we use fdc servers - redstation - integria and for our usa location fiber hub las vegas.

We use anti fraud methods etc, I am basically looking for automated anti abuse for kvm, we can easily stop abuse and stop abuse fast within a few hours of it happening or faster. Abuse is not a problem but manual anti abuse is a lot more work than automated. eg: node watch
You could install a CPU alert to be sent by email then you could trace it when you get onto the node.

You may be able to have a monitor and have it suspend VMs if they use too much CPU but you will likely have to code this yourself.
 

sz1hosting

New Member
Thanks though limiting cpu on a kvm would be something we could not do due to kvm being dedicated resources, thanks for the advice though, will look into this.
 

Schultz

New Member
Probably best to tackle the problem at its root. Maxmind & Fraudrecord with WHMCS. If you're a larger provider you can also request an I.D card & bill in the person's name, then cross reference data - of course all data stored and/or destroyed properly - a staff member dedicated to this can conduct all checks. You don't have to use the I.D/bill policy with all clients, but only for clients from high risk countries, or high risk patterns.

The next thing you could probably do is install scripts for I/O, CPU & BANDWIDTH abuse prevention.

This would filter out most of the abusive clients, even if they manage to pass through Maxmind, Fraudrecord & I.D/bill checking, they would have to deal with the abuse prevention scripts, if they can pass all that - they deserve to abuse your node.
 

Virtovo

New Member
Verified Provider
You can monitor most metrics with KVM.  At the most basic you could just set up Observium and alerts which will monitor each domain and let you know the major things that cause issues.  CPU/DISK IO/PORT usage can all be checked quite easily.

Ram usage can be monitored via some checking of IO and even disk usage can be checked (although this may cause privacy concerns).  
 

datarealm

New Member
Verified Provider
We use anti fraud methods etc, I am basically looking for automated anti abuse for kvm, we can easily stop abuse and stop abuse fast within a few hours of it happening or faster.
What sort of abuse?

If you can define it, then you can measure it.  If you can measure it, you can automate a response to it.
 

DomainBop

Dormant VPSB Pathogen
Aldryic's post is very relevant and true. If you condone adding SSH keys to your templates then you're not to be trusted at all.
Agreed that adding SSH keys for the purpose of snooping on users is completely unethical and a breach of privacy but some cloud platforms do add SSH keys so that the hypervisor can perform certain automated "cloud" functions..

OnApp adds SSH keys giving the user "onapp" (the hypervisor) the ability to control autoscaling, load balancing, and rebuild network features.  The user can elect to remove the keys but then they lose the functionality of these features. 

There's a huge difference though between adding an SSH key that allows a hypervisor to communicate with a VPS and perform autoscaling and load balancing and adding a SSH key for the sole purpose of snooping on a user.

From the onapp documentation:

OnApp requires direct access to your Hypervisors via SSH, from the user 'onapp' -
 

sz1hosting

New Member
Thanks for the feedback :)
 

Magiobiwan

Insert Witty Statement Here
Verified Provider
On the topic of virtualization optimization like OnApp does with the SSH key and such, newer versions of QEMU can be compiled to have a QEMU-agent that you run inside the virtualized guest (iirc there's a qemu-agent for Linux and Windows), which communicates using a virtual serial interface presented to the VM. I haven't done much playing with it, but I believe it acts in function sort of like the VirtualBox Guest Additions or the VMware/Hyper-V equivalent. I'm not sure how you'd set it up with libvirt, but it's on my list of "when I'm bored" projects. I do know it needs to be enabled at compile time, and that you need to configure it when launching the VM.
 

Enterprisevpssolutions

Article Submitter
Verified Provider
Look at getting an IDS system in front of the nodes to scan the traffic for abuse, same with mail filter. Transparent filtering can be done with no loss of performance and no added latency, no need to access the vps for any reason unless a client asks for help. To help with node load do not over allocate the resources. If a client is using more io or other resources then move them to a node with less clients on it. If it continues have them order a dedicated system and be done with it. We have some clients that have the vps at 105% cpu usage for long periods of time without causing issues with other vps or the host nodes because we don't over subscribe the resources.
 

sz1hosting

New Member
Thanks for the feedback much appreciated :)
 

Kihi

New Member
Unfortunately there isn't anything out there for KVM that's very effective.

Personally, I would use:

CPU: cgroups

Bandwidth: tc (or using the .xml format within libvirt if you're running KVM non-bridged)

Anti-DDOS: bash scripts & iptables

Emails: iptables (again).

Sensors & Security: PM me and I'll tell ya.

Otherwise, I would recommend delving into some of the scripts that you can find on GitHub, it's immensely resourceful. Simply write a few and/or modify and run it through cron.
 

drserver

Member
Verified Provider
Well, you can script output from virt-top, it is a top-like utility which uses libvirt as hypervisor access interface.

You can cap cpu on the fly with different toolstacks but nice can be 1st step, also you can limit (poorly but effective) excessive disk usage with ionice. Those are all basic tools which are really easy to script.

grep, iotop and ionice are tools that you should already know how to use

You can control port speed via TC and you will need some custom rules for iptables to count packets.

As I can see that you are big fan of virtualizor, you have half of those mechanisms already integrated into basic distribution.
 

SkillerzWeb

New Member
I am not really a kvm expert but all the things I can find to stop cpu abuse are

Cgroups, nice, which cap the cpu usage as each vps instance runs as a process. Never tried these tho.

And if you wanna check the resource usage of each vps.. You can use virt-top which I used myself and works great if you wanna manually suspend heavy abusers.

-Thanks-
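The "define it, measure it, automate a response" advice in the thread, applied to the CPU case, as an added example that is not code from any poster: it reads per-guest cumulative CPU time in the shape `virsh domstats --cpu-total` prints and flags guests that stay above a per-vCPU threshold for several consecutive samples. Guest names, vCPU counts, the 90 % threshold, the 60 s interval and all sample numbers are assumptions made up for the example.

```python
"""Flag KVM guests with sustained high CPU from periodic `virsh domstats --cpu-total` samples."""

def parse_domstats(text):
    """Return {domain: cumulative cpu.time in ns} from one domstats output."""
    stats, dom = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Domain:"):
            dom = line.split("'")[1]
        elif line.startswith("cpu.time=") and dom:
            stats[dom] = int(line.split("=", 1)[1])
    return stats

def sustained_hogs(snapshots, interval_s, vcpus, threshold=0.9, runs=3):
    """Domains at or above `threshold` per-vCPU utilisation for `runs` consecutive intervals."""
    streak, flagged = {}, []
    for prev, cur in zip(snapshots, snapshots[1:]):
        for dom, ns in cur.items():
            if dom not in prev or ns < prev[dom]:
                streak[dom] = 0          # new guest or counter reset: start over
                continue
            util = (ns - prev[dom]) / (interval_s * 1e9 * vcpus.get(dom, 1))
            streak[dom] = streak.get(dom, 0) + 1 if util >= threshold else 0
            if streak[dom] == runs and dom not in flagged:
                flagged.append(dom)
    return flagged

# Constructed data: cumulative CPU seconds per guest, sampled every 60 s.
# Guest names, vCPU counts and numbers are made up for the example.
CPU_SECONDS = {
    "vm-a": [100, 218, 336, 454, 572],   # 2 vCPUs pinned at ~98 %
    "vm-b": [50, 55, 113, 118, 123],     # one short burst, otherwise idle
    "vm-c": [900, 958, 3, 61, 119],      # busy, but restarted mid-way (counter reset)
}
VCPUS = {"vm-a": 2, "vm-b": 1, "vm-c": 1}
# Render the table in the shape domstats prints (cpu.time is in nanoseconds).
RAW = ["".join(f"Domain: '{d}'\n  cpu.time={s[i] * 10**9}\n  cpu.user=0\n"
               for d, s in CPU_SECONDS.items()) for i in range(5)]

if __name__ == "__main__":
    snaps = [parse_domstats(t) for t in RAW]
    # Feed the result to whatever response you have defined: an e-mail alert,
    # a ticket, or `virsh suspend <domain>` once a human has signed off.
    print(sustained_hogs(snaps, interval_s=60, vcpus=VCPUS))
```

Requiring several consecutive intervals keeps a single burst (vm-b) from triggering a response, and treating a falling counter as a reset avoids a bogus negative delta after a guest restart (vm-c).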
 