  1. #1

    Secure OVH server from other OVH servers?

    I've spent the past couple days setting up a server with OVH SYS, and I just learned that their firewall is bypassed by all other OVH servers: https://bitnrg.com/2017/07/26/ovh-su...ernal-servers/

    With their network firewall having this glaring hole, that has been around for years, how would I secure against this? There was mention of using Windows Firewall to do that, but no clear instructions.

    I need to keep a few ports open globally, such as HTTP and HTTPS, but I definitely need to secure my RDP and SSH ports. The server is running Windows 10 Server 2022 Standard.

  2. #2
    It'll be difficult to block all OVH IPs seeing as some of them are vital for your server to even work (such as gateway IPs).

    I would say the best solution would be to just block any incoming IPs that are clearly suspicious from HTTP access logs, RDP/SSH logs etc.

    You can also consider changing the RDP/SSH ports from their defaults to different ones.

  3. #3
    Quote Originally Posted by Terrum View Post
    It'll be difficult to block all OVH IPs seeing as some of them are vital for your server to even work (such as gateway IPs).

    I would say the best solution would be to just block any incoming IPs that are clearly suspicious from HTTP access logs, RDP/SSH logs etc.

    You can also consider changing the RDP/SSH ports from their defaults to different ones.
    Yeah that's the problem. The way OVH has designed their network, if you want actual security (prevention, not reaction), you need to buy their more expensive brands. OVH doesn't allow VRack to be used by KS/SYS/RISE servers.

    From what others have said on the OVH reddit, it's obvious that the host shouldn't be used. This has been an issue for years, and still there's no proper firewall security. I'm waiting to hear back from their support to cancel the server and get a refund, but from what I've read, they don't do refunds.

    It's appalling. As another user said, imagine Amazon whitelisting all traffic to your AWS server from every single other AWS server. It's insane.

  4. #4
    Quote Originally Posted by FiftyTifty View Post

    I need to keep a few ports open globally, such as HTTP and HTTPS, but I definitely need to secure my RDP and SSH ports. The server is running Windows 10 Server 2022 Standard.
    You can't install a software firewall?

  5. #5
    Quote Originally Posted by net View Post
    You can't install a software firewall?
    I'd rather have a software firewall that picks up the remnants that get through the hardware firewall, rather than relying on the software firewall to do everything. Performance, vulnerability, accessibility, etc.

    Also kinda hard to remote into a computer with the software firewall only allowing my old dynamic IP to remote into it, when I've been given a new one by my ISP.

  6. #6
    Quote Originally Posted by FiftyTifty View Post
    I'd rather have a software firewall that picks up the remnants that get through the hardware firewall, rather than relying on the software firewall to do everything. Performance, vulnerability, accessibility, etc.

    Also kinda hard to remote into a computer with the software firewall only allowing my old dynamic IP to remote into it, when I've been given a new one by my ISP.
    Maybe use VPN if you do not have static IP.

    You can also block those ports via hosts file or directly from ssh software, etc... Plenty of ways to do it

  7. #7
    Quote Originally Posted by net View Post
    Maybe use VPN if you do not have static IP.

    You can also block those ports via hosts file or directly from ssh software, etc... Plenty of ways to do it
    So I'd have to get a VPN on top of a server that has a junk HW firewall, which will greatly increase the RDP latency, and costs a few quid on top to go with the cheapo ones. Because OVH hasn't got a proper HW firewall.

    Is there a reason why OVH is badly designed like this? There was also the whole thing with IPs getting blacklisted, as they let a bunch of malicious servers operate on their network back in 2021. They're coming across as pretty cowboy.

  8. #8
    OVH is the only European/USA based cloud provider that I have COMPLETELY blocked on all my firewalls, servers, networks across all clients and business.

    Their network is infested with bots, crawlers, viruses, hacking scripts, vulnerability scanners, spam, and more spam. I'm sick and tired of their incompetence, ignorance and refusal to clean their IP space.

    Hetzner is coming up a close second to OVH, but they seem to be doing something about it, recent logs show a decrease in infections from their network.

    Linode was pretty bad, but they made a huge effort a few years ago, blocked port 25 by default and removed infections with a heavy hand, so I'm pretty pleased with the results, my network firewalls show near zero infections from their network.
    My posts are better, because I'm not selling anything

    - Not Cool - No Services Offered - Do Not Follow Instructions -

  9. #9
    Most dedicated servers don't come with a hardware firewall behind them unless that is an additional feature you are wanting / needing.

    Personally I suggest if you are worried about it, set up a software firewall and lock out per IP address or rate limit it. If you can do a VPN to have that static IP that should be perfect.
    Great reason for Linux, which can do a lot more with easy scripts to secure things. SSH key and ideally limit IPs and you're golden. Windows always seemed to require a lot of extra work, granted, sure, it's not as much work once you get better with it.
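
The per-IP lockdown suggested in the replies above, as an added example that is not part of any original post: it scopes the Windows Firewall inbound allow rules for RDP and SSH to an allowlist, which the host enforces whatever the source network. The `$AdminSources` defaults are placeholder documentation addresses, and the script and its parameter names are illustrative assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): scope inbound RDP/SSH allow rules to an allowlist.
# The default $AdminSources values are placeholders (RFC 5737 documentation ranges);
# replace them with your VPN exit IP or management subnet.
param(
    [string[]]$AdminSources = @('203.0.113.10', '198.51.100.0/24'),
    [int[]]$AdminPorts      = @(3389, 22),
    [switch]$Apply          # without -Apply the script only reports
)

# True when a rule's LocalPort filter ('3389', '22', '3380-3390', ...) covers $Port.
# 'Any' and keyword filters such as 'RPC' are skipped: review those rules by hand.
function Test-PortCovered {
    param([string[]]$Filter, [int]$Port)
    foreach ($f in $Filter) {
        if ($f -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($f -eq "$Port") { return $true }
    }
    return $false
}

# Traffic that matches no allow rule must be dropped on every profile.
if ($Apply) {
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block
}

# Enabled inbound allow rules whose port filter covers an admin port.
$targets = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | Where-Object {
    $filter = @(($_ | Get-NetFirewallPortFilter).LocalPort)
    @($AdminPorts | Where-Object { Test-PortCovered -Filter $filter -Port $_ }).Count -gt 0
}

foreach ($rule in $targets) {
    $before = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
    Write-Output ("{0}: RemoteAddress {1} -> {2}" -f $rule.DisplayName, $before, ($AdminSources -join ','))
    if ($Apply) { $rule | Set-NetFirewallRule -RemoteAddress $AdminSources }
}
# Rules for 80/443 are never matched, so HTTP and HTTPS stay open to any source.
```

Run it once without `-Apply` to review the affected rules, and keep an out-of-band console available, because an allowlist that omits your current address cuts off RDP. If the RDP or SSH ports have been moved off their defaults, pass the new numbers in `-AdminPorts`.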

  10. #10
    Quote Originally Posted by HostedInEarth View Post
    OVH is the only European/USA based cloud provider that I have COMPLETELY blocked on all my firewalls, servers, networks across all clients and business.

    Their network is infested with bots, crawlers, viruses, hacking scripts, vulnerability scanners, spam, and more spam. I'm sick and tired of their incompetence, ignorance and refusal to clean their IP space.

    Hetzner is coming up a close second to OVH, but they seem to be doing something about it, recent logs show a decrease in infections from their network.

    Linode was pretty bad, but they made a huge effort a few years ago, blocked port 25 by default and removed infections with a heavy hand, so I'm pretty pleased with the results, my network firewalls show near zero infections from their network.
    At least with Hetzner, their support was on time, and their firewall actually works as it should. And their KVM allowed you to use ISOs from a url to install an OS, whereas OVH's KVM would just crash.

    I wouldn't be surprised that OVH's unprofessional infrastructure lends itself to malicious actors.

    Quote Originally Posted by Purevoltage View Post
    Most dedicated servers don't come with a hardware firewall behind them unless that is an additional feature you are wanting / needing.

    Personally I suggest if you are worried about it, set up a software firewall and lock out per IP address or rate limit it. If you can do a VPN to have that static IP that should be perfect.
    Great reason for Linux, which can do a lot more with easy scripts to secure things. SSH key and ideally limit IPs and you're golden. Windows always seemed to require a lot of extra work, granted, sure, it's not as much work once you get better with it.
    A hardware firewall that is supplied with the server, should work as a firewall. OVH's firewall has a gaping security flaw and is absolutely nonsensical. And to have to use a VPN to cover for it, as well as relying on a software firewall to protect from their own servers????

    Linux is only good if you already know how every single thing works, and don't do anything with it. Otherwise, everything is gonna break and you're going to spend days looking for solutions to errors that never occur twice. Windows is where it's at.
