-
12-01-2022, 10:12 PM #1 Newbie
Secure OVH server from other OVH servers?
I've spent the past couple days setting up a server with OVH SYS, and I just learned that their firewall is bypassed by all other OVH servers: https://bitnrg.com/2017/07/26/ovh-su...ernal-servers/
With their network firewall having this glaring hole that has been around for years, how would I secure against this? There was mention of using Windows Firewall to do that, but no clear instructions.
I need to keep a few ports open globally, such as HTTP and HTTPS, but I definitely need to secure my RDP and SSH ports. The server is running Windows 10 Server 2022 Standard.
-
12-04-2022, 09:04 AM #2 WHT Addict
It'll be difficult to block all OVH IPs seeing as some of them are vital for your server to even work (such as gateway IPs).
I would say the best solution would be to just block any incoming IPs that are clearly suspicious from HTTP access logs, RDP/SSH logs etc.
You can also consider changing the RDP/SSH ports from their defaults to different ones.
-
12-04-2022, 02:48 PM #3 Newbie
Yeah, that's the problem. The way OVH has designed their network, if you want actual security (prevention, not reaction), you need to buy their more expensive brands. OVH doesn't allow VRack to be used by KS/SYS/RISE servers.
From what others have said on the OVH reddit, it's obvious that the host shouldn't be used. This has been an issue for years, and still there's no proper firewall security. I'm waiting to hear back from their support to cancel the server and get a refund, but from what I've read, they don't do refunds.
It's appalling. As another user said, imagine Amazon whitelisting all traffic to your AWS server from every single other AWS server. It's insane.
-
12-04-2022, 05:00 PM #4 The Linux Specialist
-
12-04-2022, 05:37 PM #5 Newbie
I'd rather have a software firewall that picks up the remnants that get through the hardware firewall, rather than relying on the software firewall to do everything. Performance, vulnerability, accessibility, etc.
Also kinda hard to remote into a computer with the software firewall only allowing my old dynamic IP to remote into it, when I've been given a new one by my ISP.
-
12-04-2022, 07:23 PM #6 The Linux Specialist
-
12-05-2022, 05:08 AM #7 Newbie
So I'd have to get a VPN on top of a server that has a junk HW firewall, which will greatly increase the RDP latency, and costs a few quid on top to go with the cheapo ones. Because OVH hasn't got a proper HW firewall.
Is there a reason why OVH is badly designed like this? There was also the whole thing with IPs getting blacklisted, as they let a bunch of malicious servers operate on their network back in 2021. They're coming across as pretty cowboy.
-
12-05-2022, 09:52 AM #8 Web Hosting Evangelist
OVH is the only European/USA based cloud provider that I have COMPLETELY blocked on all my firewalls, servers, networks across all clients and business.
Their network is infested with bots, crawlers, viruses, hacking scripts, vulnerability scanners, spam, and more spam. I'm sick and tired of their incompetence, ignorance and refusal to clean their IP space.
Hetzner is coming up a close second to OVH, but they seem to be doing something about it; recent logs show a decrease in infections from their network.
Linode was pretty bad, but they made a huge effort a few years ago, blocked port 25 by default and removed infections with a heavy hand, so I'm pretty pleased with the results; my network firewalls show near zero infections from their network.
-
12-05-2022, 10:01 AM #9
Most dedicated servers don't come with a hardware firewall behind them unless that is an additional feature you are wanting / needing.
Personally, I suggest that if you are worried about it, set up a software firewall and lock out per IP address or rate limit it. If you can do a VPN to have that static IP, that should be perfect.
Great reason for Linux can do a lot more easy scripts to secure things. SSH key and ideally limit IPs and you're golden. Windows always seemed to require a lot of extra work; granted, sure, it's not as much work once you get better with it.
-
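One way to apply the per-IP software firewall lock-down suggested in post #9 to the RDP and SSH ports from the original question, using the built-in Windows Defender Firewall cmdlets. This is an added example, not part of any post in this thread; the allowlist addresses are placeholders from the documentation ranges and must be replaced with your own static or VPN exit IPs.

```powershell
# Added example: restrict inbound RDP/SSH to an allowlist; HTTP/HTTPS rules are not touched.
# Run elevated, ideally from the provider's KVM/console: a wrong allowlist applied over RDP
# cuts off the session that applied it.
$AdminPorts   = @('3389', '22')                        # RDP and SSH
$AllowedPeers = @('203.0.113.10', '198.51.100.0/28')   # PLACEHOLDERS (assumed values)

# Scoping allow rules only helps if unmatched inbound traffic is dropped by default.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# Select every enabled inbound allow rule whose local port list names an admin port.
# Limitation: rules with LocalPort 'Any' or a port range are not matched here; review
# those separately, since they can also admit traffic to 3389 or 22.
$adminRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $ports = @(($_ | Get-NetFirewallPortFilter).LocalPort)
        @($ports | Where-Object { $AdminPorts -contains $_ }).Count -gt 0
    }

foreach ($rule in $adminRules) {
    # Replace the remote scope (typically 'Any') with the allowlist. Traffic from any other
    # source, including neighbouring hosts on the provider's network, no longer matches an
    # allow rule and falls through to the default Block action.
    $rule | Set-NetFirewallRule -RemoteAddress $AllowedPeers
}

# Verify: list the admin-port rules with their resulting remote scope.
$adminRules | ForEach-Object {
    $current = Get-NetFirewallRule -Name $_.Name
    [pscustomobject]@{
        Rule          = $current.DisplayName
        Protocol      = ($current | Get-NetFirewallPortFilter).Protocol
        LocalPort     = ($current | Get-NetFirewallPortFilter).LocalPort -join ','
        RemoteAddress = ($current | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    }
} | Format-Table -AutoSize
```

Because the scope lives on the host's own firewall, it applies to every source equally, whether the packet arrives from the internet or from another machine in the same provider network.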
12-05-2022, 11:08 AM #10 Newbie
At least with Hetzner, their support was on time, and their firewall actually works as it should. And their KVM allowed you to use ISOs from a URL to install an OS, whereas OVH's KVM would just crash.
I wouldn't be surprised that OVH's unprofessional infrastructure lends itself to malicious actors.
A hardware firewall that is supplied with the server should work as a firewall. OVH's firewall has a gaping security flaw and is absolutely nonsensical. And to have to use a VPN to cover for it, as well as relying on a software firewall to protect from their own servers????
Linux is only good if you already know how every single thing works, and don't do anything with it. Otherwise, everything is gonna break and you're going to spend days looking for solutions to errors that never occur twice. Windows is where it's at.