DDoS Protection

stephfd21 Member

Hey guys, I'm looking for some advice on DDoS protection. I recently purchased a VPS from UpCloud that worked great for my needs. I was running WordPress sites via Webuzo; however, a hacker got in and uploaded script kiddies to all my hosted sites and used up over 6TB of bandwidth, which UpCloud charged to my account. This was basically my first time dealing with a VPS and I abused their support due to my lack of knowledge. Afterwards I installed a firewall and only opened the ports necessary for access to Webuzo; 5 days later, hacked again. I decided to route everything through Cloudflare; however, my sites began taking 3+ seconds to load versus under 1 second without Cloudflare. Bam, hacked again because I was using email on my server and this exposed my IP. Having decided to abandon UpCloud, I purchased a plan with Cloudcone; the speed/load time is way slower but they offer DDoS protection. My question is, will the DDoS protection that Cloudcone or any VPS provider offers be enough to protect me from getting hacked again?

Comments

  • kaktus69 Member

    I would suggest a managed VPS or shared hosting.

  • Cloudcone said their VPS packages are managed; hopefully this works out for me. Can you recommend a provider though?

  • MikeA Member, Provider
    edited June 13

    You should identify how you're getting hacked. You said you were using email and it exposed the IP. How are the people "getting in" to your server? Are they getting your SSH password? Are they abusing an exploit in a script or WordPress plugin? Do you know?
    If not, check logs or see what port the traffic is originating from.

    Getting DDoS'd isn't the same as getting hacked. It's not clear in your post what is happening, add more info?

    You could get an unmanaged VPS and install CentminMod; that way it's easy to manage, has WordPress options and is generally more secure.

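MikeA's point is to find out how the attacker got in before paying for mitigation. The following is an added example, not MikeA's or ExtraVM's code, of the first thing to do with the auth log: list the successful SSH logins and flag any that came from an IP that had already failed several times (an IP that fails three times and then gets in has very likely guessed or bought the password). It assumes the traditional syslog format of /var/log/auth.log; the log lines in it are constructed sample data using documentation addresses, not anything from the OP's server.

```shell
#!/bin/sh
# Added example: triage an sshd auth log for "brute force, then success".
# Assumes the traditional syslog line format
# ("Jun 10 02:12:01 host sshd[pid]: Accepted password for root from IP port N ssh2").
# The sample below is constructed data, not a real server's log.

write_sample_auth_log() {
    cat > "$1" <<'EOF'
Jun 10 02:11:03 vps sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 10 02:11:05 vps sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 10 02:11:09 vps sshd[2213]: Failed password for invalid user admin from 198.51.100.23 port 40011 ssh2
Jun 10 02:11:40 vps sshd[2215]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jun 10 02:12:01 vps sshd[2217]: Accepted password for root from 203.0.113.7 port 51044 ssh2
Jun 10 02:12:02 vps sshd[2217]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 10 09:30:15 vps sshd[3102]: Accepted publickey for deploy from 192.0.2.10 port 55120 ssh2
EOF
}

# ssh_login_triage LOGFILE [THRESHOLD]
# One line per successful login: FLAG USER IP METHOD FAILURES_BEFORE.
# Flagged SUSPICIOUS when the same source IP had at least THRESHOLD
# (default 3) failed attempts earlier in the log.
ssh_login_triage() {
    awk -v threshold="${2:-3}" '
        / sshd\[[0-9]+\]: (Accepted|Failed) / {
            user = ""; ip = ""
            for (i = 7; i <= NF; i++) {
                # "for invalid user NAME" vs "for NAME"
                if ($i == "for") user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            if ($6 == "Failed") { failed[ip]++; next }
            flag = (failed[ip] + 0 >= threshold) ? "SUSPICIOUS" : "ok"
            print flag, user, ip, $7, failed[ip] + 0
        }
    ' "$1"
}

# ssh_failed_by_ip LOGFILE: source IPs ranked by failed attempts
# (what a fail2ban jail or a provider's abuse report keys on).
ssh_failed_by_ip() {
    awk '/ sshd\[[0-9]+\]: Failed / {
            for (i = 7; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Demo on the constructed sample.
log=$(mktemp)
write_sample_auth_log "$log"
ssh_login_triage "$log"
ssh_failed_by_ip "$log"
rm -f "$log"
```

On a live server run `ssh_login_triage /var/log/auth.log` (journald systems: `journalctl -u ssh -o short` gives the same line shape). A SUSPICIOUS line from an IP you do not recognise means the password is burned, and so is every secret that was on the box, which is the case for a rebuild rather than a password change.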
  • I'm really not sure, to be honest. I changed the SSH password from the default to a strong 128 key length. I mainly use WordPress plugins and themes from the free selection. Quite honestly I already deleted the VPS instances I had over at UpCloud, but they did show in the logs that someone had connected via SSH from China, I believe. It was a 12 hour attack, as the bandwidth spiked within that time. I believe a managed VPS may be the way to go for me. Shared hosting is just too slow during peak hours!

  • MikeA Member, Provider

    If someone connected to SSH then you probably have a weak password, but if it really is a managed VPS the provider should have secured it or given you steps to secure it. Even changing the SSH port will stop most of the scanners/bots and it takes a few seconds.

    Some shared hosts are very good, you'd just need to look for higher limits on the plans since everyone uses CloudLinux with resource limits.

  • My first password was sorta weak, but then I changed it to a much stronger password (128 keys) and a new IP. Somehow the guy still got in :/ The VPS was unmanaged, so it's no fault of UpCloud's. I do miss their service though; I was with DigitalOcean and Vultr before but they never gave me speed like UpCloud. Cloudcone claims their VPS servers are managed, but I still went ahead and purchased a plan from MXroute for email. Is there another way to hide my IP rather than Cloudflare? I'm not sure why my site speed decreases with them. Or should I get a plan from BunnyCDN and let it work together with Cloudflare?

  • MikeA Member, Provider
    edited June 13

    @stephfd21 said: My first password was sorta weak, but then I changed it to a much stronger password (128 keys) and a new IP. Somehow the guy still got in :/ The VPS was unmanaged, so it's no fault of UpCloud's. I do miss their service though; I was with DigitalOcean and Vultr before but they never gave me speed like UpCloud. Cloudcone claims their VPS servers are managed, but I still went ahead and purchased a plan from MXroute for email. Is there another way to hide my IP rather than Cloudflare? I'm not sure why my site speed decreases with them. Or should I get a plan from BunnyCDN and let it work together with Cloudflare?

    Ah sorry, misread and thought a reply above was talking about your current one being managed. Cloudflare is the easiest way to hide everything (and remote mail, since you bought an MXroute package) as long as you only have the single DNS entry needed for the website. Obviously if there's an exploit in a WordPress plugin or something it won't matter anyway. Install Wordfence maybe.

  • Hmm, didn't know that someone could access a server due to a WordPress installation. Thanks for the tip.

  • But the OP said the hacker could log in via SSH, so it probably is not a WordPress installation issue.

  • kaktus69 Member

    I don't think MXroute will hide the IP of the sending server (unless we're talking about a different plan; I use them as an SMTP relay so my log/alert etc. emails from different servers/VPSes go to the inbox rather than spam without having to mess about with SPF records).

    @stephfd21 Did they get in via SSH each time you got hacked or was it just the first time? After the first hack did you reinstall everything from scratch or restore from a (possibly tainted) backup?

    I'm definitely no expert, which is why I suggested a managed VPS or shared hosting; a reputable host will know far more than you or I ever will about security/0-days and will hopefully keep their systems patched/updated.

  • Cloudcone Member, Provider

    @stephfd21, have you raised a ticket? let me have your ticket ID

  • tr1cky Member

    @kaktus69 said: I don't think MXroute will hide the IP of the sending server (unless we're talking about a different plan; I use them as an SMTP relay so my log/alert etc. emails from different servers/VPSes go to the inbox rather than spam without having to mess about with SPF records).

    @stephfd21 Did they get in via SSH each time you got hacked or was it just the first time? After the first hack did you reinstall everything from scratch or restore from a (possibly tainted) backup?

    I'm definitely no expert, which is why I suggested a managed VPS or shared hosting; a reputable host will know far more than you or I ever will about security/0-days and will hopefully keep their systems patched/updated.

    Normal MXroute spoofs the IP.

    Amazon SES hides the origin IP and costs 10 ct per 1000 mails.

  • @Cloudcone said: @stephfd21, have you raised a ticket? let me have your ticket ID

    Hey guys, it's not your service that's having the issue, it's UpCloud's. Actually it's my fault for not securing my server. My main concern was the security of the server, as it's obvious that I can't manage it myself.

  • @kaktus69 said: I don't think MXroute will hide the IP of the sending server (unless we're talking about a different plan; I use them as an SMTP relay so my log/alert etc. emails from different servers/VPSes go to the inbox rather than spam without having to mess about with SPF records).

    @stephfd21 Did they get in via SSH each time you got hacked or was it just the first time? After the first hack did you reinstall everything from scratch or restore from a (possibly tainted) backup?

    I'm definitely no expert, which is why I suggested a managed VPS or shared hosting; a reputable host will know far more than you or I ever will about security/0-days and will hopefully keep their systems patched/updated.

    I did install a backup of the files; hmm, that may be why the 2nd hack took place...

  • @stephfd21 said:

    @Cloudcone said: @stephfd21, have you raised a ticket? let me have your ticket ID

    Hey guys, it's not your service that's having the issue, it's UpCloud's. Actually it's my fault for not securing my server. My main concern was the security of the server, as it's obvious that I can't manage it myself.

    I suggest you start with a fresh install on a fresh server and follow these instructions: https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-18-04. It's important to add a new user to the server and disable root login. A few years back I ordered a VPS from a provider and went to bed before it was delivered. Came back the next morning and found over 40,000 root login attempts in the space of 6 hours!

    Considering you said you don't have much experience running things, sign up with RunCloud and use that instead of cPanel.

    Which security plugin were you using on the site?
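The linked tutorial's two key steps (a non-root user with a key, root login disabled) come down to a handful of sshd_config directives, plus the port change MikeA mentioned earlier. Below is an added example, not the tutorial's code and not anyone in the thread's, that applies and then audits those directives on a copy of the file so the result can be checked before the live file is touched. It assumes OpenSSH's `key value` config syntax and that any Match blocks come after the global settings, which is how sshd itself reads the file; the sample config is constructed, loosely shaped like a stock Debian/Ubuntu one.

```shell
#!/bin/sh
# Added example: harden and audit an sshd_config on a given path.
# Uses awk rather than "sed -i" so it behaves the same on GNU and BSD userlands.

# Constructed sample. It has a Match block on purpose: directives after
# "Match" apply only to that block, so appending at end of file would land
# the new settings inside it and leave the global defaults untouched.
SAMPLE_SSHD_CONFIG='Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
Match User backup
    PasswordAuthentication yes'

# set_directive FILE KEY VALUE
# Removes every global occurrence of KEY (commented or not, case-insensitive),
# leaves Match blocks alone, and puts "KEY VALUE" first, because sshd honours
# the first occurrence of a directive.
set_directive() {
    awk -v key="$2" -v val="$3" '
        BEGIN { print key, val; lk = tolower(key) }
        tolower($1) == "match" { in_match = 1 }
        !in_match {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)
            split(line, w, /[ \t=]+/)
            if (tolower(w[1]) == lk) next
        }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# effective_directive FILE KEY: the global value sshd would use
# (first uncommented occurrence before any Match block), empty if unset.
effective_directive() {
    awk -v key="$2" '
        BEGIN { lk = tolower(key) }
        tolower($1) == "match" { exit }
        tolower($1) == lk { print $2; exit }
    ' "$1"
}

# harden_sshd_config FILE [PORT]: key-only logins, no root, optional new port.
harden_sshd_config() {
    set_directive "$1" PermitRootLogin no
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" PubkeyAuthentication yes
    set_directive "$1" MaxAuthTries 3
    [ -n "${2:-}" ] && set_directive "$1" Port "$2"
    return 0
}

# audit_sshd_config FILE: print each checked directive; return 1 if any is weak.
# An unset directive counts as weak: PasswordAuthentication defaults to yes and
# PermitRootLogin defaults to prohibit-password, neither of which is "no".
audit_sshd_config() {
    rc=0
    for want in "PermitRootLogin no" "PasswordAuthentication no"; do
        key=${want% *}
        got=$(effective_directive "$1" "$key")
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "${want#* }" ]; then
            printf 'OK    %s %s\n' "$key" "$got"
        else
            printf 'WEAK  %s %s\n' "$key" "${got:-(unset, sshd default applies)}"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed sample.
cfg=$(mktemp)
printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$cfg"
audit_sshd_config "$cfg" || echo "before: weak settings found"
harden_sshd_config "$cfg" 2222
audit_sshd_config "$cfg" && echo "after: ok"
rm -f "$cfg"
```

Rehearse on a copy (`cp /etc/ssh/sshd_config /tmp/sshd_config; harden_sshd_config /tmp/sshd_config 2222; diff /etc/ssh/sshd_config /tmp/sshd_config`), install it, run `sshd -t` for a syntax check, open the new port in the firewall, and only restart sshd once a key-based login for the new user works in a second terminal; locking yourself out is the usual failure mode. The script does not create the user or install the key: the `adduser`, `usermod -aG sudo` and `~/.ssh/authorized_keys` steps from the tutorial still apply, and they have to happen before PasswordAuthentication is turned off.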

  • I bought a yearly package with Webuzo as it has a cPanel layout. I'll check out RunCloud now.

  • Which WordPress security plugin were you using?

  • jooja Member

    @stephfd21 said: Hey guys, I'm looking for some advice on DDoS protection. I recently purchased a VPS from UpCloud that worked great for my needs. I was running WordPress sites via Webuzo; however, a hacker got in and uploaded script kiddies to all my hosted sites and used up over 6TB of bandwidth, which UpCloud charged to my account. This was basically my first time dealing with a VPS and I abused their support due to my lack of knowledge. Afterwards I installed a firewall and only opened the ports necessary for access to Webuzo; 5 days later, hacked again. I decided to route everything through Cloudflare; however, my sites began taking 3+ seconds to load versus under 1 second without Cloudflare. Bam, hacked again because I was using email on my server and this exposed my IP. Having decided to abandon UpCloud, I purchased a plan with Cloudcone; the speed/load time is way slower but they offer DDoS protection. My question is, will the DDoS protection that Cloudcone or any VPS provider offers be enough to protect me from getting hacked again?

    Are you being hacked or attacked by ddos?

    If you're getting hacked, you should change your passwords, install a WAF, search for suspicious files on your webserver, close unwanted open ports, and if you use PHP disable the PHP permissions that can be used to hack your server, like exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source, fopen, fsockopen, etc.

    But... if you're getting DDoSed, try services like Sucuri CloudProxy or Cloudflare Under Attack Mode, and also make sure that your site cannot be accessed directly (limiting access to only Cloudflare or Sucuri IP addresses). If it is a Layer 4 DDoS you might want an OVH server or one from any other mitigation provider (Psychz, Voxility, Corero, etc.).
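jooja's "make sure that your site cannot be accessed directly" is the part that addresses the third compromise in the OP's story: once the origin IP leaks (mail headers, an old DNS record, a certificate transparency log), Cloudflare only helps if the origin refuses everyone else. The following is an added example, not jooja's or Cloudflare's code: it turns the published edge IP list into an nftables ruleset that accepts 80/443 only from those ranges and drops everything else except SSH on a port of your choosing. It assumes nftables on the origin and IPv4 only; the ranges file is what you would save from https://www.cloudflare.com/ips-v4 (one CIDR per line), and the ranges in the demo are constructed documentation prefixes, not Cloudflare's.

```shell
#!/bin/sh
# Added example: origin lockdown ruleset for nftables from a list of proxy
# edge ranges. Validates every line so a corrupted download cannot produce a
# ruleset that silently opens (or closes) the wrong thing.

# valid_ipv4_cidr CIDR: shape check plus octet range check. Body runs in a
# subshell so changing IFS and the positional parameters stays local.
valid_ipv4_cidr() (
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    IFS=.
    set -- ${1%/*}
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
)

# cloudflare_origin_rules RANGES_FILE [SSH_PORT]: nft ruleset on stdout.
# Invalid lines are reported on stderr and skipped; an empty result is an
# error, since a ruleset with an empty set would block the site entirely.
cloudflare_origin_rules() {
    elements=""
    while IFS= read -r cidr || [ -n "$cidr" ]; do
        case "$cidr" in ''|'#'*) continue ;; esac
        if valid_ipv4_cidr "$cidr"; then
            elements="${elements:+$elements, }$cidr"
        else
            printf 'skipping invalid range: %s\n' "$cidr" >&2
        fi
    done < "$1"
    [ -n "$elements" ] || { echo "no valid ranges, refusing to emit a ruleset" >&2; return 1; }
    ssh_port=${2:-22}
cat <<EOF
table inet origin {
    set cloudflare_v4 {
        type ipv4_addr
        flags interval
        elements = { $elements }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request accept
        tcp dport $ssh_port accept
        ip saddr @cloudflare_v4 tcp dport { 80, 443 } accept
        # anything else, including direct hits on 80/443 from non-proxy IPs, is dropped
    }
}
EOF
}

# Demo with constructed ranges (RFC 5737 documentation prefixes) and one bad line.
ranges=$(mktemp)
printf '203.0.113.0/24\n198.51.100.0/25\n# comment line\nnot-a-range\n' > "$ranges"
cloudflare_origin_rules "$ranges" 2222
rm -f "$ranges"
```

Load the output with `nft -f`, keep it refreshed (the published list changes occasionally), add the IPv6 list as a second set matched with `ip6 saddr`, and do the same with Sucuri's ranges if you proxy through them instead. A quick check that it took effect: `curl -sk --resolve example.com:443:ORIGIN_IP https://example.com/` from anywhere outside those ranges should time out, not serve the site. Mail sent directly from the box still leaks the IP in its Received headers, which is why the remote mail service is the other half of hiding the origin.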

  • thanks for the help, I'll look into this

  • webwerksDC Member

    An organization should safeguard their DNS servers from DDoS attacks by implementing Name Server Protection.

  • FHR Member, Provider
    edited June 15

    @jooja said: curl_exec,curl_multi_exec,fopen

    this will prevent some legit stuff from working. Use with caution. I completely agree with disabling everything else mentioned though.

    @webwerksDC said: An organization should safe Guard their DNS Servers from DDoS attacks by implementing Name Server Protection.

    This is a completely offtopic comment, the issue is not DNS being attacked.

  • caracal Member

    @webwerksDC said: An organization should safe Guard their DNS Servers from DDoS attacks by implementing Name Server Protection.

    Keywords are words that are key to having words that are key by implementing keyboard entering mechanisms.
