So last night I got a mail from google-cloud-compliance that one of the VM instances have some critical problems and it will be suspended after 72 hours if the pattern is continued and appeal not filed. Below is the mail I received.
We have recently detected that your Google Cloud Project has been
performing intrusion attempts against a third-party and appears to be
violating our Terms of Service. Specifically, we detected port
scanning on remote port 22 originating from your Compute Engine
project targeting more than 4451 IP addresses between 2019-04-02 09:31
and 2019-04-02 09:55 (Pacific Time). Please check the traffic
originating from all your instances and fix any other instances that
may be impacted by this.
To access the VM via ssh you've to add your public key in the instance itself and A minimal Django project is deployed in the instance so I don't think it was due to both of these things. So my question is what caused it and how I can secure my VM instance.
I will strongly recommend you to delete your VM instance, as you cannot be completely sure about until what extent it has been compromised.
Once everything has been recreated again, you can take some measures to try to prevent this from happening again. As stated in the comments, I will use strong passwords and I will make sure that all the software you are using is properly updated and patched, especially Django.
Also, I would take a look to the firewall rules, using the least privilege best-practice. For example, you can make sure that only the IPs you are using to access your instance are allowed in port 22.
Finally, I would suggest you to take a look to this. It is a new Beta feature that allows you to detect “DDoS attacks originating inside your organization”. Besides you can check this best practices in order to harden SSH access. Especially remarkable among them is https://www.sshguard.net/ which is able to recognize patterns such as several login failures within a few seconds and then block the offending IP.
Related
I am looking for a basic thing yet I have not found not even a single good documentation on getting it done.
I want to allocate a floating IP, then associate it to a network interface of a droplet other than eth0.
The reason is I want to have the ability to very easily switch from one IP to the other with a programming language.
In a few words, I want to be able to do these two commands and both should provide a different response.
curl --interface eth0 https://icanhazip.com
curl --interface eth1 https://icanhazip.com
Also, I want to know what to do once I release the Floating IP, how do I roll back to the starting point.
All documentation I read, rely heavily on "ip route" and "route", most did not even work, some worked but replaced completely the old IP by the floating and that's not what I want, and also they did not show how to rollback the introduced configuration changes.
Please help, I spent 1 whole day now trying to get this to work for a project, and no results so far.
I guess there is no need to know DigitalOcean, how to make this work on other Cloud Providers would apply here too I think.
Update
After asking this on DigitalOcean community forum (https://www.digitalocean.com/community/questions/clear-guide-on-outbound-network-through-floating-ip), they claim that is not supported, although there may be some solutions to this if somebody can provide such a "hacky" solution I would take it too. Thanks
In the cloud (AWS. GCP etc.) ARP is emulated by the virtual network layer, meaning that only IPs assigned to VMs by the cloud platform can be resolved. Most of the L2 failover protocols do break for that reason. Even if ARP worked,the IP allocation process for these IPs (often called “floating IPs”) would not integrate with the virtual network in a standard way, so your OS can't just "grab" the IP using ARP and route the packets to itself.
I have not personally done this on Digital Ocean, but I assume that you can call the cloud's proprietary API to do this functionality if you would like to go this route.
See this link on GCP about floating IPs and their implementation. Hope this is helpful.
Here's an idea that needs to be tested:
Let's say you have Node1(10.1.1.1/24) and Node2(10.1.1.2/24)
Create a loopback interface on both VMs and set the same IP address for both like (10.2.1.1/32)
Start a heartbeat send/receive between them
When NodeA starts it automatically makes an API call to create a route for 10.2.1.1/32 and points to itself with preference 2
When NodeB starts it automatically makes an API call to create a route for 10.2.1.1/32 and points to itself with preference 1
The nodes could monitor each other to withdraw the static routes if the other fails. Ideally you would need a 3rd node to reach quorum and prevent split brain scenarios, but you get the idea right?
By reading documents on MSDN, I realized that it is recommended to create separate hosts by functionality (Sending hosts, Receiving hosts and Processing hosts). And if there is only one host in this bizTalk server, this host can perform all receiving, sending, and processing messages functionality.
My question is: Is it possible to have multiple hosts that each host can perform its own sending, receiving and processing function , and not affect each other?
This is for multiple developers working on the same project, because our current situation doesn't allow us to have a full set of SQL Server Database and SQL server for each developer or using VM.
Thanks a lot!
Multiple hosts is not a solution for letting multiple developers work on a single server. A single send/receive adapter can only be assigned to one host.
You will also run into other problems, as all the configuration settings are shared in a single database, a change from 1 developer will effect the others.
This same question was asked and answered at MSDN. What you are trying to do is not supported and will not work. There is no way around this.
You must deploy the same application code to each computer in a BizTalk Group.
Sharing a BizTalk computer for development work is not a workable or productive solution and will have a definite negative affect on productivity.
You are correct, the best way to handle DEV is a VM with the entire stack. This is the issue you must address in your environment.
I'm coding an extension for a customer, one of the requirements is that the extension also works offline because internet services are not that reliable, my customer's business can't stop but can deal with "stale" data, thats a nice tradeoff I guess.
Therefore, I want to code some kind of distributed cache as an extension to synchronize local data among the N nodes that will be connected running the same application and thus synchronize with the real database, hosted on the internet.
In order to achieve that I imagined that I would need to make a network broadcast and listen to incoming broadcasts, then every node that starts to run my application will broadcast it's IP address and become available as a new node for the distributed cache, failover is very important here.
I googled some possibilities I initially thought but none of them will work, I guess. The first was to do it just with HTTP, the second was to use Google Native Client to write C++ code that could run network code and thus do the broadcast, but it has limitations. Right now I'm thinking to use Java Applets but I don't really know if they have some limitations related to networking or if Chrome Extensions has any limitation with Java Applets.
Any ideas on how to do it? Using some of the stuff I suggested or another approach?
You could create an NPAPI extension, which would not be restricted by Chrome at all.
My church has a management software that we would like to have several people access at the same time but over the internet. We have a website but it is hosted by another company. Is it possible to create a hyperlink on our website to access this program on our office computer? The hyperlink would be setup so that it is not visible to those who don't have access to the program. We have tried several remote access program such as TeamView and Go2MyPC. These give access to the entire computer and that is not something we want either. If we can't do the hyperlink is it possible for us to turn this computer into a server and access it that way> Again the focus is for at least 5 people to be able to use this software at the same time should that need arise.
Our church management software is designed to be run on a network. We have already setup the user IDs and passwords for the group who currently have access to the it. The problem is that we only have one office computer and all of or group can't use it at one time because the each have access to different parts. I.e. Treasurer can only acces financial module, clerk can only access membership roster and so on. The goal is to find the path of least resistance that will allow as many of these people to access this software at the same time as possible remotely. I understand the security issues so to that I ask if anyone thinks we should get another computer to make into a server or turn this on we have into one.
Is there an advantage to hosting our own website on our machine where the management software is already located?
You actually have three different problems:
You are trying to use a "nonserver machine" as a server. I assume it doesn't have a static IP address; a static hyperlink will fail. Since you have a web site, you can set up your Management Software Server (for lack of a better name) to check in with your web site server, which will hold the latest IP address for your MSS. Your users can then check in with the web server and then connect to your MSS.
You are trying to keep most people out, but some people in. You need an authentication scheme. This usually means a login name and password, and a secure way to transmit it. SSL is probably what you want to look at. You'll need a SSL certificate (you can make your own), and a client program (web browsers work) that can make SSL connections.
You are trying to allow your users to do only some things, but not others. You need an authorization scheme. This is provided by the server application, such as the Windows Remote Desktop. Without knowing how much granularity you need, it's hard to say exactly what you need.
#bdares hit a bunch of your issues right on the head...
And then some... As a church, sounds of funding already ringing that they won't have that type of funding to handle... especially opening up a channel to the church management and possible accounting. Even if offering your own SSL certificate, getting hacked is getting easier and easier. If its a low budget operation with financial data readily easy for the taking, I'd hate to see a church (or any other legitimate non-profit organization) get messed up.
There are a lot of security issues to deal with and you can NOT take it lightly.
I'm making a network game (1v1) where in-game its p2p - no need for a game server.
However, for players to be able to "find each other", without the need to coordinate in another medium and enter IP addresses (similar to the modem days of network games), I need to have a coordination/matching server.
I can't use regular web hosting because:
The clients will communicate in UDP.
Therefore I'll need to do UDP Hole Punching to be able to go through the NAT
That would require the server to talk in UDP and know the client's IP and port
afaik with regular web hosting (php/etc) I can only get the client's IP address and can only communicate in TCP (HTTP).
Options I am currently considering:
Use a hosting solution where my program can accept UDP connection. (any recommendations?)
UDPonNAT seems to do this but uses GTalk and requires each client to have a GTalk account for this (which probably makes it an unsuitable solution)
Any ideas? Thanks :)
First, let me say that this is well out of my realm of expertise, but I found myself very interested, so I've been doing some searching and reading.
It seems that the most commonly prescribed solution for UDP NAT traversal is to use a STUN server. I did some quick searches to see if there are any companies that will just straight-up provide you with a STUN hosting solution, but if there even were any, they were buried in piles of ads for simple web hosting.
Fortunately, it seems there are several STUN servers that are already up and running and free for public use. There is a list of public STUN servers at voip-info.org.
In addition, there is plenty more information to be had if you explore SO questions tagged "nat".
I don't see any other choice than to have a dedicated server running your code. The other solutions you propose are, shall we say, less than optimal.
If you start small, virtual hosting will be fine. Costs are pretty minimal.
Rather than a full-blown dedicated server, you could just get a cheap shared hosting service and have the application interface with a PHP page, which in turn interfaces with a MySQL database backend.
For example, Lunarpages has a $3/month starter package that includes 5gb of space and 50gb of bandwidth. For something this simple, that's all you should need.
Then you just have your application poll the web page for the list of games, and submit a POST request in order to add their own game to the list.
Of course, this method requires learning PHP and MySQL if you don't already know them. And if you do it right, you can have the PHP page enter a sort of infinite loop to keep the connection open and just feed updates to the client, rather than polling the page every few seconds and wasting a lot of bandwidth. That's way outside the scope of this answer though.
Oh, and if you're looking for something absolutely free, search for a free PHP host. Those exist too! Even with an ad-supported host, your app could just grab the page and ignore the ads when you parse the list of games. I know that T35 used to be one of my favorites because their free plan doesn't track space or bandwidth (it limits the per-file size, to eliminate their service being used as a media share, but it shouldn't be a problem for PHP files). But of course, I think in the long run you'll be better off going with a paid host.
Edit: T35 also says "Free hosting allows 1 domain to be hosted, while paid offers unlimited domain hosting." So you can even just pay for a domain name and link it to them! I think in the short term, that's your best (cheapest) bet. Of course, this is all assuming you either know or are willing to learn PHP in order to make this happen. :)
There's nothing that every net connection will support. STUN is probably good, UPnP can work for this.
However, it's rumored that most firewalls can be enticed to pass almost anything through UDP port 53 (DNS). You might have to argue with the OS about your access to that port though.
Also, check out SIP, it's another protocol designed for this sort of thing. With the popularity of VOIP, there may be decent built-in support for this in more firewalls.
If you're really committed to UDP, you might also consider tunneling it over HTTP.
how about you break the problem into two parts - make a game matcher client (that is distinct from the game), which can communicate via http to your cheap/shared webhost. All gamers who wants to use the game matching function use this. THe game matcher client then launches the actual game with the correct parameters (IP, etc etc) after obtaining the info from your server.
The game will then use the standard way to UDP punch thru NAT, etc etc, as per your network code. The game dont actually need to know anything about the matcher client or matcher server - in the true sense of p2p (like torrents, once you can obtain your peer's IPs, you can even disconnect from the tracker).
That way, your problems become smaller.
An intermediate solution between hosting your own dedicated server and a strictly P2P networking environment is the gnutella model. In that model, there are superpeers that act like local servers, having known IP addresses and being connected to (and thus having knowledge of) more clients than a typical peer. This still requires you to run at least one superpeer yourself, but it gives you the option to let other people run their own superpeers.