Control Panel Firewall ( beta )

Use this forum if you have a relatively general question or comment about a game, Ventrilo, TeamSpeak, or Murmur/Mumble server with us. If you have a server-specific question that might not help out the community, please directly contact us through your control panel instead.
Hooligan
New to forums
Posts: 8
Joined: Mon Feb 17, 2014 10:15 am

Control Panel Firewall ( beta )

Post by Hooligan »

Question.
Is using the software firewall in a server control panel offered by NFO worth the effort configuring?

If there are multiple IP addresses on the box that my IP is nested, and NFO has its own countermeasures in place already that will alert NFO to malicious activity on client IPs ( DDoS, ICMP floods, etc. as evidenced by some of the notes that are attached in the event log of control panels ), is it worth sitting there and doing a packet capture and then applying filtering rules?

It is close to impossible to have someone man a server control panel 24x7 for suspicious activity. As well, being mobile enough to send a support request to NFO within a small window of 3-5min of when an outage or server-wide performance impact is happening is also difficult. As is common knowledge, aggressor IP addresses can and do change rapidly, negating the filtering rules one may apply.

If you set basic rules like blocking UDP and TCP 80 traffic, or similar on your IP, but you are nested with other IPs, you can still be susceptible to performance hits if another IP on your box gets hit ( due to spanning the attack across the addresses in the box ), correct?
Short of being on the NFO side of the desk, having the ability to load balance, see connectivity logs for client IPs and when there are sudden, complete drops in connected client IPs, what kind of luck has anyone else out there had with firewall configuration? Is an IP crashing or dropping all players ( unrelated to Blaze or Plasma failures ) just a 'normal' part of providing a server for a gaming community? ::sad face::
Thanks!
soja
This is my homepage
Posts: 2389
Joined: Fri May 18, 2012 3:20 pm

Re: Control Panel Firewall ( beta )

Post by soja »

Depending on your use case, it is absolutely worth spending some time to "harden" your server.

I have IP whitelists set up for my management ports, and you could set them up for things like server rcon as well. This prevents anyone from seeing the port open at all, much less trying to brute force your application.

For example, on a srcds based game server, blocking TCP to port 27015 will disable rcon (you can use things like sm_rcon in place of it). If you have an allow rule (whitelist) before the block rule, you can filter traffic so only you and your admins have rcon access too!

Personally I have had success filtering CS:S application based attacks in the range of 50-200Mb/s by filtering packet contents, meaning if they are using spoofed IPs the traffic is still blocked. It has been a LONG time since I have needed to do this. I have recently needed to block traffic that was hitting my web server, from about a dozen IPs. The total bandwidth from the attack was like 5Mb/s, and was not picked up by NFO's automatic filtering (it looked like normal HTTP traffic).

Technically you are susceptible to high-bandwidth attacks against other users on your machine, but NFO automatically filters attacks at their routers up to 20Gb/s in some locations, and attacks over that size are null-routed within seconds(hopefully) causing minimal impact. This is one of the many reasons NFO is #1 IMO.

It is up to you whether you think it's worth it or not, but if you are ever a victim of a brute force, or someone gives your rcon password out, you will say "I wish I had my firewall whitelist set up" :D

If you need any help making firewall rules please ask :)
Not a NFO employee
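The "allow rule before the block rule" point above, as an added example that is not from this thread or the NFO panel: a first-match rule evaluator run over an admin connection, a stranger's rcon attempt and ordinary game traffic, with the same two rules in both orders. The admin subnet, the stranger IP and the default-allow behaviour for uncovered traffic are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "block"
    proto: str              # "tcp" or "udp"
    port: int
    src: str = "0.0.0.0/0"  # source network the rule applies to; default is everyone

def first_match(rules, proto, port, src_ip):
    """First-match evaluation: the first rule fitting the packet decides.
    Assumption: traffic no rule covers is allowed, as on a panel with no default deny."""
    for r in rules:
        if r.proto == proto and r.port == port and ip_address(src_ip) in ip_network(r.src):
            return r.action
    return "allow"

# Constructed values: an admin subnet and the srcds rcon port named in the post.
ADMIN_NET, ADMIN_IP, RCON_PORT = "203.0.113.0/24", "203.0.113.10", 27015

# Whitelist first, then block: admins reach rcon, nobody else even sees it open.
GOOD_ORDER = [Rule("allow", "tcp", RCON_PORT, ADMIN_NET),
              Rule("block", "tcp", RCON_PORT)]
# The same two rules reversed: the block matches first and locks the admins out too.
BAD_ORDER = GOOD_ORDER[::-1]

def decisions(rules):
    """What each kind of traffic gets under a rule set."""
    return {"admin_rcon": first_match(rules, "tcp", RCON_PORT, ADMIN_IP),
            "stranger_rcon": first_match(rules, "tcp", RCON_PORT, "198.51.100.7"),
            "game_udp": first_match(rules, "udp", RCON_PORT, "198.51.100.7")}
```

Game traffic on the UDP side is untouched by either order; only the TCP rcon port changes hands.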
Hooligan
New to forums
Posts: 8
Joined: Mon Feb 17, 2014 10:15 am

Re: Control Panel Firewall ( beta )

Post by Hooligan »

Thanks for the response.
So, for a DICE / EA ( Plasma - Blaze backend also ) game server, are there ‘template, typical’ ports / services that can be blocked right away to redirect attacks?

Is using the packet capture tool beneficial given it captures a second's worth of traffic? Presumably you have to jump in there right as the issue is showing up.

Eliminating or reducing the impact of malicious activity will then allow determining what else could be causing the drops of clients on the IP.
soja
This is my homepage
Posts: 2389
Joined: Fri May 18, 2012 3:20 pm

Re: Control Panel Firewall ( beta )

Post by soja »

Unfortunately I don't own any BF4 servers, and I haven't done much research into hardening them. I think most attacks are targeted towards EA now, because if Blaze goes down, it affects thousands of servers, over just one. Maybe John or someone else can let you know if there is anything proactive you can do on the firewall panel for a BF3/4 server.

As for the packet capture, it captures a 100 packet snapshot (I think), which should be enough in a high PPS attack to see a pattern in the traffic and attempt to block it. I have only used the packet capture after there is already a problem, never to proactively find attacks.
Not a NFO employee
Edge100x
Founder
Posts: 12945
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Control Panel Firewall ( beta )

Post by Edge100x »

soja is right. The firewall tool is useful for hardening a VDS, and useful for blocking/banning individual IP addresses that our system might not be able to tell are malicious. Customers have also used it to react to attacks that are so small that our system doesn't tell they are attacks, and to apply filters that don't make sense for us to do at our router for performance reasons (rate-limiting, for instance).

You don't have to use it at all, of course. But it's there if you need it.
SERGIO9800
New to forums
Posts: 8
Joined: Sat Apr 13, 2013 2:32 pm

Re: Control Panel Firewall ( beta )

Post by SERGIO9800 »

This firewall, as it is called: is there any way it can be adapted to a dedicated server from NFO, since there is currently no firewall tab for dedicated servers? And is it in a web environment like this one?
soja
This is my homepage
Posts: 2389
Joined: Fri May 18, 2012 3:20 pm

Re: Control Panel Firewall ( beta )

Post by soja »

SERGIO9800 wrote: This firewall, as it is called: is there any way it can be adapted to a dedicated server from NFO, since there is currently no firewall tab for dedicated servers? And is it in a web environment like this one?
You can manage your own firewall on an unmanaged dedicated server. As for managed, the feature was removed a while ago, but you can still filter for each server.
Not a NFO employee
SERGIO9800
New to forums
Posts: 8
Joined: Sat Apr 13, 2013 2:32 pm

Re: Control Panel Firewall ( beta )

Post by SERGIO9800 »

But how do I implement this firewall, as it is called?
soja
This is my homepage
Posts: 2389
Joined: Fri May 18, 2012 3:20 pm

Re: Control Panel Firewall ( beta )

Post by soja »

Depends on your OS: on Linux use iptables; on Windows, use Windows Firewall.
Not a NFO employee
SERGIO9800
New to forums
Posts: 8
Joined: Sat Apr 13, 2013 2:32 pm

Re: Control Panel Firewall ( beta )

Post by SERGIO9800 »

18:44:21.195243 IP 86.217.189.199.60510 > 104.153.107.155.9000: UDP, length 15
0x0000: 4504 002b 0138 0000 3011 a098 56d9 bdc7
0x0010: c05f 13ee ec5e 2328 0017 9686 5341 4d50
0x0020: 6c65 7a64 7768 7200 0000 006a cab5
18:44:21.195280 IP 119.86.127.81.60512 > 104.153.107.155.9000: UDP, length 15
0x0000: 4504 002b 109a 0000 3011 af2f 7756 7f51
0x0010: c05f 13ee ec60 2328 0017 b47d 5341 4d50
0x0020: 6c65 7a64 7768 7200 0000 00d9 22cb
18:44:21.195402 IP 144.72.71.63.28162 > 104.153.107.155.9000: UDP, length 11
0x0000: 4504 0027 f395 0000 2e11 ed57 9048 473f
0x0010: c05f 13ee 6e02 2328 0013 75f0 5341 4d50
0x0020: 6862 6570 6c73 7200 0000 44f5 18db
18:44:21.195569 IP 23.215.160.102.28156 > 104.153.107.155.9000: UDP, length 11
0x0000: 4504 0027 9398 0000 2e11 6c9f 17d7 a066
0x0010: c05f 13ee 6dfc 2328 0013 9540 5341 4d50
0x0020: 6862 6570 6c73 7200 0000 7319 5dee

Any idea how to block this with iptables or something else?
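To see what a capture like the one above actually contains before writing any rule, here is an added Python example (not from this thread or from NFO) that decodes `tcpdump -x` output, uses the IP total length to drop the Ethernet padding bytes at the end of each dump, and reports the longest payload prefix shared by all packets, which is what an iptables string match would key on. The sample is two of the four packets from the post, copied verbatim; the `--from 28` offset assumes an IPv4 header without options, and whether to DROP or merely rate-limit such traffic is a judgement call, since short fixed-prefix UDP packets are also what legitimate server queries look like.

```python
import re

# Constructed sample: two of the four packets from the capture above, verbatim.
CAPTURE = """\
18:44:21.195243 IP 86.217.189.199.60510 > 104.153.107.155.9000: UDP, length 15
0x0000: 4504 002b 0138 0000 3011 a098 56d9 bdc7
0x0010: c05f 13ee ec5e 2328 0017 9686 5341 4d50
0x0020: 6c65 7a64 7768 7200 0000 006a cab5
18:44:21.195402 IP 144.72.71.63.28162 > 104.153.107.155.9000: UDP, length 11
0x0000: 4504 0027 f395 0000 2e11 ed57 9048 473f
0x0010: c05f 13ee 6e02 2328 0013 75f0 5341 4d50
0x0020: 6862 6570 6c73 7200 0000 44f5 18db
"""

HEX_LINE = re.compile(r"^\s*0x[0-9a-f]{4}:\s+([0-9a-f ]+)")

def decode_udp(raw):
    """Split one raw IPv4/UDP packet into (src_ip, sport, dport, payload).
    The IP total length bounds the packet; anything past it is link-layer padding."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = int.from_bytes(raw[2:4], "big")
    src_ip = ".".join(str(b) for b in raw[12:16])
    udp = raw[ihl:total_len]
    sport, dport, ulen = (int.from_bytes(udp[i:i + 2], "big") for i in (0, 2, 4))
    return src_ip, sport, dport, udp[8:ulen]

def parse_capture(text):
    """Walk a tcpdump -x dump: each timestamped header line starts a new packet."""
    packets = []
    for chunk in re.split(r"^(?=\d\d:\d\d:\d\d\.)", text, flags=re.M):
        raw = b"".join(bytes.fromhex(m.group(1).replace(" ", ""))
                       for m in (HEX_LINE.match(l) for l in chunk.splitlines()) if m)
        if raw:
            packets.append(decode_udp(raw))
    return packets

def common_prefix(payloads):
    """Longest byte prefix shared by every payload: the candidate for a string match."""
    n = 0
    while all(len(p) > n and p[n] == payloads[0][n] for p in payloads):
        n += 1
    return payloads[0][:n]

def string_match_rule(dport, prefix, action="DROP"):
    """iptables rule for that prefix; --from 28 skips the IPv4 (no options) and UDP headers."""
    hexs = " ".join(f"{b:02x}" for b in prefix)
    return (f"iptables -A INPUT -p udp --dport {dport} -m string --algo bm "
            f"--from 28 --hex-string '|{hexs}|' -j {action}")
```

On this sample every payload starts with the four ASCII bytes "SAMP", so that is the prefix the rule generator emits; confirm the traffic is unwanted before applying anything.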
soja
This is my homepage
Posts: 2389
Joined: Fri May 18, 2012 3:20 pm

Re: Control Panel Firewall ( beta )

Post by soja »

You are using an unmanaged VDS, which means you have access to the firewall tab; you don't need to use an OS firewall to block traffic.

I don't see any pattern there, and the hosts for those IPs don't look malicious to me.

What kind of server are you running?
Not a NFO employee
SERGIO9800
New to forums
Posts: 8
Joined: Sat Apr 13, 2013 2:32 pm

Re: Control Panel Firewall ( beta )

Post by SERGIO9800 »

I want to switch to dedicated servers from NFO, but as there is no firewall tab, I want to know how to block this type of content with iptables or some other firewall before moving to a dedicated server!