Protection from repetitive vulnerability scans

vps

#1

Our VPS ran out of memory during a 20-minute vulnerability scan (generating thousands of error log entries) from a single IP address using OpenVAS. On an internal server under my control, it would be easy to block this kind of attack using fail2ban (I use fail2ban to block 100s to 1000s of hostile accesses daily – oddly, it seems like the bad guys mostly took last weekend off). I think that will be tough without sudo access, which, of course, recently went away…

The good folks at DreamHost say this is my problem, and have made it clear that they have no interest in preventing this kind of thing for a VPS. Has anyone else running a DreamHost VPS found reasonable solutions?

Thanks.

–Ken


#2

I’ll take that lack of replies after more than 180 views as a ‘no’ – no one else has a good solution. Once again our VPS ran out of memory during an OpenVAS scan. Since DreamHost doesn’t care, and the user community doesn’t know, I will need to find my own solution.

Sigh. I hate this kind of shopping.


#3

I don’t see why this is your problem while DreamHost clearly stated that the VPSs are managed and thus their problem as well, so to speak. And without sudo you are quite limited in what you can actually do about it. You can, however, request temp sudo access so you can resolve your problem. But in the future, all sudo access will be perm removed. So you’d need to implement something now (once you have regained sudo access) that you can manage without sudo in the future.


#4

I would suggest you file a support ticket and engage with Tech Support directly.


#5

Thanks for your concern. I started by filing a support ticket. The response was two-fold. It was my problem not theirs, but out of the goodness of their hearts they pointed me to an example of how I could block one particular IP address. Or any particular IP address, really, if I knew it in advance. 18 years ago, when the number of hostile actors connected to the internet was noticeably smaller, that might have been somewhat helpful. Not today.

Keep in mind, I know how to solve this problem on a server where I am root. But that solution would require occasional updates, and ‘temporary’ root access will not help.
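
Added example, not part of the thread and not DreamHost's own tooling: a user-level sketch of the fail2ban-style logic discussed above, which counts error-log entries per client in a sliding window and emits deny rules for a `.htaccess` file. It assumes Apache 2.4 with `.htaccess` authorization overrides allowed, an error log readable by the site user, and IPv4 clients; the function names, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: Apache 2.4 default error-log layout, IPv4 clients only, e.g.
# [Wed Oct 11 14:32:52.000000 2023] [core:error] [pid 1] [client 192.0.2.10:4711] msg
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*?\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]")
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"


def find_offenders(lines, max_hits=20, window=timedelta(seconds=60)):
    """Return sorted IPs that logged more than max_hits errors inside any window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines without a client field
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # drop entries that aged out of the window
        if len(hits) > max_hits:
            offenders.add(m["ip"])
    return sorted(offenders)


def render_htaccess(ips):
    """Build an Apache 2.4 mod_authz_core block denying the given addresses."""
    rules = ["<RequireAll>", "    Require all granted"]
    rules += [f"    Require not ip {ip}" for ip in ips]
    rules.append("</RequireAll>")
    return "\n".join(rules) + "\n"


def sample_log():
    """Constructed sample: one scanner-like burst plus a slow, ordinary client."""
    base = datetime(2023, 10, 11, 14, 0, 0)
    fmt = "[{ts}] [core:error] [pid 1] [client {ip}:4711] File does not exist: /x"
    burst = [(base + timedelta(seconds=i), "192.0.2.10") for i in range(30)]
    slow = [(base + timedelta(minutes=5 * i), "198.51.100.7") for i in range(3)]
    return [fmt.format(ts=t.strftime(TS_FORMAT), ip=ip) for t, ip in sorted(burst + slow)]


if __name__ == "__main__":
    print(render_htaccess(find_offenders(sample_log())), end="")
```

Rules applied this way are evaluated by Apache itself, so each request from a blocked address still reaches the web server and is only rejected cheaply there, unlike a firewall-level ban.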