Secure vCenter 5.5 against taking part in NTP DDoS attacks

Hi!

Prompted by recent events, we would like to remind customers who run VMware with vCenter to secure their installations.

vCenter 5.5 has this problem for some reason, while the older vCenter 5.1 and 5.0 do not.
To secure vCenter, enable SSH on the vCenter appliance (it should be enabled by default).
Log in over ssh as the root user.

Follow these steps:

  1. vi /etc/ntp.conf
  2. Use the arrow keys to move the cursor to the line containing "driftfile /var/lib/ntp/drift/ntp.drift"
  3. Press 'i' to enter insert mode in vi.
  4. Type "disable monitor" followed by Enter.
  5. Press 'ESC' to leave insert mode.
  6. Type ':wq' to save the file and exit vi.
  7. At the command line, type 'service ntp restart' to restart the ntp service.
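The same change as a scripted, repeatable check, added here as an example and not part of the original post: a POSIX sh function that inserts "disable monitor" directly after the driftfile line only when it is not already present, and a function that verifies the line is there. The "disable monitor" directive turns off ntpd's monlist facility, which is what the amplification attacks abuse. The function names, the sample config and the path argument are assumptions made for this example; the sample is constructed to resemble the relevant lines of the appliance's ntp.conf, not copied from it.

```shell
#!/bin/sh
# Added example, not from the original post. Scripted, idempotent version of the
# vi steps above: inserts "disable monitor" after the driftfile line of an
# ntp.conf and verifies the result. Takes the config path as $1 so it can be
# tried on a copy before being run against /etc/ntp.conf.

# Return 0 if the config already has an uncommented "disable ... monitor" line.
ntp_monitor_disabled() {
    grep -Eq '^[[:space:]]*disable[[:space:]].*monitor' "$1"
}

# Insert "disable monitor" directly after the driftfile line, once.
# Returns 0 when the file ends up hardened, 1 if there is no driftfile line.
ntp_disable_monitor() {
    conf="$1"
    if ntp_monitor_disabled "$conf"; then
        return 0                       # already hardened, nothing to do
    fi
    if ! grep -q '^driftfile' "$conf"; then
        echo "no driftfile line in $conf, add 'disable monitor' by hand" >&2
        return 1
    fi
    # awk writes a copy with the extra line; the copy then replaces the original.
    awk '{ print } /^driftfile/ { print "disable monitor" }' "$conf" > "$conf.new" \
        && mv "$conf.new" "$conf" \
        && ntp_monitor_disabled "$conf"
}

# Constructed sample resembling the relevant part of the appliance's ntp.conf
# (not the real file); written to the path given as $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
server 0.pool.ntp.org
driftfile /var/lib/ntp/drift/ntp.drift
logfile /var/log/ntp
EOF
}

# On the appliance itself, the equivalent of steps 1 to 7 is:
#   ntp_disable_monitor /etc/ntp.conf && service ntp restart
```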

Done!

OpenVZ IPv6 tunnelbroker HE setup

Adminor provides native IPv6, but if you’d like to set up an IPv6 tunnel you can still do so.

Crossposted from http://www.cybermilitia.net/2013/07/22/ipv6-tunnel-on-openvz/

You can get IPv6 connectivity using a tunnel, if you don’t have native IPv6 support.
Doing this is pretty straightforward if you have a dedicated server or a KVM VPS.

However, with an OpenVZ VPS, things are a little different.

Here’s how you can get IPv6 working on an OpenVZ VPS with a tunnel. This tutorial is for Debian (tested on wheezy).

  1. Create a tunnel at tunnelbroker.net
    Hurricane Electric allows creation of up to 5 free IPv6 tunnels @ tunnelbroker.net.
    Create one for your VPS.
  2. Enable TUN/TAP on your VPS.
    It should normally be possible to do this through your control panel (e.g., SolusVM).
    If not, a support ticket with your provider should get it done fairly quickly.
    Be advised that toggling this option forces a reboot. So plan accordingly.
  3. tb-tun
    tb-tun is a userspace program that uses TUN/TAP to build a tunnelbroker tunnel on Linux, since there is no other way to do it on an OpenVZ VPS.

    apt-get install iproute gcc
    cd /root
    wget http://tb-tun.googlecode.com/files/tb-tun_r18.tar.gz
    tar -xf tb-tun_r18.tar.gz
    gcc tb_userspace.c -l pthread -o tb_userspace
  4. Create a new init script
    nano /etc/init.d/ipv6tb

    and put in the following contents (after replacing the bracketed IP addresses with the correct ones, of course).
    Remember that for the tunnel, your VPS IP is the client and the Hurricane Electric IP is the server.

    #! /bin/sh
    ### BEGIN INIT INFO
    # Provides:          ipv6
    # Required-Start:    $local_fs $all
    # Required-Stop:     $local_fs $network
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: starts the ipv6 tunnel
    # Description:       ipv6 tunnel start-stop-daemon
    ### END INIT INFO
    # /etc/init.d/ipv6tb
    touch /var/lock/ipv6tb
    case "$1" in
      start)
        echo "Starting ipv6tb"
        # Start the userspace tunnel daemon detached from this shell; replace the bracketed addresses
        setsid /root/tb_userspace tb [Server IPv4 Address] [Client IPv4 Address] sit > /dev/null 2>&1 &
        sleep 3s # ugly, but doesn't seem to work at startup otherwise
        ifconfig tb up
        ifconfig tb inet6 add [Client IPv6 Address]/64
        ifconfig tb inet6 add [Routed /64]::1/64 # add as many of these as you need from your routed /64 allocation
        ifconfig tb mtu 1480 # 1500 minus the 20-byte IPv4 header added by the sit encapsulation
        # Make the tunnel the IPv6 default route instead of venet0
        route -A inet6 add ::/0 dev tb
        route -A inet6 del ::/0 dev venet0
        ;;
      stop)
        echo "Stopping ipv6tb"
        ifconfig tb down
        route -A inet6 del ::/0 dev tb
        killall tb_userspace
        ;;
      *)
        echo "Usage: /etc/init.d/ipv6tb {start|stop}"
        exit 1
        ;;
    esac
    exit 0

    Make it executable, and add it to startup –

    chmod 0755 /etc/init.d/ipv6tb
    update-rc.d ipv6tb defaults
  5. Execute it right away –
    /etc/init.d/ipv6tb start

    OR simply reboot.

    Test to confirm that IPv6 connectivity is working:

    ping6 -c 5 google.com