
OVH OVH dedicated servers

Discussion in 'Dedicated server hosting' started by eva2000, Jun 12, 2014.

  1. Jimmy

    Jimmy Well-Known Member

    1,707
    365
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +923
    Local Time:
    1:40 AM
    1.17.x
    MariaDB 10.3.x
    You have to move the entire block. Option to move is only in the options for the block and not the individual ips in that block. If you ordered a single ip, you can move that single IP. Also, you can move IPs from the VPS to Dedi if you want.

    Is the addips.sh available or is just something you're testing?
     
  2. eva2000

    eva2000 Administrator Staff Member

    45,654
    10,358
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,076
    Local Time:
    4:40 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Thanks for that info. Guess next time I'd order a smaller block if I only need to move some ips.
    just something I am testing for myself right now :)
     
  3. Jimmy

    I get the OVH monitoring warning all the time on my cPanel VPS. So I guess we should add the csfpre.sh example to stop that warning on servers with CMM and multiple IPs?
     
  4. eva2000

    Yup.. strange i don't get it at all with my OVH MC-32 server after each test centos OS reload and fresh centmin mod install. Only started getting the email warnings right after adding additional ips.
     
  5. rdan

    rdan Well-Known Member

    5,008
    1,208
    113
    May 25, 2014
    Ratings:
    +1,834
    Local Time:
    2:40 PM
    Mainline
    10.2
    I don't use extra IP Eva :}.
     
  6. eva2000

    i see

    strange it's still happening for me, the alert was last sent ~40 minutes ago! hmmm
     
  7. Jimmy

    I get those warning when I restart my server. Not sure why OVH would be checking any of the FO IPs... only the main IP of the server.

    Since my server takes so long to restart it issues me a fault email every time I reboot.

    I was thinking about just turning off the monitoring.
     
  8. eva2000

    ah seems monitoring OVH system has other ips to whitelist as /var/log/messages shows ICMP_IN ping blocked entries for ip 92.222.185.1
    Code (Text):
    curl ipinfo.io/92.222.185.1
    {
      "ip": "92.222.185.1",
      "hostname": "netmon-1-sbg.ovh.net",
      "city": "Paris",
      "region": "Île-de-France",
      "country": "FR",
      "loc": "48.8628,2.3292",
      "org": "AS16276 OVH SAS",
      "postal": "75001"
    }
    


    What are the IP addresses of the OVH monitoring ? | OVH Docs more sources to whitelist

    So /etc/csf/csf.conf UDP_IN/UDP_OUT ports need adding 6100:6200
    Code (Text):
    # Allow incoming UDP ports
    UDP_IN = "67,68,1110,33434:33534,20,21,53,6100:6200"
    
    # Allow outgoing UDP ports
    # To allow outgoing traceroute add 33434:33523 to this list
    UDP_OUT = "67,68,1110,33434:33534,20,21,53,113,123,6100:6200"
    


    And in /etc/csf/csfpre.sh replace IP.250 and IP.249 with your specific ip so if ip = aaa.bbb.ccc.ddd use aaa.bbb.ccc.250 and only for OVH HG server products add aaa.bbb.ccc.249 and full iptables list becomes
    Code (Text):
    #!/bin/bash
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.sbg.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.bhs.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source mrtg-rbx-100 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source mrtg-sbg-100 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source mrtg-gra-100 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source mrtg-bhs-100 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source mrtg-rbx-101 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source mrtg-rbx-102 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source mrtg-rbx-103 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source mrtg-gra-101 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source a2.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 92.222.184.0/24 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 92.222.185.0/24 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 92.222.186.0/24 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 167.11.37.0/24 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source IP.250 -j ACCEPT # IP = aaa.bbb.ccc according to the previous rule
    /sbin/iptables -A INPUT -i eth0 -p icmp --source IP.249 -j ACCEPT # temporary, only for HG server
    


    make executable and restart CSF Firewall
    Code (Text):
    chmod +x /etc/csf/csfpre.sh
    csf -r
    


    though restarting CSF Firewall gets an error
    Code (Text):
    Command:[/bin/sh /etc/csf/csfpre.sh]
    Error:[iptables v1.4.21: host/network `mrtg-bhs-100' not found]
    You should check through the main output carefully
    

    if i comment out that one
    Code (Text):
    #/sbin/iptables -A INPUT -i eth0 -p icmp --source mrtg-bhs-100 -j ACCEPT
    

    and restart CSF Firewall, then restarts without errors

    then there's more at Firewall — OVH Documentation 0.0.1 documentation which has overlap with hostname based mrtg allowed and outlined at What are the IP addresses of the OVH monitoring ? | OVH Docs instead the ip is used in later documentation !

    so this evolves into merging various OVH documentation to a /etc/csf/csfpre.sh file consisting of below contents - replace IP.250 and IP.249 with your specific ip so if ip = aaa.bbb.ccc.ddd use aaa.bbb.ccc.250 and only for OVH HG server products add aaa.bbb.ccc.249 and full iptables list becomes
    Code (Text):
    #!/bin/bash
    # http://docs.ovh.ca/en/guides-network-firewall.html
    # https://docs.ovh.com/gb/en/cloud/dedicated/monitoring-ip-ovh/
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.sbg.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.bhs.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 151.80.231.244 -j ACCEPT # Monitoring
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 151.80.231.245 -j ACCEPT # Monitoring
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 151.80.231.246 -j ACCEPT # Monitoring
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 151.80.231.247 -j ACCEPT # Monitoring
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 37.187.231.251 -j ACCEPT # Monitoring
    /sbin/iptables -A INPUT -i eth0 -p icmp --source a2.ovh.net -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 92.222.184.0/24 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 92.222.185.0/24 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 92.222.186.0/24 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source 167.114.37.0/24 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --source IP.250 -j ACCEPT # IP = aaa.bbb.ccc according to the previous rule
    /sbin/iptables -A INPUT -i eth0 -p icmp --source IP.249 -j ACCEPT # temporary, only for HG server
    


    looks like there may be other undocumented OVH ips to whitelist as the OVH documentation is all over the place !
    Check CSF Firewall blocked ping/icmp entries in /var/log/messages with grep/awk filter and print current date at end to compare with entry times, last blocked ICMP ping entry was ~ 38 mins ago
    Code (Text):
    grep -i 'ICMP_IN Blocked' /var/log/messages| tail -5| awk '{print $1,$2,$3,$5,$6,$7,$8,$9,$12,$13,$19,$20}'; date
    Apr 18 18:30:03 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=92.222.185.1 DST=xxx.xxx.xxx.110 DF PROTO=ICMP
    Apr 18 18:30:06 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=167.114.37.1 DST=xxx.xxx.xxx.112 DF PROTO=ICMP
    Apr 18 18:30:07 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=167.114.37.1 DST=xxx.xxx.xxx.117 DF PROTO=ICMP
    Apr 18 18:30:09 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=92.222.185.1 DST=xxx.xxx.xxx.118 DF PROTO=ICMP
    Apr 18 18:53:17 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=167.114.37.1 DST=xxx.xxx.xxx.116 DF PROTO=ICMP
    Tue Apr 18 19:31:57 UTC 2017
    

    OVH docs don't mention 167.114.37.1 so what is it ? it's a netmon for OVH BHS!
    Code (Text):
    curl ipinfo.io/167.114.37.1
    {
      "ip": "167.114.37.1",
      "hostname": "netmon-1-bhs.ovh.ca",
      "city": "Montreal",
      "region": "Quebec",
      "country": "CA",
      "loc": "45.5040,-73.5747",
      "org": "AS16276 OVH SAS",
      "postal": "h3a 1k2"
    }
    

    looks like OVH docs have a typo as 167.11.37.0/24 range doesn't belong to OVH it's probably meant to be 167.114.37.0/24
    Code (Text):
     curl ipinfo.io/167.11.37.1
    {
      "ip": "167.11.37.1",
      "hostname": "No Hostname",
      "city": "Hull",
      "region": "Quebec",
      "country": "CA",
      "loc": "45.4207,-75.7023",
      "postal": "k1a 0g4"
    }
    
     
    Last edited: Apr 19, 2017
  9. eva2000

    mine is on BHS too but see my previous post i updated, seems other OVH guides changed source from hostname to ip based which covers BHS from What are the IP addresses of the OVH monitoring ? | OVH Docs

    notice all mrtg-xxx-100 for sbg, gra and bhs use same ip 37.187.231.251
    Code (Text):
    mrtg-rbx-100    37.187.231.251    icmp
    mrtg-sbg-100    37.187.231.251    icmp
    mrtg-gra-100    37.187.231.251    icmp
    mrtg-bhs-100    37.187.231.251    icmp
    mrtg-rbx-101    151.80.231.244    icmp
    mrtg-rbx-102    151.80.231.245    icmp
    mrtg-rbx-103    151.80.231.246    icmp
    mrtg-gra-101    151.80.231.247    icmp
    a2.ovh.net    213.186.33.62    icmp
         92.222.184.0/24    icmp
         92.222.185.0/24    icmp
         92.222.186.0/24    icmp
         167.11.37.0/24    icmp
    proxy.p19.ovh.net    213.186.45.4    icmp
    proxy.rbx.ovh.net    213.251.184.9    icmp
    proxy.sbg.ovh.net    37.59.0.235    icmp
    proxy.bhs.ovh.net    8.33.137.2    icmp
    ping.ovh.net    213.186.33.13    icmp
    proxy.ovh.net    213.186.50.98    icmp
         xxx.xxx.xxx.250 (xxx.xxx.xxx.aaa is the server ip)    icmp
         xxx.xxx.xxx.251 (xxx.xxx.xxx.aaa is the server ip)    icmp + Port monitored by the monitoring service
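
Added example, not part of the thread or of OVH's documentation: the hostname rules failed at CSF restart when `mrtg-bhs-100` did not resolve, so this sketch builds IP-only ICMP rules from the table above, one per distinct source. The function name `icmp_rules` is hypothetical, the table is embedded with 167.114.37.0/24 as corrected in the thread, and the commands are only printed, not executed.

```bash
#!/bin/bash
# Added example: build IP-only ICMP allow rules from the monitoring table,
# so csfpre.sh never depends on DNS when CSF restarts.
# TABLE rows are "name ip proto" or "ip proto", taken from the table in the
# post, with 167.114.37.0/24 as corrected in the thread.

TABLE='mrtg-rbx-100 37.187.231.251 icmp
mrtg-sbg-100 37.187.231.251 icmp
mrtg-gra-100 37.187.231.251 icmp
mrtg-bhs-100 37.187.231.251 icmp
mrtg-rbx-101 151.80.231.244 icmp
mrtg-rbx-102 151.80.231.245 icmp
mrtg-rbx-103 151.80.231.246 icmp
mrtg-gra-101 151.80.231.247 icmp
a2.ovh.net 213.186.33.62 icmp
92.222.184.0/24 icmp
92.222.185.0/24 icmp
92.222.186.0/24 icmp
167.114.37.0/24 icmp
proxy.p19.ovh.net 213.186.45.4 icmp
proxy.rbx.ovh.net 213.251.184.9 icmp
proxy.sbg.ovh.net 37.59.0.235 icmp
proxy.bhs.ovh.net 8.33.137.2 icmp
ping.ovh.net 213.186.33.13 icmp
proxy.ovh.net 213.186.50.98 icmp'

# icmp_rules IFACE  (table on stdin)
# Prints one iptables command per distinct source; names become comments only.
icmp_rules() {
  awk -v ifc="$1" '
    {
      src  = (NF == 3) ? $2 : $1
      name = (NF == 3) ? $1 : ""
      # accept only dotted-quad IPv4 with optional /prefix; skip anything else
      if (src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) next
      if (!(src in names)) order[++n] = src
      names[src] = names[src] (names[src] == "" || name == "" ? "" : ",") name
    }
    END {
      for (i = 1; i <= n; i++) {
        s = order[i]
        printf "/sbin/iptables -A INPUT -i %s -p icmp --source %s -j ACCEPT", ifc, s
        printf "%s\n", (names[s] == "" ? "" : " # " names[s])
      }
    }
  '
}

printf '%s\n' "$TABLE" | icmp_rules eth0
```

The 19 table rows collapse to 16 rules because the four mrtg-*-100 names share 37.187.231.251. Pinned addresses go stale if OVH renumbers its monitoring hosts, so the table has to be re-checked against the OVH documentation.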
     
  10. Jimmy

    I deleted my post because I was getting the error. I failed to run the sh. :(
     
  11. Jimmy

    Glad you found this... great info @eva2000! (y)
     
  12. eva2000

    hmm there might be a typo for one of monitoring ips in OVH docs at What are the IP addresses of the OVH monitoring ? | OVH Docs list 167.11.37.0/24 where .11. but that isn't owned by OVH but .114. is
    Code (Text):
     curl ipinfo.io/167.11.37.1
    {
      "ip": "167.11.37.1",
      "hostname": "No Hostname",
      "city": "Hull",
      "region": "Quebec",
      "country": "CA",
      "loc": "45.4207,-75.7023",
      "postal": "k1a 0g4"
    }
    

    Code (Text):
    curl ipinfo.io/167.114.37.1
    {
      "ip": "167.114.37.1",
      "hostname": "netmon-1-bhs.ovh.ca",
      "city": "Montreal",
      "region": "Quebec",
      "country": "CA",
      "loc": "45.5040,-73.5747",
      "org": "AS16276 OVH SAS",
      "postal": "h3a 1k2"
    }
    

    Check logs and 167.114.37.1 is blocked for ICMP ping inbound
    Code (Text):
    grep -i 'ICMP_IN Blocked' /var/log/messages| tail -5| awk '{print $1,$2,$3,$5,$6,$7,$8,$9,$12,$13,$19,$20}'; date
    Apr 18 18:30:03 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=92.222.185.1 DST=xxx.xxx.xxx.110 DF PROTO=ICMP
    Apr 18 18:30:06 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=167.114.37.1 DST=xxx.xxx.xxx.112 DF PROTO=ICMP
    Apr 18 18:30:07 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=167.114.37.1 DST=xxx.xxx.xxx.117 DF PROTO=ICMP
    Apr 18 18:30:09 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=92.222.185.1 DST=xxx.xxx.xxx.118 DF PROTO=ICMP
    Apr 18 18:53:17 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=167.114.37.1 DST=xxx.xxx.xxx.116 DF PROTO=ICMP
    Tue Apr 18 19:31:57 UTC 2017
    


    Confirmed by OVH support typo
     
    Last edited: Apr 20, 2017
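
Added example, not part of the thread: the log check from the posts above, extended to report which blocked ICMP sources fall outside a given allowlist. The function name `uncovered_sources` is hypothetical; `ALLOW` holds only the numeric ranges from the first csfpre.sh listing (including the 167.11.37.0/24 entry copied from the docs), and the log lines are the five filtered lines shown in the posts.

```bash
#!/bin/bash
# Added example: which blocked ICMP sources are NOT covered by an allowlist?
# Only IP and CIDR entries are handled; hostname entries are out of scope here.

ALLOW="92.222.184.0/24 92.222.185.0/24 92.222.186.0/24 167.11.37.0/24"

# The five filtered lines shown in the thread.
SAMPLE_LOG='Apr 18 18:30:03 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=92.222.185.1 DST=xxx.xxx.xxx.110 DF PROTO=ICMP
Apr 18 18:30:06 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=167.114.37.1 DST=xxx.xxx.xxx.112 DF PROTO=ICMP
Apr 18 18:30:07 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=167.114.37.1 DST=xxx.xxx.xxx.117 DF PROTO=ICMP
Apr 18 18:30:09 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=92.222.185.1 DST=xxx.xxx.xxx.118 DF PROTO=ICMP
Apr 18 18:53:17 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=167.114.37.1 DST=xxx.xxx.xxx.116 DF PROTO=ICMP'

# uncovered_sources ALLOWLIST  (log on stdin)
# Prints "count source" for each blocked ICMP source matching no allowlist entry.
uncovered_sources() {
  awk -v allow="$1" '
    function ip2int(ip,   o) {
      split(ip, o, ".")
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function covered(ip,   i, n, p, size) {
      for (i = 1; i <= nallow; i++) {
        n = split(entries[i], p, "/")
        size = 2 ^ (32 - (n == 2 ? p[2] : 32))   # number of addresses in the block
        if (int(ip2int(ip) / size) == int(ip2int(p[1]) / size)) return 1
      }
      return 0
    }
    BEGIN { nallow = split(allow, entries, " ") }
    /ICMP_IN Blocked/ {
      for (f = 1; f <= NF; f++)
        if ($f ~ /^SRC=/) { src = substr($f, 5); if (!covered(src)) miss[src]++ }
    }
    END { for (s in miss) print miss[s], s }
  ' | sort -k2
}

printf '%s\n' "$SAMPLE_LOG" | uncovered_sources "$ALLOW"
```

On a live server the same function can read `/var/log/messages` directly, since it looks for the `SRC=` field wherever it appears in the line.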
  13. eva2000

  14. Jimmy

    I was reading up on ssh_config and people adding multiple IPs to OVH via a new interface might want to limit the IPs available to the main server IP.

    Code:
    # nano /etc/ssh/sshd_config
    Code:
    ListenAddress xxx.xxx.xxx.xxx
     
  15. eva2000

    excellent tip !
     
  16. Jimmy

    For some reason when I add ListenAddress <main.server.ip.address> it locks me out of the system?????

    Not sure what is going on?

    I made all the changes to the sshd_config prior to adding the ListenAddress. Rebooted. Logged back in. Added ListenAddress. Locked out.

    Code:
    ssh: connect to host xxx.xxx.xxx.xxx port 22: Connection refused
    
     
    Last edited: Apr 19, 2017
  17. eva2000

    don't mix up /etc/ssh/sshd_config (correct) vs /etc/ssh/ssh_config (incorrect)

    former = server
    latter = client
     
  18. Jimmy

    That was a spelling mistake on my part. Making all changes to /etc/ssh/sshd_config

    Still can't figure out why this isn't working. I'm on stock centos 7 without CMM.

    Code:
    OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
    debug1: /etc/ssh/ssh_config.d/05-redhat.conf line 2: include /etc/crypto-policies/back-ends/openssh.config matched no files
    debug1: /etc/ssh/ssh_config.d/05-redhat.conf line 8: Applying options for *
    debug1: Connecting to <main.server.ip.address> [<main.server.ip.address>] port 22.
    debug1: connect to address <main.server.ip.address> port 22: Connection refused
    ssh: connect to host <main.server.ip.address> port 22: Connection refused
    
     
    Last edited: Apr 19, 2017
  19. eva2000

    is sshd listening on correct ip/port
    Code (Text):
    grep 'listening' /var/log/secure
     
  20. Jimmy

    Hard for me to check. I can't login. I'm reinstalling now.