OVH OVH dedicated servers

Jimmy · Apr 19, 2017

You have to move the entire block. Option to move is only in the options for the block and not the individual ips in that block. If you ordered a single ip, you can move that single IP. Also, you can move IPs from the VPS to Dedi if you want.

Is the addips.sh available or is just something you're testing?

eva2000 · Apr 19, 2017

Jimmy said: ↑

You have to move the entire block. Option to move is only in the options for the block and not the individual ips in that block. If you ordered a single ip, you can move that single IP. Also, you can move IPs from the VPS to Dedi if you want.
Click to expand...

Thanks for that info. Guess next time I'd order a smaller block if I only need to move some ips.

Jimmy said: ↑

Is the addips.sh available or is just something you're testing?
Click to expand...

just something I am testing for myself right now

Jimmy · Apr 19, 2017

I get the OVH monitoring waring all the time on my cPanel VPS. So I guess we should add the csfpre.sh example to stop that warning on servers with CMM and multiple IPs?

eva2000 · Apr 19, 2017

Jimmy said: ↑

I get the OVH monitoring waring all the time on my cPanel VPS. So I guess we should add the csfpre.sh example to stop that warning on servers with CMM and multiple IPs?
Click to expand...

Yup.. strange i don't get it at all with my OVH MC-32 server after each test centos OS reload and fresh centmin mod install. Only started getting the email warnings right after adding additional ips.

rdan · Apr 19, 2017

I don't use extra IP Eva :}.

eva2000 · Apr 19, 2017

i see

strange it's still happening for me, the alert was last sent ~40 minutes ago! hmmm

Jimmy · Apr 19, 2017

I get those warning when I restart my server. Not sure why OVH would be checking any of the FO IPs... only the main IP of the server.

Since my server takes so long to restart it issues me a fault email every time I reboot.

I was thinking about just turning off the monitoring.

eva2000 · Apr 19, 2017

ah seems monitoring OVH system has other ips to whitelist as /var/log/messages shows ICMP_IN ping blocked entries for ip 92.222.185.1

Code (Text):

curl ipinfo.io/92.222.185.1
{
  "ip": "92.222.185.1",
  "hostname": "netmon-1-sbg.ovh.net",
  "city": "Paris",
  "region": "Île-de-France",
  "country": "FR",
  "loc": "48.8628,2.3292",
  "org": "AS16276 OVH SAS",
  "postal": "75001"
}

What are the IP addresses of the OVH monitoring ? | OVH Docs more sources to whitelist

So /etc/csf/csf.conf UDP_IN/UDP_OUT ports need adding 6100:6200

Code (Text):

# Allow incoming UDP ports
UDP_IN = "67,68,1110,33434:33534,20,21,53,6100:6200"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "67,68,1110,33434:33534,20,21,53,113,123,6100:6200"

And in /etc/csf/csfpre.sh replace IP.250 and IP.249 with your specific ip so if ip = aaa.bbb.ccc.ddd use aaa.bbb.ccc.250 and only for OVH HG server products add aaa.bbb.ccc.249 and full iptables list becomes

Code (Text):

#!/bin/bash
/sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.sbg.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.bhs.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source mrtg-rbx-100 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source mrtg-sbg-100 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source mrtg-gra-100 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source mrtg-bhs-100 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source mrtg-rbx-101 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source mrtg-rbx-102 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source mrtg-rbx-103 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source mrtg-gra-101 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source a2.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source 92.222.184.0/24 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source 92.222.185.0/24 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source 92.222.186.0/24 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source 167.11.37.0/24 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source IP.250 -j ACCEPT # IP = aaa.bbb.ccc according to the previous rule
/sbin/iptables -A INPUT -i eth0 -p icmp --source IP.249 -j ACCEPT # temporary, only for HG server

make executable and restart CSF Firewalll

Code (Text):

chmod +x /etc/csf/csfpre.sh
csf -r

though restarting CSF Firewall gets an errror

Code (Text):

Command:[/bin/sh /etc/csf/csfpre.sh]
Error:[iptables v1.4.21: host/network `mrtg-bhs-100' not found]
You should check through the main output carefully

if i comment out that one

Code (Text):

#/sbin/iptables -A INPUT -i eth0 -p icmp --source mrtg-bhs-100 -j ACCEPT

and restart CSF Firewall, then restarts without errors

then there's more at Firewall — OVH Documentation 0.0.1 documentation which has overlap with hostname based mrtg allowed and outlined at What are the IP addresses of the OVH monitoring ? | OVH Docs instead teh ip is used in later documentation !

so this evolves into merging various OVH documentation to a /etc/csf/csfpre.sh file consisting of below contents - replace IP.250 and IP.249 with your specific ip so if ip = aaa.bbb.ccc.ddd use aaa.bbb.ccc.250 and only for OVH HG server products add aaa.bbb.ccc.249 and full iptables list becomes

Code (Text):

#!/bin/bash
# http://docs.ovh.ca/en/guides-network-firewall.html
# https://docs.ovh.com/gb/en/cloud/dedicated/monitoring-ip-ovh/
/sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.sbg.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source proxy.bhs.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source 151.80.231.244 -j ACCEPT # Monitoring
/sbin/iptables -A INPUT -i eth0 -p icmp --source 151.80.231.245 -j ACCEPT # Monitoring
/sbin/iptables -A INPUT -i eth0 -p icmp --source 151.80.231.246 -j ACCEPT # Monitoring
/sbin/iptables -A INPUT -i eth0 -p icmp --source 151.80.231.247 -j ACCEPT # Monitoring
/sbin/iptables -A INPUT -i eth0 -p icmp --source 37.187.231.251 -j ACCEPT # Monitoring
/sbin/iptables -A INPUT -i eth0 -p icmp --source a2.ovh.net -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source 92.222.184.0/24 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source 92.222.185.0/24 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source 92.222.186.0/24 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source 167.114.37.0/24 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --source IP.250 -j ACCEPT # IP = aaa.bbb.ccc according to the previous rule
/sbin/iptables -A INPUT -i eth0 -p icmp --source IP.249 -j ACCEPT # temporary, only for HG server

looks like there maybe other undocumented OVH ips to whitelist as the OVH documentation is all over the place !
Check CSF Firewall blocked ping/icmp entries in /var/log/messages with grep/awk filter and print current date at end to compare with entry times, last blocked ICMP ping entry was ~ 38 mins ago

Code (Text):

grep -i 'ICMP_IN Blocked' /var/log/messages| tail -5| awk '{print $1,$2,$3,$5,$6,$7,$8,$9,$12,$13,$19,$20}'; date
Apr 18 18:30:03 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=92.222.185.1 DST=xxx.xxx.xxx.110 DF PROTO=ICMP
Apr 18 18:30:06 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=167.114.37.1 DST=xxx.xxx.xxx.112 DF PROTO=ICMP
Apr 18 18:30:07 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=167.114.37.1 DST=xxx.xxx.xxx.117 DF PROTO=ICMP
Apr 18 18:30:09 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=92.222.185.1 DST=xxx.xxx.xxx.118 DF PROTO=ICMP
Apr 18 18:53:17 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=167.114.37.1 DST=xxx.xxx.xxx.116 DF PROTO=ICMP
Tue Apr 18 19:31:57 UTC 2017

OVH docs don't mention 167.114.37.1 so what is it ? it's a netmon for OVH BHS!

Code (Text):

curl ipinfo.io/167.114.37.1
{
  "ip": "167.114.37.1",
  "hostname": "netmon-1-bhs.ovh.ca",
  "city": "Montreal",
  "region": "Quebec",
  "country": "CA",
  "loc": "45.5040,-73.5747",
  "org": "AS16276 OVH SAS",
  "postal": "h3a 1k2"
}

looks like OVH docs have a typo as 167.11.37.0/24 range doesn't belong to OVH it's probably meant to be 167.114.37.0/24

Code (Text):

 curl ipinfo.io/167.11.37.1
{
  "ip": "167.11.37.1",
  "hostname": "No Hostname",
  "city": "Hull",
  "region": "Quebec",
  "country": "CA",
  "loc": "45.4207,-75.7023",
  "postal": "k1a 0g4"
}

eva2000 · Apr 19, 2017

mine is on BHS too but see my previous post i updated, seems other OVH guides changed source from hostname to ip based which covers BHS from What are the IP addresses of the OVH monitoring ? | OVH Docs

notice all mrtg-xxx-100 for sbg, gra and bhs use same ip 37.187.231.251

Code (Text):

mrtg-rbx-100    37.187.231.251    icmp
mrtg-sbg-100    37.187.231.251    icmp
mrtg-gra-100    37.187.231.251    icmp
mrtg-bhs-100    37.187.231.251    icmp
mrtg-rbx-101    151.80.231.244    icmp
mrtg-rbx-102    151.80.231.245    icmp
mrtg-rbx-103    151.80.231.246    icmp
mrtg-gra-101    151.80.231.247    icmp
a2.ovh.net    213.186.33.62    icmp
     92.222.184.0/24    icmp
     92.222.185.0/24    icmp
     92.222.186.0/24    icmp
     167.11.37.0/24    icmp
proxy.p19.ovh.net    213.186.45.4    icmp
proxy.rbx.ovh.net    213.251.184.9    icmp
proxy.sbg.ovh.net    37.59.0.235    icmp
proxy.bhs.ovh.net    8.33.137.2    icmp
ping.ovh.net    213.186.33.13    icmp
proxy.ovh.net    213.186.50.98    icmp
     xxx.xxx.xxx.250 (xxx.xxx.xxx.aaa is the server ip)    icmp
     xxx.xxx.xxx.251 (xxx.xxx.xxx.aaa is the server ip)    icmp + Port monitored by the monitoring service

Jimmy · Apr 19, 2017

I deleted my post because I was getting the error. I failed to run the sh.

Jimmy · Apr 19, 2017

Glad you found this... great info @eva2000!

eva2000 · Apr 19, 2017

hmm there might be a typo for one of monitoring ips in OVH docs at What are the IP addresses of the OVH monitoring ? | OVH Docs list 167.11.37.0/24 where .11. but that isn't owned by OVH but .114. is
Code (Text):
 curl ipinfo.io/167.11.37.1
{
  "ip": "167.11.37.1",
  "hostname": "No Hostname",
  "city": "Hull",
  "region": "Quebec",
  "country": "CA",
  "loc": "45.4207,-75.7023",
  "postal": "k1a 0g4"
}
Code (Text):
curl ipinfo.io/167.114.37.1
{
  "ip": "167.114.37.1",
  "hostname": "netmon-1-bhs.ovh.ca",
  "city": "Montreal",
  "region": "Quebec",
  "country": "CA",
  "loc": "45.5040,-73.5747",
  "org": "AS16276 OVH SAS",
  "postal": "h3a 1k2"
}
Check logs and 167.114.37.1 is blocked for ICMP ping inbound
Code (Text):
grep -i 'ICMP_IN Blocked' /var/log/messages| tail -5| awk '{print $1,$2,$3,$5,$6,$7,$8,$9,$12,$13,$19,$20}'; date
Apr 18 18:30:03 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=92.222.185.1 DST=xxx.xxx.xxx.110 DF PROTO=ICMP
Apr 18 18:30:06 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=167.114.37.1 DST=xxx.xxx.xxx.112 DF PROTO=ICMP
Apr 18 18:30:07 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=167.114.37.1 DST=xxx.xxx.xxx.117 DF PROTO=ICMP
Apr 18 18:30:09 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=92.222.185.1 DST=xxx.xxx.xxx.118 DF PROTO=ICMP
Apr 18 18:53:17 kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=167.114.37.1 DST=xxx.xxx.xxx.116 DF PROTO=ICMP
Tue Apr 18 19:31:57 UTC 2017
Confirmed by OVH support typo

Thank you for contacting OVH regarding this situation.

I must inform you that netmon is a part of our monitoring system as well.

Here's the IP that you should whitelist:

netmon-1-rbx.ovh.net 92.222.184.1
netmon-1-bhs.ovh.ca 167.114.37.1
netmon-1-gra.ovh.net 92.222.185.1
netmon-1-sbg.ovh.net 92.222.186.1
Click to expand...

eva2000 · Apr 19, 2017

started dedicated sticky at https://community.centminmod.com/threads/ovh-icmp-ping-whitelist-for-csf-firewall.11427/

Jimmy · Apr 19, 2017

I was reading up on ssh_config and people adding multiple IPs to OVH via a new interface might want to limit the IPs available to the main server IP.
Code:
# nano /etc/ssh/sshd_config
Code:
ListenAddress xxx.xxx.xxx.xxx

eva2000 · Apr 19, 2017

Jimmy said: ↑

I was reading up on ssh_config and people adding multiple IPs to OVH via a new interface might want to limit the IPs available to the main server IP.
Click to expand...

excellent tip !

Jimmy · Apr 19, 2017

eva2000 said: ↑

excellent tip !
Click to expand...

For some reason when I add ListenAddress <main.server.ip.address> it locks me out of the system?????

Not sure what is going on?

I made all the changes to the sshd_config prior to adding the ListenAddress. Rebooted. Logged back in. Added ListenAddress. Locked out.
Code:
ssh: connect to host xxx.xxx.xxx.xxx port 22: Connection refused

eva2000 · Apr 19, 2017

don't mix up /etc/ssh/sshd_config (correct) vs /etc/ssh/ssh_config (incorrect)

former = server
latter = client

Jimmy · Apr 19, 2017

eva2000 said: ↑

don't mix up /etc/ssh/sshd_config (correct) vs /etc/ssh/ssh_config (incorrect)

former = server
latter = client
Click to expand...

That was a spelling mistake on my part. Making all changes to /etc/ssh/sshd_config

Still can't figure out why this isn't working. I'm on stock centos 7 without CMM.
Code:
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug1: /etc/ssh/ssh_config.d/05-redhat.conf line 2: include /etc/crypto-policies/back-ends/openssh.config matched no files
debug1: /etc/ssh/ssh_config.d/05-redhat.conf line 8: Applying options for *
debug1: Connecting to <main.server.ip.address> [<main.server.ip.address>] port 22.
debug1: connect to address <main.server.ip.address> port 22: Connection refused
ssh: connect to host <main.server.ip.address> port 22: Connection refused

eva2000 · Apr 19, 2017

is sshd listening on correct ip/port
Code (Text):
grep 'listening' /var/log/secure

Jimmy · Apr 19, 2017

Hard for me to check. I can't login. I'm reinstalling now.

Log in / Register

Forums

Learn about Centmin Mod LEMP Stack today

OVH OVH dedicated servers

Jimmy Well-Known Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

Jimmy Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

.

Log in / Register

Useful Searches

Learn about Centmin Mod LEMP Stack today

OVH OVH dedicated servers

Jimmy Well-Known Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

Jimmy Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

.