Network - Knowledge Base Archives - Hivelocity Hosting https://www.hivelocity.net/kb/category/network/ Dedicated Servers, Private Cloud & Colocation (feed updated Thu, 25 Jul 2024 20:55:03 +0000)

VLAN Setup Guide – Dedicated Servers & VPSs https://www.hivelocity.net/kb/vlan-network-guide/ Thu, 25 Jul 2024 20:55:03 +0000

The post VLAN Setup Guide – Dedicated Servers & VPSs appeared first on Hivelocity Hosting.


A virtual local area network (VLAN) is a way of creating multiple logical networks on a single physical network. VLANs can group devices or users by function, location, or security level. Devices in the same VLAN can communicate with each other directly, while devices in different VLANs need a router (or a Layer 3 switch) to communicate.

VLANs improve network performance, security, and manageability by reducing broadcast traffic, isolating sensitive traffic, and simplifying network design and deployment. Frames are marked with a tag that identifies which VLAN they belong to. Under the IEEE 802.1Q standard this tag is a 32-bit field inserted into the Ethernet header; 12 bits of it carry the VLAN identifier (VID), which gives the usable range 1 to 4094 (0 and 4095 are reserved). Keep in mind that a VLAN isolates its members from everything outside it, not from each other: every device on the VLAN can reach every other device on it, so host firewalls on the private interface still matter.

This guide walks through setting up a VLAN with the automated system in the customer portal, first to connect dedicated servers to each other and then to connect them to your VPSs. It is divided into three sections: a VLAN for dedicated servers only, a VLAN for VPSs only, and a VLAN for both.

Connecting Dedicated Servers 

This process describes creating a VLAN for communication between your physical dedicated servers using the private link.

  1. Go to Hivelocity.net and log in to the customer portal.
  2. Once logged in, the Devices page appears, listing all of your current devices.
    Devices page showing all of your assigned devices
  3. Before a dedicated server can be added to a VLAN, its bonded interfaces must be separated.
    1. Bonded interfaces combine the public and private interfaces for redundancy. Connecting a device to a VLAN breaks that bond: the private interface then carries the VLAN traffic while the public interface keeps carrying public traffic.
    2. Note 1 – The bond-breaking and interface-enabling steps below must be repeated for every dedicated server you plan to add to a VLAN.
    3. Note 2 – Not all devices are bonded. If the device you are working on is not bonded, skip the bond-breaking steps.
    4. Note 3 – Breaking the bond causes downtime, because the OS network configuration must be changed to match. For help converting the OS configuration from a bonded to a non-bonded setup, contact the Support team via chat or a support ticket.

  4. Click the ID# of the device you wish to add to the network. In this example #22811 was selected, but the same steps apply to any dedicated device that is to be added to a VLAN.

    Device Main Page
  5. Click the “Interfaces” button to view the existing interfaces, click “UNBOND” to break the network bond, then click “Yes, Disable BOND0” when prompted.
    1. You will be notified of a pending/queued network task. Wait a few minutes; the screen updates when the task has completed.

      Interfaces Page
  6. When the bond has been broken, the following screen confirms it and shows the completed network task. Click “Enable” in the eth1 section to enable the second interface, which will be used for the VLAN.
    1. Approve the action in the new prompt and allow a few minutes for the network task to complete.


      Bond Breaking Complete
  7. Select the “Networking” tab in the left-hand menu, then “VLANs”, then “CREATE NEW VLAN”.

    The VLANs page displays any active VLANs that you’ve configured through the portal
  8. In the new screen you will be able to select between a “Public” and “Private” VLAN type and location.
      1. For VLAN Type, choose “Public” if you want to assign IPs to the network to make it reachable from the internet. Choose “Private” if the VLAN should never be reachable from the internet.
      2. For Location, select the facility where the network will be created. Only devices and subnets from the same facility are allowed in the network.
  9. For this example, “TPA2” is used since there are 5 devices at that location (2x Dedicated and 3x VPS). Next, select Private, as we wish to create a private network. Finally, press “ADD VLAN,” and the new VLAN will be created.

    Creating a New VLAN
  10. Now that the VLAN exists, the next task is adding devices to it. Click the VLAN ID#.

    VLANs page displaying the newly created VLAN
  11. On the next page click “Edit VLAN”, which lists the members available to add to the network. In this case those are the two dedicated servers, clever-stonebraker.hivelocitydns.com and romantic-blackwell.hivelocitydns.com.
  12. Select the devices to add to the network and click “COMMIT CHANGES”.


  13. Click “Submit” in the next prompt to submit the network changes. Once the task is sent, the two devices disappear from the list and a new network task begins. Allow it a few minutes to process; on completion the devices appear in the VLAN.
  14. Once the process is complete, each device’s eth1 port is listed under “Ports” for the new network. The two devices can communicate as soon as their private interfaces have been configured in the OS (see the last section of this guide).
    Devices Added to the VLAN

Connecting Virtual Private Servers via VLAN

This process describes creating a VLAN that can be used between your virtual private servers (VPS) only.

  1. Head over to Hivelocity.net and log in to the customer portal.
  2. Once logged in, the screen below will appear, listing all current devices.
    Devices page showing all of your assigned devices
  3. Select the “Networking” tab in the left-hand menu, then “VLANs”.

    The VLANs page displays any active VLANs that you’ve configured through the portal
  4. Click “CREATE NEW VLAN”. Here you can choose between a “Public” and a “Private” VLAN type and select the location.
    1. For VLAN Type, choose “Public” if you want to assign IPs to the VLAN to make it reachable from the internet. Choose “Private” if the VLAN should never be reachable from the internet.
    2. For Location, select the facility where the VLAN will be created. Only devices and subnets from the same facility are allowed in the VLANs.
  5. For this example, we will use “TPA2” since there are 5 devices at that location (2x Dedicated and 3x VPS). Next, select Private, as we wish to create a private VLAN. Finally, press “ADD VLAN,” and the new VLAN will be created.

    Creating a new VLAN
  6. Head over to the “VPS Networks” tab. This is where the network between the VPSs will be made. Press on “ADD VPS NETWORK”.

    VPS Networks page where you can view and create VPS networks to connect your VPSs.

  7. Fill the new VPS network with a “Network Name” of choice, the “Location” where the VPSs are located, and select the VLAN ID that was created in the previous steps. Press on “ADD NETWORK” once ready.

    Creating a VPS Network
  8. Once the VPS network is created, it will be visible in the VPS Networks page. Press on the VPS network name that was created to edit it. Processing can take a few minutes before the VPS network appears so allow it some time.

    Newly Created VPS Network with VLAN Connectivity
  9. Press on the “ADD VPS DEVICE” button and select the VPSs you wish to add to the VPS network.
    1. Proceed to select each device and press on “ADD VPS DEVICE” for each.
    2. Allow a few minutes for each network task to complete per device being added.

      Empty VPS Network
      Adding VPSs to the VPS Network
  10. Once the process is complete, communication between the devices can now commence once configuration on the private interfaces is made in the OS of all involved devices.

    VPSs Added to the new VPS Network

Connecting Dedicated Servers & Virtual Private Servers 

This process describes creating a VLAN that can be used between dedicated servers and virtual private servers (VPS).

  1. Head over to Hivelocity.net and log in to the customer portal.
  2. Once logged in, the screen below will appear, listing all current devices.
    Devices page showing all of your assigned devices
  3. Select the “Networking” tab in the left-hand menu, then “VLANs”.

    The VLANs page displays any active VLANs that you’ve configured through the portal
  4. Click “CREATE NEW VLAN”. Here you can choose between a “Public” and a “Private” VLAN type and select the location.
    1. For VLAN Type, choose “Public” if you want to assign IPs to the VLAN to make it reachable from the internet. Choose “Private” if the VLAN should never be reachable from the internet.
    2. For Location, select the facility where the VLAN will be created. Only devices and subnets from the same facility are allowed in the VLANs.
  5. For this example, we will use “TPA2” since there are 5 devices at that location (2x Dedicated and 3x VPS). Next, select Private, as we wish to create a private VLAN. Finally, press “ADD VLAN,” and the new VLAN will be created.

    Creating a new VLAN
  6. To connect the virtual private servers and dedicated servers, click the ID of the VLAN that was just created.

    Editing the VLAN
  7. On the next page, proceed by pressing “Edit VLAN,” which will display the potential members available to add to the VLAN. Specifically, in this case, these members are the two dedicated servers labeled clever-stonebraker.hivelocitydns.com and romantic-blackwell.hivelocitydns.com.
  8. Select the available devices to add to the VLAN and press “Commit Changes.”


  9. Click “Submit” in the next prompt to submit the VLAN changes. After the task is sent, the two devices disappear from the list and a new network task begins. Allow it a few minutes to process; on completion the devices appear in the VLAN.
  10. Once the process completes, the device’s eth1 ports appear in the “Ports” list for the newly created VLAN.

    Devices Added to the VLAN
  11. Head over to the “VPS Networks” tab. This is where the network between the VPSs will be made. Press on “ADD VPS NETWORK”.

    VPS Networks page where you can view and create VPS networks to connect your VPSs.

  12. Fill the new VPS network with a “Network Name” of choice, the “Location” where the VPSs are located, and select the VLAN ID that was created in the previous steps. Press on “ADD NETWORK” once ready.

    Creating a VPS Network
  13. Once the VPS network is created, it will be visible in the VPS Networks page. Press on the VPS Network name that was created to edit it. Processing can take a few minutes before the VPS network appears.

    Newly Created VPS Network with VLAN Connectivity
  14. Press on the “ADD VPS DEVICE” button and select the VPSs you wish to add to the VPS network.
    1. Proceed to select each device and press on “ADD VPS DEVICE” for each.
    2. Allow a few minutes for each network task to complete per device being added.

      Empty VPS Network
      Adding VPSs to the VPS Network
  15. Once the process is complete, the VPSs that were added will display in the VPS Network.

    VPSs Added to the new VPS Network
  16. Now that the dedicated servers and VPSs are connected, communication between the devices can begin after configuring the private interfaces in the OS of all involved devices.

Configuring Communication & Private IPs Within the OS for VLAN-Connected Devices 

Now that you have a private network between your VPSs and Dedicated servers, you can communicate privately among them without having to dip into your public traffic quota.

To configure the private network between your devices within the OS, we recommend contacting the Hivelocity Support team by calling 888-869-4678, creating a support ticket in the customer portal, or using the chat on Hivelocity.net. If you would prefer to proceed on your own, the example below shows two AlmaLinux 9 servers side by side in a split screen.

  1. Log in to each server as root and run ip a to confirm that the “eth1” interface for private communication is now present.


    Split view of both servers and their ip a command output
  2. Use the command nmtui to alter the network configuration on eth1.


    nmtui command’s GUI displaying the NetworkManager connection editing options
  3. Choose “Edit a connection”, select “Wired Connection 1”, then select “<Edit…>” to proceed.

    nmtui command’s GUI displaying the NetworkManager connection editing options for the private interface
  4. The example uses a /24 mask, so the two hosts differ only in the last octet of the address. Leave the gateway field empty: the VLAN is on-link, and a gateway on the private interface would compete with the default route on the public interface.

    1. Set IPv4 Configuration to “Manual”.
    2. Give the first device 10.0.0.2/24.
    3. Give the second device 10.0.0.3/24.

    nmtui command’s GUI displaying the NetworkManager connection options
  5. Once done with the above, press “OK” and head back by pressing the Escape key once.
  6. Proceed to select “Activate a connection”.
  7. Select “Wired Connection 1” under “Ethernet (eth1)” and click “Deactivate”, then “Activate”.
  8. Press the Escape key until you are back in the shell.
  9. Now use the command ip a to see the new IP information we’ve added.


    Split view of both servers and their ip a command output with the newly added private IP
  10. Test the connection by pinging each device from the other with the ping command.
    1. If you experience problems communicating between a VPS and a dedicated server, contact the Support team so they can review and escalate accordingly.
    Ping output of both servers pinging each other, showing a successful private connection over the new VPS network
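The nmtui steps above, done from the shell with nmcli and wrapped in the checks a practitioner would want before and after: the address is RFC 1918, both ends share one /24, the private profile can never install a default route, and eth1 lands in firewalld's internal zone so the host still filters what its VLAN neighbours may reach. This is an added example, not Hivelocity's procedure or code. It assumes AlmaLinux 9 with NetworkManager and firewalld, that the private NIC is eth1 and its profile is called “Wired connection 1” as in the nmtui screens, and the guide's 10.0.0.0/24 addressing; the APPLY, MINE and PEER variables and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not Hivelocity's code): configure the private VLAN interface
# with nmcli instead of nmtui, with sanity checks. Assumptions: AlmaLinux 9,
# NetworkManager owns eth1, the profile is "Wired connection 1" (as in the
# nmtui screens), firewalld is running, addressing is the guide's 10.0.0.0/24.

IFACE="${IFACE:-eth1}"
CON="${CON:-Wired connection 1}"

# 0 when the dotted quad is RFC 1918 (10/8, 172.16/12, 192.168/16).
# Nothing is NATed on a private VLAN, so a public address here is a mistake.
in_rfc1918() {
    addr=$1
    o1=${addr%%.*}; rest=${addr#*.}; o2=${rest%%.*}
    case "$addr" in
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    case "$o1" in
        10)  return 0 ;;
        172) [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 0 ;;
        192) [ "$o2" -eq 168 ] && return 0 ;;
    esac
    return 1
}

# 0 when two addresses share the same /24, i.e. they are on-link for each
# other and no gateway is needed to cross the VLAN.
same_slash24() {
    [ "${1%.*}" = "${2%.*}" ]
}

# Print the nmcli/firewalld commands for one host. ipv4.never-default stops the
# private profile from ever installing a default route, so internet-bound
# traffic cannot drift onto the private link if someone adds a gateway later;
# the "internal" zone keeps host filtering on eth1 (VLAN members are not
# protected from each other by the VLAN itself).
nmcli_cmds() {
    cidr=$1
    ip=${cidr%/*}
    in_rfc1918 "$ip" || { echo "refusing non-RFC1918 address $ip" >&2; return 1; }
    case "$cidr" in
        */24) ;;
        *) echo "expected a /24 as in the guide, got $cidr" >&2; return 1 ;;
    esac
    cat <<EOF
nmcli connection modify "$CON" ipv4.method manual ipv4.addresses $cidr ipv4.gateway "" ipv4.never-default yes ipv6.method disabled
nmcli connection up "$CON"
firewall-cmd --permanent --zone=internal --change-interface=$IFACE
firewall-cmd --reload
EOF
}

# Apply on this host, then prove the peer is reachable over eth1 only.
configure_private() {
    mine=$1; peer=$2
    same_slash24 "${mine%/*}" "$peer" || { echo "peer $peer is not in the same /24" >&2; return 1; }
    nmcli_cmds "$mine" | sh -e
    ip -4 addr show dev "$IFACE"
    ip route show default dev "$IFACE" | grep -q . && echo "WARNING: default route via $IFACE" >&2
    ping -c 3 -W 2 -I "$IFACE" "$peer"
}

# Example on the first host: APPLY=1 MINE=10.0.0.2/24 PEER=10.0.0.3 sh vlan-private.sh
# and on the second:         APPLY=1 MINE=10.0.0.3/24 PEER=10.0.0.2 sh vlan-private.sh
if [ "${APPLY:-0}" = 1 ]; then
    configure_private "$MINE" "$PEER"
fi
```

Run it once per server with MINE and PEER swapped. Without APPLY=1 it only defines the functions, so `nmcli_cmds 10.0.0.2/24` can be used to review the exact commands before anything changes on the box.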

MTR Report how to Generate in Linux and Windows https://www.hivelocity.net/kb/mtr-report-how-to-generate-in-linux-and-windows/ Tue, 09 Jan 2024 22:50:53 +0000

The post MTR Report how to Generate in Linux and Windows appeared first on Hivelocity Hosting.

]]>
What is an MTR?

MTR (My Traceroute) is a Linux/Unix utility that combines the functions of ping and traceroute into one easy-to-use program. Run on a computer, it probes every hop on the path to a destination and reports a series of brief measurements that combine the results of the two tools.

MTR keeps sending probes to each hop on the path until the test is stopped, and for every hop it displays the percentage of packet loss, the number of packets sent and received, and the best, average, worst and most recent round-trip latency.

Why Does Hivelocity Support Team Require MTRs?

MTRs are required in certain scenarios for the support team to understand and evaluate the route and potential packet loss with each hop. Normally, the team will require an MTR from the server to your workstation or other affected server, along with another from the workstation to the server.

MTR in Linux


What is the MTR Package in Linux?

The mtr package is a command-line network diagnostic tool, also known as MyTraceRoute, that combines ping and traceroute in one program. It continuously sends packets and shows the response time and loss percentage of each hop between the local system and a destination host. It is an essential real-time network diagnostic tool for any sysadmin toolbox.

Installing and Using in Linux

The procedure to install and use MTR in a Linux OS is described below.

1. The mtr package is usually already installed (skip to step 2 to check). If it is missing, install it with the command below. The exact command depends on your package manager (apt on Debian/Ubuntu; on RHEL-family systems such as AlmaLinux the equivalent is dnf).

sudo apt install mtr

Installing and using MTR package in Linux

2. Once it is installed, run it with the command below. Let it run until the destination is reached, or for up to 2 minutes if it is not. For this example we will use Google’s DNS server IP, 8.8.8.8.

mtr 8.8.8.8

Installing and using MTR package in Linux

3. Once the command runs, a new display appears showing the test in progress.

Installing and using MTR package in Linux

4. The MTR report can be provided to Hivelocity’s support team as a screenshot for further evaluation and interpretation.


How to Modify

The mtr package has various options that alter its output. A few examples, with their meanings:

  • mtr -4 – use IPv4 only.
  • mtr -6 – use IPv6 only.
  • mtr -c <count> – send <count> probes to each hop, then exit (combined with -r this produces a text report instead of the live display).
  • mtr -n – do not resolve IP addresses to hostnames; the report then shows IP addresses only.

Modifying MTR in Linux
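Support asks for a screenshot, but mtr's report mode produces a text table that is easier to attach and to read mechanically. The script below is an added example, not part of the original article or of the mtr project: it runs mtr in report mode (100 cycles, no DNS) and then applies the rule of thumb for reading the loss column, namely that loss which appears at an intermediate hop but is gone at the destination is that router rate-limiting its ICMP replies rather than real packet loss. MTR_SAMPLE and MTR_SAMPLE_BAD are constructed reports, not captures from any real path, and the function names and the MTR_TARGET variable are this example's own.

```shell
#!/bin/sh
# Added example (not part of the article or the mtr project): run mtr in report
# mode and apply a rule of thumb for reading the loss column. Assumes a current
# mtr whose --report, --report-wide, --no-dns and -c options are available.
# MTR_SAMPLE and MTR_SAMPLE_BAD are constructed reports, not real captures.

# Text report, 100 probes per hop, no DNS, so support gets a pasteable table.
mtr_report() {
    mtr --report --report-wide --no-dns -c 100 "$1"
}

# Read a report on stdin and print one verdict line per hop.
# Rule of thumb: loss that shows at a middle hop but is gone at the destination
# is that router rate-limiting its ICMP "time exceeded" replies, not real loss;
# loss that is still present at the last hop is real and starts at the first
# hop that shows it. mtr prints the loss column with or without a trailing %,
# so the sign is stripped before comparing.
mtr_verdict() {
    awk '
    /^ *[0-9]+\.[|]--/ {
        n++
        host[n] = $2
        loss[n] = $3; sub(/%/, "", loss[n])
    }
    END {
        if (n == 0) { print "no hops parsed"; exit 1 }
        dest = loss[n] + 0
        for (i = 1; i <= n; i++) {
            l = loss[i] + 0
            if (i == n)
                v = (l > 0) ? "real loss at the destination" : "destination answers all probes"
            else if (l == 0)
                v = "no loss"
            else if (host[i] == "???" || l >= 100)
                v = "hop does not answer probes (filtered or silent), not a fault by itself"
            else if (dest > 0)
                v = "loss persists to the destination; the problem begins at or after this hop"
            else
                v = "intermediate-only loss, probably ICMP rate limiting on that router"
            printf "hop %d %s loss %.1f%%: %s\n", i, host[i], l, v
        }
        exit 0
    }'
}

# Constructed sample: a rate-limiting hop 2, a silent hop 3, a clean destination.
MTR_SAMPLE='HOST: host.example.net            Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.2.1                  0.0%   100    0.4   0.5   0.4   0.9   0.1
  2.|-- 198.51.100.1              30.0%   100    1.2   1.4   1.1   2.0   0.3
  3.|-- ???                       100.0   100    0.0   0.0   0.0   0.0   0.0
  4.|-- 8.8.8.8                    0.0%   100    9.8  10.1   9.6  12.3   0.7'

# Constructed sample: the same path, but the loss now reaches the destination.
MTR_SAMPLE_BAD='HOST: host.example.net            Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.2.1                  0.0%   100    0.4   0.5   0.4   0.9   0.1
  2.|-- 198.51.100.1              30.0%   100    1.2   1.4   1.1   2.0   0.3
  3.|-- ???                       100.0   100    0.0   0.0   0.0   0.0   0.0
  4.|-- 8.8.8.8                   25.0%   100   41.8  40.1   9.6 120.3  30.7'

# Example: MTR_TARGET=8.8.8.8 sh mtr-check.sh   (otherwise the sample is analysed)
if [ -n "${MTR_TARGET:-}" ]; then
    mtr_report "$MTR_TARGET" | mtr_verdict
else
    printf '%s\n' "$MTR_SAMPLE" | mtr_verdict
fi
```

When ICMP is dropped somewhere on the path, `mtr -T -P 443` (TCP probes to port 443) or `mtr -u` (UDP) often gets through where the default ICMP probes do not; the report format and the verdict logic stay the same.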

MTR in Windows


What is WinMTR?

WinMTR is a Windows port of MTR with a graphical interface, so MTRs can be run from the Windows OS. In the app, enter the IP address or domain name of the target host in the “Host” field and press Start. It keeps sending packets until you press Stop. The resulting report can then be exported.

Installing and Using in Windows

The procedure to install WinMTR in Windows is described below.

1. Go to the CNET page to reach the download link for the portable version.

  1. If the link does not work, a web search for WinMTR should find it.

2. Press on the “Download Now” to download the latest version, as shown below.

Installing and Using WinMTR in Windows

3. The next page starts downloading the .exe file to your computer. Once the download is complete, install the application.

4. Once the application has been installed, proceed to open the application.

5. On the application’s main screen, enter the IP you wish to test and press the Start button.

Installing and Using WinMTR in Windows

6. Let it run until the destination is reached, or for up to 2 minutes if it is not. For this example we use one of Google’s DNS server IPs, 8.8.8.8, as the host. An example report is shown below.

Installing and Using WinMTR in Windows

7. The report can be provided to Hivelocity’s support team as a screenshot, or via the “Export HTML” or “Export TEXT” option, for further evaluation and interpretation.


How to Modify

Pressing the “Options” button opens various settings. Most of them should be left alone; the one that is often useful, to produce a report containing only IP addresses, is to uncheck “Resolve names”. After changing it, run the test again.

Secure network time protocol (NTP) https://www.hivelocity.net/kb/secure-network-time-protocol-ntp/ Mon, 11 Jul 2016 19:15:06 +0000

The post Secure network time protocol (NTP) appeared first on Hivelocity Hosting.

]]>
Follow the templates below to keep your server from being used as a reflector or amplifier in a DDoS attack. The idea is the same on every platform: serve time only to the clients you intend to, and answer NTP control and monitoring queries (the ones that produce large responses) from nobody except your own management hosts.

CISCO IOS

This is a template IOS configuration that should work for most sites, but pay attention to the comments and notes. If your IOS devices synchronize with a device that is capable of MD5 authentication, see further below for authentication-specific statements. If you use control plane policing, be sure you account for NTP traffic. You might also be interested in adding the log tag to some of your ACLs so you know who is trying to talk NTP to your boxes, but that is best left as a local decision so we have not included it by default.

! Core NTP configuration
ntp update-calendar             ! update hardware clock (certain hardware only, i.e. 6509s)
ntp server 192.0.2.1            ! a time server you sync with
ntp peer   192.0.2.2            ! a time server you sync with and allow to sync to you
ntp source Loopback0            ! we recommend using a loopback interface for sending NTP messages if possible
!
! NTP access control
ntp access-group query-only 1   ! deny all NTP control queries
ntp access-group serve 1        ! deny all NTP time and control queries by default
ntp access-group peer 10        ! permit time sync to configured peer(s)/server(s) only
ntp access-group serve-only 20  ! permit NTP time sync requests from a select set of clients
!
! access control lists (ACLs)
access-list 1 remark utility ACL to block everything
access-list 1 deny any
!
access-list 10 remark NTP peers/servers we sync to/with
access-list 10 permit 192.0.2.1
access-list 10 permit 192.0.2.2
access-list 10 deny any
!
access-list 20 remark Hosts/Networks we allow to get time from us
access-list 20 permit 192.0.2.0 0.0.0.255
access-list 20 deny any 

Simple NTP authentication using MD5 in IOS is easy to manage for a limited set of static peers and upstream time providers that support it. Since this is generally a manual process, MD5 authentication for a large set of clients is likely to be unwieldy. Nonetheless, the feature provides some additional protection from unwanted NTP messages. This example assumes that you create an ‘ntp authentication-key’ for each peer/server. The key can be re-used, but we do not recommend re-using the same key with peers or upstreams from different autonomous systems. Also create an ‘ntp trusted-key’ line for each key-id you have configured. Please note that we have seen some gear limit the pass phrase to eight characters.

ntp authenticate                            ! enable NTP authentication
ntp authentication-key [key-id] md5 [hash]  ! define a NTP authentication key
ntp trusted-key [key-id]                    ! mark a NTP authentication key as trusted
ntp peer [peer_address] key [key-id]        ! form a authenticated session with a peer
ntp server [server_address] key [key-id]    ! form a authenticated session with a server 

The following commands may prove helpful to monitor or debug NTP issues on IOS.

! general NTP and clock status
show ntp status
! lists synchronization details with configured peer(s)/server(s)
show ntp associations [detail]
! shows or logs detailed NTP messages/packets
! WARNING: not recommended for general use in a production network!!
debug ntp [...]


JUNIPER JUNOS

The following configuration statements will define one or more time servers the router will obtain time from. The boot-server option is used to get a significantly skewed clock back into sync. To protect the local ntpd process in JUNOS you can use firewall filters on the loopback interface as you likely do for other services. Authentication can also be done on the Juniper ntpd process and it can be easily managed for a limited set of static peers and upstream time providers that support it. Since this is generally a manual process, authentication support for a large set of clients is likely to be unwieldy. Nonetheless, this feature provides some additional protection from unwanted NTP messages. This example assumes that you create an ntp ‘authentication-key’ for each peer/server. The key can be re-used, but we do not recommend re-using the same key with peers or upstreams from different autonomous systems. Where you see the [key-id] option, adjust that statement according to your authentication setup, if any.

system {
    ntp {
        authentication-key [key-id] type md5 value "[pass-phrase]";
        trusted-key [key-id];
        /* Allow NTP to sync if server clock is significantly different than local clock */
        boot-server 192.0.2.1;
        /* NTP server to sync to */
        server 192.0.2.1;
        server 192.0.2.2 key [key-id] prefer;
    }
}

You can use your loopback filter that shields the router from other anonymous access to also limit who the local NTP service talks to. The relevant section of that filter might look something like the following:

from {
    source-address {
        0.0.0.0/0;
        /* NTP server to get time from */
        192.0.2.1/32 except;
    }
    protocol udp;
    port ntp;
}
then {
    discard;
}

You must then eventually have a default accept-all rule or, if you have a default deny, you must explicitly allow your router to talk to whatever NTP systems it uses for time synchronization. For example, to add a explicit rule to permit NTP traffic, your configuration might look something like this:

from {
    source-address {
        /* NTP server to get time from */
        192.0.2.1/32;
    }
    protocol udp;
    port ntp;
}
then {
    accept;
}


UNIX NTPD

The following configuration is for a UNIX machine to act as simply an NTP client and never to allow NTP queries to it except from the loopback address:

# by default act only as a basic NTP client
restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
# allow NTP messages from the loopback address, useful for debugging
restrict 127.0.0.1
restrict ::1
# server(s) we time sync to
server 192.0.2.1
server 2001:DB8::1
server time.example.net

You can use your standard host firewall filtering capabilities to limit who the NTP process talks to. If you’re using Linux and the host is acting as an NTP client only, the following iptables rules could be adapted to shield your NTP listener from unwanted remote hosts.

-A INPUT -s 0/0 -d 0/0 -p udp --source-port 123:123 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -s 0/0 -d 0/0 -p udp --destination-port 123:123 -m state --state NEW,ESTABLISHED -j ACCEPT

Authentication with the reference NTP software on UNIX can be done with symmetric MD5 keys, much as in Cisco IOS and Juniper JUNOS. A public-key scheme called ‘Autokey’ is also available and was long regarded as the more secure option; note, however, that Autokey (RFC 5906) was later shown to be cryptographically weak and has been superseded by Network Time Security (NTS, RFC 8915) in current NTP implementations. For more information about these options, see the NTP authentication options page and the Configuring Autokey documentation.
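Two things worth checking after applying the ntpd template above (and the equivalent of the `show ntp status` / `show ntp associations` commands in the IOS section): that the host really refuses control and monitoring queries from outside, and that it is still synchronised after the restrict lines went in. The script below is an added example, not Hivelocity's code or part of the NTP distribution. It uses only the stock `ntpq` and `ntpdc` clients and coreutils `timeout`; NTPQ_GOOD and NTPQ_BAD are constructed samples of `ntpq -pn` output, and the NTP_HOST variable and function names are this example's own.

```shell
#!/bin/sh
# Added example (not Hivelocity's code): check an ntpd host from the outside
# with the stock ntpq/ntpdc clients and confirm it is actually synchronised.
# Assumes the ntp package (ntpq, ntpdc) and coreutils timeout are installed.
# NTPQ_GOOD and NTPQ_BAD are constructed samples of `ntpq -pn` output.

# Classify the reply to a mode 6 (ntpq readvar) or mode 7 (ntpdc monlist) query.
# With "restrict default ... noquery" the server drops both, so the client
# times out; a reply that echoes variables or a peer list means the host still
# answers control queries, which is exactly what reflection attacks abuse.
ntp_query_verdict() {
    case "$1" in
        *"Request timed out"*|*"Connection refused"*|*"data not found"*|"") echo closed ;;
        *"version="*|*"stratum="*|*"remote address"*)                        echo EXPOSED ;;
        *)                                                                   echo unknown ;;
    esac
}

# Probe a host the way a scanner would; run this from a different machine,
# since the template allows queries from 127.0.0.1 on purpose.
ntp_probe() {
    host=$1
    rv=$(timeout 5 ntpq -n -c rv "$host" 2>&1)
    mon=$(timeout 5 ntpdc -n -c monlist "$host" 2>&1)
    echo "readvar (mode 6): $(ntp_query_verdict "$rv")"
    echo "monlist (mode 7): $(ntp_query_verdict "$mon")"
}

# Parse `ntpq -pn` output on stdin. Exit 0 when a system peer (tally "*") is
# selected, was reachable on the last eight polls (reach 377) and is not
# stratum 16; also list peers that are unreachable or unsynchronised.
ntp_sync_ok() {
    awk '
    NR <= 2 { next }                                   # header and ==== rule
    {
        tally = substr($0, 1, 1); split(substr($0, 2), f)
        remote = f[1]; st = f[3] + 0; reach = f[7]
        if (tally == "*" && reach == "377" && st < 16) { ok = 1; sys = remote }
        if (reach == "0" || st == 16) bad = bad " " remote
    }
    END {
        print (ok ? "synced to " sys : "NOT synced")
        if (bad != "") print "unreachable or unsynced peers:" bad
        exit (ok ? 0 : 1)
    }'
}

# Constructed samples of `ntpq -pn` output (not real servers).
NTPQ_GOOD='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.1       .GPS.            1 u   34   64  377    0.412   -0.034   0.011
+192.0.2.2       192.0.2.1        2 u   12   64  377    0.833    0.120   0.045
 203.0.113.9     .INIT.          16 u    -   64    0    0.000    0.000   0.000'

NTPQ_BAD='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.0.2.1       .INIT.          16 u    -   64    0    0.000    0.000   0.000
 192.0.2.2       .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Example: NTP_HOST=192.0.2.1 sh ntp-audit.sh
# (the sync check needs query access, so run it on the server itself against
# 127.0.0.1; the probe is only meaningful from another host)
if [ -n "${NTP_HOST:-}" ]; then
    ntp_probe "$NTP_HOST"
    ntpq -pn "$NTP_HOST" | ntp_sync_ok
fi
```

A host that passes both checks answers time requests from the allowed clients, drops readvar and monlist from everyone else, and is locked to a live upstream; if the sync check reports “NOT synced” right after the restrict lines went in, the most common cause is that the upstream addresses were not exempted from the default restriction.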

A NOTE ABOUT BROADCAST/MULTICAST NTP

If you do not need multicast NTP support, but you do support IP multicast on your network, you should consider filtering the well known multicast group address for NTP (224.0.1.1) at your border.

A NOTE ABOUT BORDER NTP FILTERING

Some networks may consider filtering all or some NTP traffic between their network and others. This is potentially very troublesome and should only be considered and implemented with a full understanding of the ramifications. We cannot advocate this action by default, but can offer some guidelines to those who wish to do so.

All packets to/from TCP port 123 should be safe to filter since NTP by design only uses UDP. This might, however, affect anyone who attempts to setup another application on TCP port 123 for some reason or any possible future extension of NTP that might use TCP.

Filtering packets from your networks to external networks with UDP source port 123 and/or packets to your networks from external networks with UDP destination port 123 will certainly prevent your hosts from communicating as NTP servers to outside entities, but it may also prevent some NTP hosts from acting as NTP clients as well. We have seen some clients use port 123 for source ports. Filtering in this scenario then may cause problems for those clients.

If you can ensure that your internal hosts only act as clients and that all legitimate clients pick an unprivileged source port, you could probably apply the filter described above. We recommend logging or monitoring the filters to help with troubleshooting should it be necessary. Also use your systems’ built-in NTP monitoring capabilities to ensure all your NTP client systems remain in sync.

If you block all UDP 123 traffic so that no clients can talk to external servers, you must ensure that all your internal hosts are set up to use one or more internal NTP servers. Since many system components rely on an accurate notion of time, and most use NTP to get it, it is important to provide this service. Note that, except for the most limited and restrictive of networks, we do not find it necessary to completely block NTP for all your hosts, as long as those hosts can be secured in the ways suggested in the template configs above.
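The two questions a border filter on UDP/123 raises, per the discussion above, are which of your own hosts send NTP from source port 123 (a source-port filter would break them) and which outside hosts are already pulling time from you (the reflection exposure the filter is meant to remove). The script below answers both from a packet capture and is an added example, not Hivelocity's code. It reads the text output of `tcpdump -nn -l udp port 123` on stdin and handles IPv4 only; NTP_SAMPLE is a constructed capture, 192.0.2.0/24 stands in for “your” network and is passed as the prefix argument, and the function name and NTP_PREFIX variable are this example's own.

```shell
#!/bin/sh
# Added example (not Hivelocity's code): before filtering UDP/123 at the border,
# find out which of your hosts send NTP from source port 123 (they would break
# under a source-port filter) and which outside hosts already pull time from
# you. Reads `tcpdump -nn -l udp port 123` output on stdin; IPv4 lines only.
# NTP_SAMPLE is constructed, not a real capture; 192.0.2.0/24 plays the role of
# "your" network and is passed as the prefix argument.

# Usage: ntp_audit clients|served <your-prefix>   (prefix such as 192.0.2.)
#   clients: each internal NTP client and whether its source port is 123
#   served:  external hosts that send client requests to your addresses
ntp_audit() {
    mode=$1; pfx=$2
    awk -v mode="$mode" -v pfx="$pfx" '
    # tcpdump -nn prints: <time> IP <src>.<sport> > <dst>.<dport>: NTPv4, Client, length 48
    / IP [0-9.]+ > [0-9.]+: NTPv[0-9]+, Client/ {
        split($3, s, "."); src = s[1] "." s[2] "." s[3] "." s[4]; sport = s[5] + 0
        split($5, d, "."); dst = d[1] "." d[2] "." d[3] "." d[4]
        src_in = (index(src, pfx) == 1); dst_in = (index(dst, pfx) == 1)
        if (mode == "clients" && src_in)
            seen[src] = (sport == 123) ? "privileged" : "ephemeral"
        if (mode == "served" && !src_in && dst_in)
            seen[src] = "external-client"
    }
    END { for (h in seen) print seen[h], h }' | sort
}

# Constructed capture: two internal clients using source port 123, one using an
# ephemeral port, one server reply, and one outside host asking us for time.
NTP_SAMPLE='22:50:53.000001 IP 192.0.2.10.123 > 198.51.100.1.123: NTPv4, Client, length 48
22:50:53.000002 IP 198.51.100.1.123 > 192.0.2.10.123: NTPv4, Server, length 48
22:50:54.000003 IP 192.0.2.11.40123 > 198.51.100.1.123: NTPv4, Client, length 48
22:50:55.000004 IP 203.0.113.7.123 > 192.0.2.10.123: NTPv4, Client, length 48
22:50:56.000005 IP 192.0.2.12.123 > 198.51.100.2.123: NTPv3, Client, length 48'

# Live use: tcpdump -nn -l -i eth0 udp port 123 | ntp_audit clients 192.0.2.
# Example: NTP_PREFIX=192.0.2. sh ntp-border-audit.sh < capture.txt
if [ -n "${NTP_PREFIX:-}" ]; then
    ntp_audit clients "$NTP_PREFIX"
    ntp_audit served  "$NTP_PREFIX"
fi
```

Hosts reported as “privileged” are the ones the text warns about: a border rule that drops outbound UDP with source port 123 silently breaks them, so either move them to an internal time server or exempt them before the rule goes in. Anything reported by the served mode is a host outside your network that your servers are currently answering, which is what the restrict/ACL templates above are meant to stop.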

What are the Steps to Install BFD (Brute Force Detection)? https://www.hivelocity.net/kb/what-are-the-steps-to-install-bfd-brute-force-detection/ Wed, 30 Jan 2013 14:13:46 +0000

BFD works in conjunction with the APF firewall, so make sure APF is already installed on your server. Once that is done, follow the steps below to install BFD:

Step I – SSH into your hosting server as root.

Step II – Create a temporary directory for storing the downloaded files

mkdir /root/myfiles
cd /root/myfiles

Step III – Using the below command, you must download BFD from rfxnetworks:

wget https://www.rfxnetworks.com/downloads/bfd-current.tar.gz

Step IV – Extract the files onto the server and change into the new directory:

tar -xvzf bfd-current.tar.gz
cd bfd-1.4

Step V – Using the below command you must run the installation file:

./install.sh

You should see a message similar to the one below:

.: BFD installed
Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd

Go through the documentation, which covers configuring BFD and how it makes use of the APF firewall rules. Configure it according to your requirements and then run the command below:

/usr/local/sbin/bfd -s

How to prevent the DDOS? https://www.hivelocity.net/kb/how-to-prevent-the-ddos/ Tue, 29 Jan 2013 14:41:09 +0000

To prevent DDoS attacks, follow the steps below:

Set up the machine / network with security in mind.

Set up a firewall that performs ingress and egress filtering at the gateway.

E.g., steps to install APF:

bash# wget https://www.rfxnetworks.com/downloads/apf-current.tar.gz

bash# tar -zxf apf-current.tar.gz

bash# cd apf-<version number>

bash# ./install.sh

Go through the APF documentation and configure it to suit your needs. All configuration is set in conf.apf, which is normally located at /etc/apf/conf.apf.

Enable Anti-DOS mode in APF (i.e., in conf.apf). Also make sure that root's cron has an entry similar to:

*/8 * * * * root /etc/apf/ad/antidos -a >> /dev/null 2>&1

—–

Install an IDS on your gateway/hosts to alert you:

E.g., AIDE

———-

(a) wget ftp://ftp.cs.tut.fi/pub/src/gnu/aide-0.7.tar.gz

(b) Untar it:

tar -zxvf aide-0.7.tar.gz

(c) cd aide-0.7

(d) Then execute:

./configure --with-gnu-regexp

(e) Final steps to install: make; make install

(f) Now the real step: configuring AIDE. AIDE stores all its rule sets in the file called aide.conf. See man aide.conf for more details on how to configure it.

(g) Here is a sample short aide.conf:

Rule = p+i+u+g+n+s+md5

/etc p+i+u+g

/sbin Rule

/usr/local/apache/conf Rule

/var Rule

!/var/spool/.*

!/var/log/.*

In the above configuration, a rule called “Rule” is set to check permissions (p), inode (i), user (u), group (g), number of links (n), size (s), and md5 checksum (md5). These rules are applied to all files in /bin, /sbin, /var, and /usr/local/apache/conf since they won’t change. Files in /etc are checked for changes in only permissions, inode, user, and group because their size may change, but other things shouldn’t. Files and directories in /var/spool and /var/log are not checked because those are folders where the most frequent updates take place.

(h) After configuration is done, initialize the AIDE database with all these rules. For that, execute aide --init
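As an added example (not from the article or the AIDE project), the following Python snippet parses the sample aide.conf above and reports which attributes would be checked for a given path. Selection precedence is modelled as the longest matching positive selection, with any matching negative (!) selection excluding the path; that is a simplification of AIDE's tree-based matching and is an assumption here, adequate for this flat sample config.

```python
"""Work out which attributes the sample aide.conf checks for a path.

Added example (not from the article or the AIDE project). It parses rule
definitions ("Rule = p+i+u+g+n+s+md5"), selection lines ("/etc p+i+u+g")
and negative selections ("!/var/log/.*"). Precedence is modelled as the
longest matching positive selection (an assumption; real AIDE uses a
directory tree with its own precedence rules). Config text is constructed.
"""
import re

# Attribute letters used in the sample config (a subset of aide.conf's).
ATTRIBUTE_NAMES = {
    "p": "permissions", "i": "inode", "u": "user", "g": "group",
    "n": "number of links", "s": "size", "md5": "md5 checksum",
}

# Constructed copy of the article's sample aide.conf.
SAMPLE_AIDE_CONF = """\
Rule = p+i+u+g+n+s+md5

/etc p+i+u+g
/sbin Rule
/usr/local/apache/conf Rule
/var Rule
!/var/spool/.*
!/var/log/.*
"""


def parse_aide_conf(text):
    """Return (rules, selections, negatives) from aide.conf style text."""
    rules, selections, negatives = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line and not line.startswith(("/", "!")):
            name, expr = (s.strip() for s in line.split("=", 1))
            rules[name] = expr                      # named rule definition
        elif line.startswith("!"):
            negatives.append(line[1:])              # regex to exclude
        else:
            regex, expr = line.split(None, 1)       # "<regex> <rule expr>"
            selections.append((regex, expr))
    return rules, selections, negatives


def expand_rule(expr, rules):
    """Expand 'a+b+Rule' into a set of attribute letters, following rule names."""
    attrs = set()
    for token in (t.strip() for t in expr.split("+")):
        if token in rules:
            attrs |= expand_rule(rules[token], rules)
        elif token in ATTRIBUTE_NAMES:
            attrs.add(token)
        else:
            raise ValueError(f"unknown attribute or rule: {token}")
    return attrs


def checked_attributes(path, conf_text):
    """Return the attributes checked for path, or an empty set if not monitored."""
    rules, selections, negatives = parse_aide_conf(conf_text)
    # AIDE anchors selection regexes at the start of the path.
    if any(re.match(neg, path) for neg in negatives):
        return set()
    best = None                                     # (match length, rule expr)
    for regex, expr in selections:
        m = re.match(regex, path)
        if m and (best is None or m.end() > best[0]):
            best = (m.end(), expr)
    return expand_rule(best[1], rules) if best else set()
```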

How do I manage the IPs? https://www.hivelocity.net/kb/how-do-i-manage-the-ips/ Sat, 13 Nov 2010 18:54:25 +0000

You are given IPs and then are able to utilize them within your own domains. IPs are able to be granted as either exclusive, meaning that you become the user with exclusive rights to this IP, or shared, meaning that this IP is shared among many other clients (i.e. one IP can be used for hosting by many clients).

The IP Pool also provides the mechanism by which IP usage can be tracked. You can immediately see the complete list of allocated IPs and identify the locations on which each IP is currently being used within your environment.

Click the IP Pool icon on the Home page to access the IP pool. It displays the list of IP addresses that were granted (exclusively or as shared):

The Hosting column displays the number of your domains that use (have hosting configured) the corresponding IP address.
Viewing the hosting configured for an IP and setting a default domain

You can view the domains that have hosti

Default IPTables Configuration for HSphere https://www.hivelocity.net/kb/default-iptables-configuaration-for-hsphere/ Sat, 13 Nov 2010 13:58:14 +0000

Below is a ‘template’ firewall for a single-server HSphere install.

Notes:
192.168.1.1 is the example base IP address of the server. You need to change this.
192.168.1.2 is *your* IP address. You *must* change this, otherwise you’ll lock yourself out of the server.
This example would be saved to the file /etc/sysconfig/iptables.
You need to load the ip_conntrack_ftp module into the kernel when iptables is started. You add this module name in /etc/rc.d/init.d/iptables.
Change:
IPTABLES_MODULES=""
To:
IPTABLES_MODULES="ip_conntrack_ftp"
#######################################################
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BLOCK_NET - [0:0]
# Handle Passive FTP (remember to enable ip_conntrack_ftp module)
-A OUTPUT -p tcp -m tcp -m state --dport 1024:65535 --sport 1024:65535 --state RELATED,ESTABLISHED -j ACCEPT
# Server Base IP address
-A INPUT -s 192.168.1.1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Management IPs (VERY IMPORTANT TO PUT YOUR IP HERE otherwise you'll be locked out)
-A INPUT -s 192.168.1.2 -j ACCEPT
# End Management IPs
# Run Block bad networks chain
-A INPUT -j BLOCK_NET
# Handle Passive FTP (remember to enable ip_conntrack_ftp module in the iptables init script)
-A INPUT -p tcp -m tcp -m state --dport 1024:65535 --sport 1024:65535 --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j DROP
-A INPUT -p tcp -m tcp --dport 135 -j DROP
-A INPUT -p tcp -m tcp --dport 136 -j DROP
-A INPUT -p tcp -m tcp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 138 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j DROP
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 593 -j DROP
-A INPUT -p tcp -m tcp --dport 777 -j DROP
-A INPUT -p tcp -m tcp --dport 778 -j DROP
-A INPUT -p tcp -m tcp --dport 837 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1025 -j DROP
-A INPUT -p tcp -m tcp --dport 1080 -j DROP
-A INPUT -p tcp -m tcp --dport 1434 -j DROP
-A INPUT -p tcp -m tcp --dport 1433 -j DROP
-A INPUT -p tcp -m tcp --dport 3128 -j DROP
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4321 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4444 -j DROP
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6667 -j DROP
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p udp -m udp --dport 137:138 --sport 137:138 -j DROP
# Logging to /var/log/messages
-A INPUT -p tcp -m tcp -j LOG --log-prefix "AUDIT TCP "
-A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp -j LOG --log-prefix "AUDIT UDP "
-A INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -m icmp --icmp-type 8 -j LOG
COMMIT
# mangle section
*mangle
:PREROUTING ACCEPT [1591876424:227299011220]
:INPUT ACCEPT [1591816598:227294667655]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1765890237:977040975279]
:POSTROUTING ACCEPT [1765890154:977040909847]
COMMIT
# NAT section
*nat
:PREROUTING ACCEPT [10032111:558215684]
:POSTROUTING ACCEPT [5152283:290989829]
:OUTPUT ACCEPT [3923347:241838349]
COMMIT
#######################################################
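As an added example (not part of the original article), the following Python script checks a saved ruleset for the kinds of copy-paste defects that stop a file like the template above from loading under iptables-restore, or that lock the administrator out of an INPUT DROP policy. The rulesets inside it are constructed, and 192.168.1.2 stands for the management address just as in the template.

```python
"""Sanity-check an iptables-save style ruleset before loading it.

Added example, not from the original article. Flags defects that make a hand-edited
/etc/sysconfig/iptables fail to load or lock the admin out: a rule missing its leading
"-", a chain missing its ":", COMMIT fused onto a chain line, a table without COMMIT,
en-dashes pasted in place of "--", and an INPUT DROP policy with no ACCEPT for the
management IP. The sample rulesets below are constructed for this example.
"""
import re


def parse_ruleset(text):
    """Parse iptables-save text; return ({table: info}, problems) in file order."""
    tables, problems, cur = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                          # e.g. *filter
            cur = tables.setdefault(line[1:], {"chains": {}, "rules": [], "commit": False})
        elif cur is None:
            problems.append(f"line {n}: content before any table: {line}")
        elif line == "COMMIT":
            cur["commit"] = True
        elif line.startswith(":"):                        # chain declaration
            if line.endswith("COMMIT"):
                problems.append(f"line {n}: COMMIT fused onto chain line: {line}")
                line = line[: -len("COMMIT")]
            name, policy = line[1:].split()[:2]
            cur["chains"][name] = policy
        elif line.startswith(("-A ", "-I ")):             # a rule
            if "\u2013" in line:                          # en-dash, not "--"
                problems.append(f"line {n}: en-dash instead of '--': {line}")
            cur["rules"].append(line)
        elif re.match(r"^[AI] ", line):
            problems.append(f"line {n}: rule missing leading '-': {line}")
        elif re.match(r"^[A-Z_]+ (ACCEPT|DROP|-) \[", line):
            problems.append(f"line {n}: chain declaration missing ':': {line}")
        else:
            problems.append(f"line {n}: unrecognised line: {line}")
    return tables, problems


def lint_ruleset(text, mgmt_ip):
    """Return a list of problems; an empty list means the ruleset looks sane."""
    tables, problems = parse_ruleset(text)
    problems += [f"table {t}: missing COMMIT" for t, i in tables.items() if not i["commit"]]
    flt = tables.get("filter")
    if flt is None:
        return problems + ["no *filter table"]
    mgmt_ok = any(f"-s {mgmt_ip} " in r and r.endswith("-j ACCEPT")
                  for r in flt["rules"] if r.startswith("-A INPUT "))
    if flt["chains"].get("INPUT") == "DROP" and not mgmt_ok:
        problems.append(f"INPUT policy is DROP but no ACCEPT rule for management IP {mgmt_ip}")
    return problems


# Constructed samples: the broken one shows each class of mistake once.
SAMPLE_BROKEN = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp \u2013dport 25 -j ACCEPT
*mangle
REROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]COMMIT
"""
SAMPLE_FIXED = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.2 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
"""
```

Run `lint_ruleset(open("/etc/sysconfig/iptables").read(), "<your management IP>")` against a template before loading it; an empty list is the expected result.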

How do I setup NFS? https://www.hivelocity.net/kb/how-do-i-setup-nfs/ Sat, 13 Nov 2010 12:54:19 +0000

Set up NFS by editing the /etc/exports config file:

# apt-get install nfs-kernel-server
# echo "/ *.domainname-for-lan-hosts(rw,no_root_squash,nohide)" \
>> /etc/exports

How is inetd initialized? https://www.hivelocity.net/kb/how-is-inetd-initialized/ Sat, 13 Nov 2010 12:29:40 +0000

inetd is initialized through the rc system. The inetd_enable option is set to NO by default, but may be turned on by sysinstall during installation, depending on the configuration chosen by the user.

Placing:

inetd_enable="YES"

or

inetd_enable="NO"

into /etc/rc.conf will enable or disable inetd starting at boot time.

The command:

/etc/rc.d/inetd rcvar

can be run to display the current effective setting.

How To Configure TCP/IP Settings in Windows https://www.hivelocity.net/kb/how-do-i-configure-my-tcpip-settings-in-windows/ Sat, 13 Nov 2010 11:03:49 +0000

Configuring TCP/IP Settings

To configure your TCP/IP Address settings in Windows, follow these 7 steps:

  1. Open Network Connections.*
  2. Right-click the network connection you want to configure, and then click Properties.
  3. On the General tab (for a local area connection) or the Networking tab (for all other connections), click Internet Protocol (TCP/IP), and then click Properties.
  4. Click Use the following IP address, and do one of the following:
    • For a local area connection, in IP address, Subnet mask, and Default gateway, type the IP address, subnet mask, and default gateway addresses.
    • For all other connections, in IP address, type the IP address.
  5. Click Use the following DNS server addresses.
  6. In Preferred DNS server and Alternate DNS server, type the primary and secondary DNS server addresses.
  7. To configure advanced static address settings for a local area connection, click Advanced, and do one or more of the following:
    • To configure additional IP addresses:
      1. On the IP Settings tab, in IP addresses, click Add.
      2. In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet mask, and then click Add.
      3. Repeat steps 1 and 2 for each IP address you want to add, and then click OK.
    • To configure additional default gateways:
      1. On the IP Settings tab, in Default gateways, click Add.
      2. In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default route metric, clear the Automatic metric check box and type a metric in Metric.
      3. Click Add.
      4. Repeat steps 1 through 3 for each default gateway you want to add, and then click OK.
    • To configure a custom metric for this connection, clear the Automatic metric check box, and then type a metric value in Interface metric.

*Notes:

  1. To perform this procedure, you must be a member of the Administrators group or the Network Configuration Operators group on the local computer.
  2. To open Network Connections, click Start, click Control Panel, and then double-click Network Connections.

And there you have it! You now know how to configure TCP/IP Settings within Windows.

 

TCP/IP Registry Values That Harden the TCP/IP Stack https://www.hivelocity.net/kb/tcpip-registry-values-that-harden-the-tcpip-stack-windows-2003-servers/ Sat, 13 Nov 2010 10:35:49 +0000

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

The following list explains the TCP/IP-related registry values that you can configure to harden the TCP/IP stack on computers that are directly connected to the Internet. All of these values should be created under the following registry key, unless otherwise noted:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

NOTE: All values are in hexadecimal unless otherwise noted.
Value name: SynAttackProtect
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0,1
Default: 0

This registry value causes Transmission Control Protocol (TCP) to adjust retransmission of SYN-ACKS. When you configure this value, the connection responses time out more quickly during a SYN attack (a type of denial of service attack).

The following parameters can be used with this registry value:
0 (default value): Set SynAttackProtect to 0 for typical protection against SYN attacks.

1: Set SynAttackProtect to 1 for better protection against SYN attacks. This parameter causes TCP to adjust the retransmission of SYN-ACKS. When you set SynAttackProtect to 1, connection responses time out more quickly if the system detects that a SYN attack is in progress. Windows uses the following values to determine whether an attack is in progress:
TcpMaxPortsExhausted
TCPMaxHalfOpen
TCPMaxHalfOpenRetried
Value name: EnableDeadGWDetect
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0, 1 (False, True)
Default: 1 (True)

The following list explains the parameters that you can use with this registry value:

1: When you set EnableDeadGWDetect to 1, TCP is permitted to perform dead-gateway detection. When dead-gateway detection is enabled, TCP may ask the Internet Protocol (IP) to change to a backup gateway if a number of connections are experiencing difficulty. Backup gateways are defined in the Advanced section of the TCP/IP configuration dialog box in the Network tool in Control Panel.

0: Microsoft recommends that you set the EnableDeadGWDetect value to 0. If you do not set this value to 0, an attack may force the server to switch gateways and cause it to switch to an unintended gateway.
Value name: EnablePMTUDiscovery
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0, 1 (False, True)
Default: 1 (True)

The following list explains the parameters that you can use with this registry value:

1: When you set EnablePMTUDiscovery to 1, TCP tries to discover either the maximum transmission unit (MTU) or the largest packet size over the path to a remote host. TCP can remove fragmentation at routers along the path that connect networks with different MTUs by discovering the path MTU and limiting TCP segments to this size. Fragmentation adversely affects TCP throughput.

0: Microsoft recommends that you set EnablePMTUDiscovery to 0. When you do so, an MTU of 576 bytes is used for all connections that are not hosts on the local subnet. If you do not set this value to 0, an attacker may force the MTU value to a very small value and overwork the stack.
Value name: KeepAliveTime
Key: Tcpip\Parameters
Value Type: REG_DWORD-Time in milliseconds
Valid Range: 1-0xFFFFFFFF
Default: 7,200,000 (two hours)

This value controls how frequently TCP tries to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. Keep-alive packets are not sent by default. You can use a program to configure this value on a connection. The recommended value setting is 300,000 (5 minutes).

Value name: NoNameReleaseOnDemand
Key: Netbt\Parameters
Value Type: REG_DWORD
Valid Range: 0, 1 (False, True)
Default: 0 (False)

This value determines whether the computer releases its NetBIOS name when it receives a name-release request. This value was added to permit the administrator to protect the computer against malicious name-release attacks. Microsoft recommends that you set the NoNameReleaseOnDemand value to 1.
