Shit Host Protected By a Good Host.

Veruse

Member
Mar 4, 2017
Hey, first of all this is my first post so please don't butcher me!

I have about 4 servers from Hetzner; however, their DDoS protection is utter shit. I have an OVH game VPS with 5 IPs. Could I make it so Hetzner data goes through OVH?

e.g.

Client -> OVH -> Hetzner

and

Hetzner -> OVH -> Client

Thanks.
 

Asphyxia

Owner
Administrator
Apr 25, 2015
Quick question.. what do you want to do with the server? Like host a website, TeamSpeak, or what? The answer can change..

But for the most part, NAT will probably be easier and work well: read up here https://serverfault.com/a/384479

One more good read: https://ipwithease.com/proxy-vs-nat/

Your two main options are NAT and proxy (or reverse proxy).
 

Asphyxia

Owner
Administrator
Apr 25, 2015
For a website look into setting up a reverse proxy properly.

I completely agree with you if he is using the server(s) especially for websites. It will be important to notice that all IP addresses will show as the server acting as the reverse proxy (or load balancer).

The setup would look like this:

Client has Google Chrome installed.

OVH can act as your reverse proxy or load balancer; this is where we want to catch and stop attackers, before they reach the Hetzner service(s). Consider hardening your system's firewall (netfilter/iptables) and utilize NGINX, HAProxy, or Traefik for reverse proxying. Make sure to proxy all traffic, so the connection looks like client (visitor) >> OVH (reverse proxy - consider load balancing since you have multiple other servers, and try to use segmentation) >> Hetzner. Hetzner could be used to host services that are cleaned by Cloudflare and your OVH proxy/balancer, and ultimately consider blocking as many attacks as possible for security purposes, but be careful because too many (or poorly configured) firewall rules/filtering can eat resources and trigger a DoS on yourself.. https://github.com/SpiderLabs/ModSecurity-nginx -- https://serverfault.com/a/758499 You can use ONLY ports 22/443 (SSH/HTTPS) if you want.. this can cut down possible external attacks somewhat.

Hetzner has your Apache (or any other web server daemon) installed and configured with the most efficient setup. Please consider the idea of segmentation, where you keep all your services/servers separated, for example containerize the database server, file system, and such - or keep them on separate VPS servers. Make sure to finely configure all your services for maximum efficiency, e.g. for XenForo I would look into caching ( https://xenforo.com/community/threads/please-help-sql-caching-optimization.123900/ ); focus on caching of anything interpreted/executed/queries/whatever!! Think about it like this: your input and output are all limited resources via processing/memory/network (packets).. unlimited wants with limited resources. So kind of like budgeting (setting an allowance for spending, bills, etc.).. you need to do the same thing with your resources. You can do this by creating a container, virtual machine, or properly setting configurations, rate limiting, load balancing, firewalls, selecting the right hosting providers.. if OVH is the strongest hosting provider, you just want to put that at the front line (or even better would be Cloudflare or another good CDN).
 


NatureNMoon

Restricted
Jul 8, 2016
You can do this easily by using SNAT & DNAT in iptables; search a little bit on Google. It is a piece of cake.
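Worked example added here (not code from the thread or from either poster): a POSIX shell script that prints the iptables DNAT/SNAT rules for the client -> OVH -> Hetzner path NatureNMoon refers to, with the FORWARD chain default-deny so only the listed ports reach Hetzner, along the lines of Asphyxia's "only ports 22/443" advice. The addresses, interface name and ports are constructed placeholders, and the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints the iptables rules that make
# "client -> OVH -> Hetzner" and "Hetzner -> OVH -> client" work with forwarding
# default-deny, so only the listed ports reach the backend.
# Every address, interface and port here is a constructed placeholder.
set -u

# Usage: nat_rules FRONT_IP BACKEND_IP IFACE proto:port [proto:port ...]
# Rules are printed, not applied, so they can be reviewed first.
nat_rules() {
  front=$1; backend=$2; iface=$3; shift 3
  echo "sysctl -w net.ipv4.ip_forward=1"
  # Nothing is forwarded unless a rule below explicitly allows it.
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  for spec in "$@"; do
    proto=${spec%%:*}; port=${spec#*:}
    # DNAT only on the one public IP used as the front door; the VPS's other
    # IPs are left alone, so managing OVH itself (e.g. SSH) keeps working.
    echo "iptables -t nat -A PREROUTING -i $iface -d $front -p $proto --dport $port -j DNAT --to-destination $backend:$port"
    echo "iptables -A FORWARD -i $iface -d $backend -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  # SNAT makes Hetzner see OVH as the source, so replies return via OVH rather
  # than straight to the client (which would break the connection and reveal
  # the Hetzner address the setup is meant to hide).
  echo "iptables -t nat -A POSTROUTING -o $iface -d $backend -j SNAT --to-source $front"
}

# Side effect of SNAT: Hetzner's logs only ever show the OVH address, so any
# per-client limiting must be done on OVH. This caps new connections per
# source IP before they are forwarded.
# Usage: rate_limit_rule IFACE PORT PER_MINUTE
rate_limit_rule() {
  iface=$1; port=$2; per_min=$3
  echo "iptables -I FORWARD -i $iface -p tcp --dport $port -m conntrack --ctstate NEW -m hashlimit --hashlimit-above ${per_min}/min --hashlimit-mode srcip --hashlimit-name fwd_$port -j DROP"
}

# Constructed sample: one OVH IP fronts one Hetzner box, exposing HTTPS, SSH
# and a UDP game port. Pipe the output to `sh` on the OVH VPS to apply it.
nat_rules 203.0.113.10 198.51.100.20 eth0 tcp:443 tcp:22 udp:27015
rate_limit_rule eth0 443 60
```

Because of the SNAT, Hetzner cannot tell clients apart, so any per-IP blocking or logging you want has to live on the OVH box; a reverse proxy (NGINX/HAProxy) instead of NAT would let you pass the real client IP through in headers or the PROXY protocol.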
 