Hi Folks,
Those of you who run a VPS hosting business and use Nodewatch have probably seen Nodewatch suspending a customer's VPS for seemingly no reason at all.
The customer would tell you that they only got their VPS literally 5 minutes ago and installed pptp server. And yet, a few seconds later, VPS gets suspended by Nodewatch for a DoS attack (with a nice log showing a synflood attack where the VPS seems to be attacking itself).
In cases like this the customer is blaming the host, and the host is blaming Nodewatch for "false positives".
So we have finally found the culprit. It is a popular pptp autoinstaller script users use on their Debian servers. It can be downloaded from http://dadi.me/wp-content/uploads/dir/VPN/pptp_ovz_debian.sh
This script sets one incorrect iptables rule that makes a VPS "DoS" itself. Here it is:
iptables -t nat -A POSTROUTING -j SNAT --to $ip
($ip contains main VPS IP)
Long story short[er], the correct rule should be:
iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -j SNAT --to-source $ip
#10.1.0.0/24 - this subnet is what is assigned to pptp users according to this script.
Does anyone know how to contact the creator of this script?