nano /etc/sysctl.conf
kernel.printk = 4 4 1 7
sysctl -p
one-liner:
echo "kernel.printk = 4 4 1 7" >> /etc/sysctl.conf && sysctl -p
Here are my WAF rules:
(ip.geoip.country in {"AL" "AD" "AM" "BY" "BF" "BI" "CN" "FJ" "GF" "GT" "GY" "HT" "HN" "HK" "KP" "KR" "MO" "MW" "MY" "RU" "SG" "SR" "VE" "VN"}) or (cf.threat_score gt 70) or (http.user_agent contains "curl") or (http.user_agent contains "python") or (http.user_agent contains "Go-http-client")
(ip.geoip.asnum in {24940 26347 43350 7018 58111 8075 47583 16628 205016 31898 45102 204548 46562 35320 54483 398101 27715 202269 32329 7489 8100 46606 40021 21887 12876 22394 25820 208226 13213 35612 38365 45090 17816 22773 4812 7849 14618 26496 13287 132203 14103 27967 1759 41508 8972 35916 60781 2152 29066 1239 24961 7162 395336 39378 266400 64200 210558 399486 198605 28539 212238 272043 14576 56655 9152 9050 8953 265919 47583 263093 27715 7162 46407 60068 40676 199524 212238 60068 210630 53667 132203 45090 137876 133478 23033 27176 20278 397966 49157 11989 52468 174 1239 58212 20473 6939 16276 6147 6057 3352 397630 5089 7018 20115 701 18779 5650 209 395954 8560 398101 26496 26347 12876 46261 20773 21859 25780 29802 30083 32097 32475 33070 33182 33387 36024 36351 36352 42473 46475 46664 49544 52219 53559 55933 62567 63473 63949 136258 202053 203629 24549 200019 8851 28753 21559 9009 42675 62240 11427 265613 25369 42624 26548}) or (ip.geoip.continent in {"T1"}) or (ip.geoip.country in {"BY" "BA" "BG" "CN" "CY" "SV" "FK" "FO" "GL" "HN" "HU" "JE" "JO" "XK" "LI" "MK" "MT" "MD" "OM" "RS" "SK" "SI" "AE"}) or (http.request.uri.path contains "/cms") or (http.request.uri.path contains "/wp") or (http.request.uri.path contains "/wordpress") or (http.request.uri.path contains ".env") or (http.request.uri.path contains "\\xC9") or (http.request.uri.path contains "xmlrpc.php")
Also take a look at: https://github.com/chaitin/SafeLine
ZFS raidz2 resilvering is very slow, what can we do?
For now this is all I could find :*(
The server has 256 GB RAM; let it use 192 GB of it.
echo 206158430208 >/sys/module/zfs/parameters/zfs_arc_max
echo 206158430208 >/sys/module/zfs/parameters/zfs_arc_min
echo 5 >/sys/module/zfs/parameters/zfs_scan_mem_lim_fact
The last one means the memory limit for scrub/resilver operations is now 1/5 (20%) of the ARC size (the OpenZFS default factor is 20, i.e. 1/20).
So in my case scrub/resilver operations can use up to ~38 GB of RAM.
Note: these values are applied on the fly; if you want them to survive a reboot:
nano /etc/modprobe.d/zfs.conf
options zfs zfs_arc_max=206158430208
options zfs zfs_arc_min=206158430208
options zfs zfs_scan_mem_lim_fact=5
If the root file system is ZFS (mine is), rebuild the initramfs so the options are picked up at boot:
update-initramfs -u -k all
and reboot.
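The same tuning as an added helper script (not part of the original notes): it derives the byte values from a GiB figure, refuses an ARC cap that is not below physical RAM, and only writes to /sys and /etc/modprobe.d when APPLY=1 is set. It assumes Linux with OpenZFS parameters under /sys/module/zfs/parameters; the variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): compute and sanity-check the
# ZFS ARC and scan-memory values used above before writing them anywhere.
# Assumptions: Linux with OpenZFS module parameters under
# /sys/module/zfs/parameters and /etc/modprobe.d/zfs.conf as the persistent
# location. Nothing is written unless APPLY=1 is set in the environment.

# arc_bytes <GiB>: GiB to bytes (192 -> 206158430208, the value in the notes)
arc_bytes() {
    echo $(( $1 * 1024 * 1024 * 1024 ))
}

# scan_limit_bytes <arc_max> <zfs_scan_mem_lim_fact>: memory the scrub/resilver
# scanner may use; fact=5 means 1/5 of the ARC (the OpenZFS default is 20, i.e. 1/20)
scan_limit_bytes() {
    echo $(( $1 / $2 ))
}

# mem_total_bytes: physical RAM from /proc/meminfo (MemTotal is in kB);
# prints 0 where /proc/meminfo does not exist so the check below fails closed
mem_total_bytes() {
    awk '/^MemTotal:/ { print $2 * 1024 }' /proc/meminfo 2>/dev/null || echo 0
}

# check_arc_fits <arc_max> <mem_total>: refuse an ARC cap that is not strictly
# below physical RAM; the kernel, VMs and other services need headroom too
check_arc_fits() {
    [ "$1" -lt "$2" ]
}

# modprobe_conf <arc_max> <arc_min> <fact>: the persistent module options
modprobe_conf() {
    cat <<EOF
options zfs zfs_arc_max=$1
options zfs zfs_arc_min=$2
options zfs zfs_scan_mem_lim_fact=$3
EOF
}

# apply_live <arc_max> <arc_min> <fact>: the on-the-fly version from the notes
apply_live() {
    echo "$1" > /sys/module/zfs/parameters/zfs_arc_max
    echo "$2" > /sys/module/zfs/parameters/zfs_arc_min
    echo "$3" > /sys/module/zfs/parameters/zfs_scan_mem_lim_fact
}

ARC_GIB=${ARC_GIB:-192}
SCAN_FACT=${SCAN_FACT:-5}
ARC_MAX=$(arc_bytes "$ARC_GIB")
# Setting arc_min equal to arc_max pins the ARC: it can never shrink under
# memory pressure. That is what the notes do; override ARC_MIN (e.g. half of
# ARC_MAX) on a host that also runs memory-hungry services.
ARC_MIN=${ARC_MIN:-$ARC_MAX}

if [ "${APPLY:-0}" = 1 ]; then
    if check_arc_fits "$ARC_MAX" "$(mem_total_bytes)"; then
        apply_live "$ARC_MAX" "$ARC_MIN" "$SCAN_FACT"
        modprobe_conf "$ARC_MAX" "$ARC_MIN" "$SCAN_FACT" > /etc/modprobe.d/zfs.conf
        echo "ARC capped at $ARC_MAX bytes; scrub/resilver may use $(scan_limit_bytes "$ARC_MAX" "$SCAN_FACT") bytes"
    else
        echo "refusing: zfs_arc_max $ARC_MAX is not below physical RAM" >&2
        exit 1
    fi
fi
```

Run it as `APPLY=1 ARC_GIB=192 sh zfs-arc.sh` on the host; on a ZFS root you still need the `update-initramfs -u -k all` step from the notes afterwards.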
First things first, you need a solid foundation. This means getting a virtual server running a Linux distribution like Debian or Ubuntu. Once you have your server’s IP address and login details, connect to it using SSH.
Before we install anything, it’s crucial to get your server up to date. Run these commands to update your system’s package list and apply any pending upgrades:
sudo apt update
sudo apt upgrade -y
With your system current, you’re ready for the next step.
LinuxGSM has a few software requirements to function correctly. You can install them all with a single command (on Debian 12 "netcat" is only a virtual package, so pick netcat-openbsd if apt complains; steamcmd is not needed for Minecraft, which is downloaded from Mojang, and on Debian it lives in the non-free section). The Minecraft server itself also needs a Java runtime; LinuxGSM checks its dependencies at install time and lists anything that is missing.
sudo apt install curl wget file tar bzip2 gzip unzip bsdmainutils python3 util-linux ca-certificates binutils bc jq tmux netcat lib32gcc-s1 lib32stdc++6 steamcmd
For security reasons, you should never run a game server as the ‘root’ user. Let’s create a dedicated user for our Minecraft server. We’ll call it “mcserver”.
sudo adduser mcserver
Follow the prompts to set a password. After the user is created, switch to it:
su - mcserver
Now, as the ‘mcserver’ user, we’ll download the LinuxGSM script.
wget -O linuxgsm.sh https://linuxgsm.sh && chmod +x linuxgsm.sh && bash linuxgsm.sh mcserver
This script will download the rest of the necessary files and get the framework in place.
With LinuxGSM ready, installing the actual Minecraft server is incredibly simple. Just run the installer command:
./mcserver install
The script will handle downloading the latest server files from Mojang. It will likely ask you to agree to the Minecraft EULA. Make sure to read it and accept it to continue.
For other players to connect to your server, you need to open the default Minecraft port (25565) in your server's firewall. This rule only takes effect while ufw is active; if you are enabling ufw for the first time, allow SSH (the OpenSSH app profile) before enabling it, or you will lock yourself out of the server.
sudo ufw allow 25565/tcp
Now you’re ready for the magic moment! Start your server with this command:
./mcserver start
You can check the server’s status and see live details by running:
./mcserver details
To connect, simply launch Minecraft, go to Multiplayer, click “Add Server,” and enter your server’s IP address.
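The whole procedure above as one script, added here as an example (it is not from the guide or from the LinuxGSM project): it creates the service user only if missing, orders the ufw commands so an SSH session cannot be locked out, and runs LinuxGSM as the unprivileged user. The user name and port are the guide's; the package list uses netcat-openbsd and leaves out steamcmd; DRY_RUN=1 makes it print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the guide or from LinuxGSM itself): the steps above
# as one idempotent script with the guards a production host needs.
# User name and port are the guide's; DRY_RUN=1 prints commands instead of
# running them. steamcmd is dropped (Minecraft is fetched from Mojang) and
# netcat-openbsd is the real package behind Debian's virtual "netcat".

USER_NAME=${USER_NAME:-mcserver}
GAME_PORT=${GAME_PORT:-25565}

# run <cmd...>: execute, or just print the command line when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# ensure_user <name>: create the service account without a password (reach it
# with `su - name` from an admin login); do nothing if it already exists
ensure_user() {
    if id "$1" >/dev/null 2>&1; then
        return 0
    fi
    run adduser --disabled-password --gecos "" "$1"
}

# firewall_plan <game-port>: ufw commands in lock-out-safe order. The guide's
# `ufw allow 25565/tcp` does nothing while ufw is inactive, and enabling ufw
# without an SSH rule drops the session you are typing in.
firewall_plan() {
    printf '%s\n' "ufw allow OpenSSH" "ufw allow $1/tcp" "ufw --force enable"
}

apply_firewall() {
    firewall_plan "$1" | while read -r cmd; do
        # word splitting of the planned command line is intended
        run $cmd
    done
}

# install_server <user>: LinuxGSM dependencies, then LinuxGSM and the Minecraft
# server as the unprivileged user (the install step asks you to accept the EULA)
install_server() {
    run apt-get install -y curl wget file tar bzip2 gzip unzip bsdmainutils python3 \
        util-linux ca-certificates binutils bc jq tmux netcat-openbsd lib32gcc-s1 lib32stdc++6
    run su - "$1" -c 'wget -O linuxgsm.sh https://linuxgsm.sh && chmod +x linuxgsm.sh && bash linuxgsm.sh mcserver && ./mcserver install'
}

main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root; the game server itself will run as $USER_NAME" >&2
        return 1
    fi
    ensure_user "$USER_NAME"
    install_server "$USER_NAME"
    apply_firewall "$GAME_PORT"
}

# invoked as `./setup.sh run`; sourcing the file only defines the functions
if [ "${1:-}" = run ]; then
    main
fi
```

`DRY_RUN=1 sh setup.sh run` shows exactly what would be executed, which is worth doing once before running it on a host you can only reach over SSH.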
LinuxGSM makes server management a breeze. Here are the essential commands:
./mcserver stop
./mcserver restart
./mcserver update
Extra: according to ChatGPT 😀
This can also be achieved with a VXLAN setup.
Below is the VXLAN setup (I did not try or experiment with this; it is just here for extra information).
Alright — here’s the VXLAN version of your setup.
VXLAN is nice because it uses UDP (default port 4789), which almost always passes through firewalls/NAT, and it’s still Layer 2 capable like gretap.
Network Recap
Provider A (Debian VM): Public IP 38.248.1.150; /24: 38.248.1.0/24 (lives in Provider A); /24 Gateway: 38.248.1.1
Provider B (Proxmox Node): Public IP 185.17.1.2
Goal: VMs in Provider B keep using their old IPs + gateway over the tunnel
On Provider A (Debian VM)
apt install bridge-utils iproute2
ip link add vxlan100 type vxlan id 100 \
dev eth0 \
remote 185.17.1.2 \
dstport 4789 \
local 38.248.1.150 \
ttl 255
ip link set vxlan100 up mtu 1450
brctl addbr br0
# Enslaving eth0 takes its IP out of service until br0 is up and addressed, so run
# the rest as one command line (or from the provider's console), not line by line
brctl addif br0 eth0 && brctl addif br0 vxlan100 && ip addr flush dev eth0 && ip addr add 38.248.1.150/24 dev br0 && ip link set br0 up && ip route add default via 38.248.1.1
On Provider B (Proxmox Node)
Edit /etc/network/interfaces:
auto vxlan100
iface vxlan100 inet manual
pre-up ip link add vxlan100 type vxlan id 100 \
dev eth0 \
remote 38.248.1.150 \
dstport 4789 \
local 185.17.1.2 \
ttl 255
up ip link set vxlan100 up mtu 1450
post-down ip link del vxlan100
auto vmbr2
iface vmbr2 inet manual
bridge_ports vxlan100
bridge_stp off
bridge_fd 0
! Do not assign the /24 to vmbr2. This bridge is purely for the VMs.
On a Migrated VM in Provider B
Same config as if it were still in Provider A:
IP: 38.248.1.152
Netmask: 255.255.255.0
Gateway: 38.248.1.1
Firewall / Networking Notes
Allow UDP/4789 in both directions (between 38.248.1.150 ↔ 185.17.1.2).
MTU must be reduced to ~1450 (or lower if path MTU is smaller).
Some providers have “anti-MAC spoofing” — if so, you may need to request that they disable it for the VXLAN tunnel endpoints.
Testing
On Provider B:
bridge link show
Should show vxlan100 as a port in vmbr2.
From the migrated VM in Provider B:
ping 38.248.1.1
If it works, you’ve got transparent L2 connectivity over VXLAN.
GRE vs VXLAN Quick Comparison
Feature                    GRE/gretap           VXLAN
Layer 2 capable            gretap only          Yes
Encapsulation              Protocol 47 (GRE)    UDP
Likely to pass firewalls   Lower                Higher
Overhead                   ~24 bytes            ~50 bytes
MTU impact                 Moderate             Slightly more
So as not to mess with the current production system (Proxmox A), I created a new Debian VM in Proxmox A and set up the GRE tunnel between this VM and the new Proxmox B node at Provider B (the new Proxmox node is empty).
Provider A (Debian VM): Public IP 38.248.1.150; /24: 38.248.1.0/24 (in Provider A); /24 Gateway: 38.248.1.1 (Provider A)
Provider B (Proxmox Node): Public IP 185.17.1.2; Gateway: 185.17.1.1
On Provider A (Debian VM)
# Install bridge utils if missing
apt install bridge-utils
# Create gretap tunnel
ip link add gre1 type gretap local 38.248.1.150 remote 185.17.1.2 ttl 255
# Bring tunnel up
ip link set gre1 up mtu 1450
# Create a bridge for the tunnel + upstream NIC (ens18 is the public interface in Provider A)
brctl addbr br0
# Assign Provider A's public IP to the bridge (so the Debian VM still works).
# Enslaving ens18 takes its IP out of service until br0 is up and addressed, so run
# the rest as one command line (or from the console), not line by line
brctl addif br0 ens18 && brctl addif br0 gre1 && ip addr flush dev ens18 && ip addr add 38.248.1.150/24 dev br0 && ip link set br0 up && ip route add default via 38.248.1.1
On Provider B (Proxmox Node)
edit /etc/network/interfaces
auto gre1
iface gre1 inet manual
pre-up ip link add gre1 type gretap local 185.17.1.2 remote 38.248.1.150 ttl 255
up ip link set gre1 up mtu 1450
post-down ip link del gre1
auto vmbr2
iface vmbr2 inet manual
bridge_ports gre1
bridge_stp off
bridge_fd 0
mtu 1476 # see below for extra notes
Save the file and reboot.
Migrate a VM from Provider A to Provider B
Migrated VM network settings: keep everything intact and original.
IMPORTANT NOTE:
Because GRE adds encapsulation overhead, lower the MTU on the Provider B side.
I set the MTU values as below and it seems to be working (may need a bit more tweaking):
Provider B Proxmox node: vmbr2 MTU 1476 (already set in /etc/network/interfaces above)
Provider B migrated VM: on the Proxmox node side, set the VM's net0 network device MTU to 1400
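One thing neither the gretap setup above nor the VXLAN variant before it covers: both tunnels carry raw Ethernet frames with no authentication and no encryption. Anyone who can deliver GRE (IP protocol 47) or UDP/4789 packets to an endpoint with the peer's source address can put frames straight onto br0/vmbr2, and anyone on the path can read the tunnelled traffic (for confidentiality, run the tunnel inside WireGuard or IPsec rather than directly between the public IPs). The script below is an added example, not part of the notes or of the ChatGPT text: it generates an nftables ruleset that accepts tunnel traffic from the configured peer only and counts everything else, plus a probe for finding the MTU that actually fits. It assumes nftables on the endpoint; the interface name ens18, the table name "tunnel" and the IPs from the notes are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original notes or the ChatGPT text above):
# restrict GRE / VXLAN encapsulation to the configured peer, and probe the
# usable MTU across the tunnel. Assumes nftables; interface "ens18" and the
# table name "tunnel" are my own choices.

# tunnel_rules <public-iface> <local-ip> <peer-ip> <gre|vxlan>
# Prints an nftables table: tunnel packets from the peer are accepted, any
# other packet that looks like our tunnel is dropped. Both rules carry counters,
# so a rising drop counter in `nft list ruleset` means someone is probing or
# spoofing the endpoint.
tunnel_rules() {
    iface=$1; local_ip=$2; peer=$3; kind=$4
    case "$kind" in
        gre)   match="ip protocol gre" ;;
        vxlan) match="udp dport 4789" ;;
        *)     echo "unknown tunnel type: $kind" >&2; return 2 ;;
    esac
    cat <<EOF
table inet tunnel {
    chain input {
        type filter hook input priority -10; policy accept;
        # tunnel packets from the peer, addressed to us, are allowed through
        iifname "$iface" ip saddr $peer ip daddr $local_ip $match counter accept
        # anything else that looks like our tunnel is dropped and counted
        iifname "$iface" $match counter drop
    }
}
EOF
}

# ping_payload_for_mtu <mtu>: ICMP payload that exactly fills <mtu> bytes
# (20 bytes IPv4 header + 8 bytes ICMP header)
ping_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# mtu_probe <target> <mtu>: succeeds if an unfragmented packet of <mtu> bytes
# gets through (Linux ping, -M do sets DF); lower the MTU until this passes
mtu_probe() {
    ping -c 1 -W 2 -M do -s "$(ping_payload_for_mtu "$2")" "$1" >/dev/null 2>&1
}

# Usage: tunnel_rules ens18 38.248.1.150 185.17.1.2 gre | nft -f -
#        mtu_probe 38.248.1.1 1450 && echo "1450 fits"
if [ "$#" -eq 4 ]; then
    tunnel_rules "$@"
fi
```

Apply the mirror image on the other endpoint (swap local and peer). Run mtu_probe from the migrated VM against the gateway with decreasing sizes to confirm the 1476/1400 values chosen above instead of guessing.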
EXTRA: Mandatory Tests:
From the migrated VM with IP address 38.248.1.152:
Host                 Loss%  Snt  Last  Avg   Best  Wrst  StDev
1. 38.248.1.1        0.0%   11   1.3   1.2   1.0   1.8   0.2
2. 62.113.192.83     0.0%   11   1.5   1.6   1.2   2.0   0.2
3. 62.113.192.91     0.0%   11   1.1   1.4   1.1   1.8   0.2
4. 80.150.168.241    0.0%   11   2.3   2.2   1.8   2.4   0.2
5. 62.157.248.2      0.0%   11   1.3   1.5   1.3   1.8   0.2
6. 212.156.101.219   0.0%   11   48.0  47.9  47.6  48.1  0.1
7. 81.212.31.191     20.0%  11   48.1  48.2  47.9  48.4  0.2
8. 81.212.247.98     0.0%   11   58.2  58.4  58.1  58.9  0.2
9. 81.212.246.109    0.0%   11   58.9  59.0  58.7  59.2  0.2
10. 195.175.103.254  0.0%   10   56.4  57.8  56.3  68.5  3.8
11. (waiting for reply)
12. 198.68.73.68     0.0%   10   62.1  62.7  60.7  65.0  1.3
From my own office connection to the migrated VM:
Host Loss% Snt Last Avg Best Wrst StDev
1. 192.168.88.1 0.0% 13 0.3 0.3 0.2 0.3 0.0
2. (waiting for reply)
3. 172.25.16.13 0.0% 13 9.3 8.5 7.0 11.5 1.5
4. 195.33.217.229 0.0% 12 13.3 13.3 12.5 15.1 0.7
5. 10.40.174.73 0.0% 12 14.0 13.9 12.3 15.2 0.8
6. (waiting for reply)
7. (waiting for reply)
8. (waiting for reply)
9. 89.221.34.189 0.0% 12 55.8 56.1 51.9 70.1 6.0
10. 62.67.110.46 0.0% 12 79.2 63.0 60.0 79.2 5.2
11. 62.113.192.66 0.0% 12 61.6 61.1 60.2 62.0 0.7
12. 38.248.1.152 0.0% 12 61.4 62.2 60.8 66.7 1.6
NOTE: there are errors in this, be careful!
Pool Related Commands
(Device names such as c0t0d0 are Solaris-style; on Linux use persistent names such as /dev/disk/by-id/... rather than /dev/sdX.)
# zpool create datapool c0t0d0 - Create a basic pool named datapool
# zpool create -f datapool c0t0d0 - Force the creation of a pool
# zpool create -m /data datapool c0t0d0 - Create a pool with a different mount point than the default.
# zpool create datapool raidz c3t0d0 c3t1d0 c3t2d0 - Create RAID-Z vdev pool
# zpool add datapool raidz c4t0d0 c4t1d0 c4t2d0 - Add RAID-Z vdev to pool datapool
# zpool create datapool raidz1 c0t0d0 c0t1d0 c0t2d0 c0t3d0 c0t4d0 c0t5d0 - Create RAID-Z1 pool
# zpool create datapool raidz2 c0t0d0 c0t1d0 c0t2d0 c0t3d0 c0t4d0 c0t5d0 - Create RAID-Z2 pool
# zpool create datapool mirror c0t0d0 c0t5d0 - Mirror c0t0d0 with c0t5d0
# zpool create datapool mirror c0t0d0 c0t5d0 mirror c0t2d0 c0t4d0 - Disk c0t0d0 is mirrored with c0t5d0 and disk c0t2d0 is mirrored with c0t4d0
# zpool add datapool mirror c3t0d0 c3t1d0 - Add new mirrored vdev to datapool
# zpool add datapool spare c1t3d0 - Add spare device c1t3d0 to the datapool
# zpool create -n geekpool c1t3d0 - Do a dry run on pool creation
Show file system info
# zfs list - List all ZFS file systems
# zfs get all datapool - List all properties of a ZFS file system
Mount/Umount Related Commands
# zfs set mountpoint=/data datapool/fs1 - Set the mount point of file system fs1 to /data
# zfs mount datapool/fs1 - Mount file system fs1
# zfs umount datapool/fs1 - Unmount file system fs1
# zfs mount -a - Mount all ZFS file systems
# zfs umount -a - Umount all ZFS file systems
Import/Export Commands
# zpool import - List pools available for import
# zpool import -a - Imports all pools found in the search directories
# zpool import -d <dir> - Search for pools whose block devices are under <dir> instead of the default device directory (e.g. /dev/disk/by-id on Linux)
# zpool import -d /zfs datapool - Search for a pool with block devices created in /zfs
# zpool import oldpool newpool - Import a pool originally named oldpool under new name newpool
# zpool import 3987837483 - Import pool using pool ID
# zpool export datapool - Deport a ZFS pool named datapool
# zpool export -f datapool - Force the unmount and deport of a ZFS pool
Clone Commands
# zfs clone datapool/fs1@10jan2014 datapool/clones/fs1 - Clone an existing snapshot into a new dataset (the target is a dataset name, not a path)
# zfs destroy datapool/clones/fs1 - Destroy the clone (the origin snapshot cannot be destroyed while a clone still depends on it)
Show Pool Information
# zpool status -x - Show status only for pools with errors (prints "all pools are healthy" otherwise)
# zpool status -v datapool - Show individual pool status in verbose mode
# zpool list - Show all the pools
# zpool list -o name,size - Show particular properties of all the pools (here, name and size)
# zpool list -Ho name - Show all pools without headers and columns
File-system/Volume related commands
# zfs create datapool/fs1 - Create file system fs1 under datapool
# zfs create -V 1gb datapool/vol01 - Create a 1 GB volume (block device) in datapool
# zfs destroy -r datapool/fs1 - Destroy fs1 and all datasets under it (the pool itself is removed with zpool destroy, not zfs destroy)
# zfs destroy -fr datapool/data - Destroy file system or volume "data" with all its children and snapshots, forcing unmount
Set ZFS file system properties
# zfs set quota=1G datapool/fs1 - Set a quota of 1 GB on file system fs1
# zfs set reservation=1G datapool/fs1 - Set a reservation of 1 GB on file system fs1
# zfs set mountpoint=legacy datapool/fs1 - Disable ZFS auto-mounting and mount through /etc/vfstab (Solaris) or /etc/fstab (Linux) instead
# zfs set sharenfs=on datapool/fs1 - Share fs1 over NFS
# zfs set compression=on datapool/fs1 - Enable compression on fs1
# zfs set recordsize=<size> pool/dataset - Set the dataset record size (a value like 16k, 128k or 1M)
# zfs get recordsize pool/dataset - Get the dataset record size
ZFS I/O performance
# zpool iostat 2 - Display ZFS I/O Statistics every 2 seconds
# zpool iostat -v 2 - Display detailed ZFS I/O statistics every 2 seconds
ZFS maintenance commands
# zpool scrub datapool - Scrub the pool (verify every block's checksum and repair from redundancy)
# zpool offline -t datapool c0t0d0 - Temporarily offline a disk (until next reboot)
# zpool online datapool c0t0d0 - Bring a disk back online
# zpool clear datapool [c0t0d0] - Clear the error counters of the pool (or of one device) without taking anything offline
Snapshot Commands
# zfs snapshot datapool/fs1@12jan2014 - Create a snapshot named 12jan2014 of the fs1 file system
# zfs list -t snapshot - List snapshots
# zfs rollback -r datapool/fs1@10jan2014 - Roll back to 10jan2014 (-r destroys the snapshots newer than it)
# zfs rollback -Rf datapool/fs1@10jan2014 - Roll back and also destroy clones of the newer snapshots (-R), forcing their unmount (-f)
# zfs destroy datapool/fs1@10jan2014 - Destroy the snapshot created earlier
# zfs send datapool/fs1@oct2013 > /geekpool/fs1/oct2013.bak - Save a ZFS snapshot to a local file
# zfs receive anotherpool/fs1 < /geekpool/fs1/oct2013.bak - Restore from the snapshot file
# zfs send datapool/fs1@oct2013 | zfs receive anotherpool/fs1 - Combine send and receive in one pipeline
# zfs send datapool/fs1@oct2013 | ssh node02 "zfs receive testpool/testfs" - Send the snapshot to the remote system node02
The Dovecot configuration is updated to block non-encrypted connections to the POP and IMAP services.
This change protects the clients from accidentally misconfiguring email applications to not use encrypted connections. The connections from localhost (not going over the network) are still allowed to not use encryption.
Backwards compatibility with insecure mode can be managed with a drop-in Dovecot configuration file. Examples:
# Allow plain-text POP/IMAP connections for Dovecot 2.4:
echo 'auth_allow_cleartext = yes' > /etc/dovecot/conf.d/insecure-auth.conf
systemctl restart dovecot
# Allow plain-text POP/IMAP connections for Dovecot 2.3:
echo 'disable_plaintext_auth = no' > /etc/dovecot/conf.d/insecure-auth.conf
systemctl restart dovecot
# Restore original configuration (secure):
rm -f /etc/dovecot/conf.d/insecure-auth.conf
systemctl restart dovecot
Written for Plesk, but still useful.
Determine the source IP addresses and numbers of the connections:
ss -tan state established | grep ":80\|:443" | awk '{print $4}'| cut -d':' -f1 | sort -n | uniq -c | sort -nr
Find the domains currently under attack (203.0.113.2 stands for the source IP found in the previous step):
for log in /var/www/vhosts/system/*/logs/*access*log; do echo -n "$log "; tail -n10000 "$log" | grep -c 203.0.113.2; done | sort -n -k2
Check the number of connections in SYN_RECV state (possible syn-flood):
ss -tan state syn-recv | wc -l
If there are several IP addresses in Plesk, determine the target IP address under attack:
netstat -lpan | grep SYN_RECV | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
There may be few established connections to the web server while a lot of requests are still being served: nginx accepts them and hands them to Apache, so Apache is the component under attack. To track these requests:
Navigate to /var/www/vhosts/system:
cd /var/www/vhosts/system
Generate a file named requests containing the number of requests each domain received in a given hour:
Note: as an example, 24/Jan/2022:20 is used; the ":20" is the hour, i.e. 8 p.m.
for i in *;do echo -n "$i "; grep '24/Jan/2022:20' $i/logs/access_ssl_log | awk '{print $1}' | wc -l;done > ~/requests
Check the generated file:
cat ~/requests | sort -k 2 -r -n | head
example.com 24549
example.net 18545
test.com 3
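The same triage as the one-liners above, as an added example (not from the Plesk article) that runs over a constructed access log so it can be checked offline: top source IPs, requests in one clock hour (what the per-vhost loop counts), and which paths the suspect IP is hammering. The log lines, dates and IPs are made up; the functions read the log on stdin, so `tail -n10000 .../access_ssl_log | top_sources` is the production form.

```shell
#!/bin/sh
# Added example (not from the Plesk article): the access-log part of the
# triage above, written as functions over stdin and exercised on a constructed
# log. Lines are in the Apache/nginx "combined" format: $1 = client IP,
# $4 = [timestamp, $7 = request path. All addresses and dates are made up.

SAMPLE_LOG='203.0.113.2 - - [24/Jan/2022:20:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "python-requests/2.27"
203.0.113.2 - - [24/Jan/2022:20:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "python-requests/2.27"
198.51.100.7 - - [24/Jan/2022:20:01:05 +0000] "GET / HTTP/1.1" 200 7310 "-" "Mozilla/5.0"
203.0.113.2 - - [24/Jan/2022:20:01:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "python-requests/2.27"
192.0.2.9 - - [24/Jan/2022:20:02:10 +0000] "GET /about HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
203.0.113.2 - - [24/Jan/2022:20:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "python-requests/2.27"
198.51.100.7 - - [24/Jan/2022:20:03:00 +0000] "GET /contact HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
203.0.113.2 - - [24/Jan/2022:19:59:58 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "python-requests/2.27"'

# top_sources: requests per client IP, busiest first, as "count ip"
top_sources() {
    awk '{ print $1 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# hits_in_hour <dd/Mon/yyyy:HH>: requests in one clock hour; the Plesk loop
# runs this per vhost log to find the domain that is being hit
hits_in_hour() {
    grep -c "\[$1:"
}

# top_paths_for_ip <ip>: what the suspect address is requesting, busiest first;
# tells you whether to block the IP, the path (xmlrpc.php, wp-login.php) or both
top_paths_for_ip() {
    awk -v ip="$1" '$1 == ip { print $7 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Demonstration on the constructed log; in production feed the real file:
#   tail -n10000 /var/www/vhosts/system/example.com/logs/access_ssl_log | top_sources
echo "top sources:";        printf '%s\n' "$SAMPLE_LOG" | top_sources
echo "hits 20:00-20:59:";   printf '%s\n' "$SAMPLE_LOG" | hits_in_hour 24/Jan/2022:20
echo "paths for 203.0.113.2:"; printf '%s\n' "$SAMPLE_LOG" | top_paths_for_ip 203.0.113.2
```

Combined with the `ss` counts above this separates a connection flood (many SYN_RECV or established sockets from one address) from a request flood (few sockets, thousands of quickly completed requests in the logs), which need different countermeasures.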
The Exim configuration is updated to not allow users to perform SMTP authentication on TCP port 25. This means email clients will not be able to use port 25 for sending emails. TCP port 25 will be exclusively used for communication between mail servers, and clients will have to use 587 or 465 ports.
The motivation for this change is to completely separate the mail server-to-server (MTA-to-MTA) communications from client-to-server (MUA-to-MTA) communications. This makes it easier to harden the email submission security. For example:
In addition to blocking SMTP authentication on port TCP 25, Exim will no longer allow SMTP authentication over plain-text connections. This change protects the clients from accidentally misconfiguring email applications to not use encrypted connections. Use of encryption is critical because SMTP authentication uses literal user passwords without any hashing. Accessing SMTP over plaintext at least once is enough for the user credentials to be stolen. There is an exception made to allow not using encryption for internal connections over localhost.
This is a big change that might affect servers and clients that relied on authentication always being available. This feature is implemented in a way to allow server administrators to restore the old behaviour in a simple way.
The authentication availability on SMTP ports is controlled by the AUTH_ENABLE_CONDITION macro in the /etc/exim.variables.conf file. The new default policy is:
AUTH_ENABLE_CONDITION = ${if and { {!eq{$interface_port}{25}} { or { {def:tls_in_cipher} {match_ip{$sender_host_address}{<; 127.0.0.1 ; ::1}} } } }}
The policy can be changed by setting it to a different value in the /etc/exim.variables.conf.custom file and rebuilding the Exim configuration with the da build exim_conf command.
Examples:
# Use old (insecure) SMTP authentication policy, authentication always available
sed -i '/^AUTH_ENABLE_CONDITION /d' /etc/exim.variables.conf.custom
echo 'AUTH_ENABLE_CONDITION = yes' >> /etc/exim.variables.conf.custom
da build exim_conf
# Block SMTP authentication on plain-text connections, but allow it to work on all TCP ports
sed -i '/^AUTH_ENABLE_CONDITION /d' /etc/exim.variables.conf.custom
echo 'AUTH_ENABLE_CONDITION = ${if or { {def:tls_in_cipher} {match_ip{$sender_host_address}{<; 127.0.0.1 ; ::1}} }}' >> /etc/exim.variables.conf.custom
da build exim_conf
# Block SMTP authentication on TCP port 25, but allow it on plain-text connections on other ports
sed -i '/^AUTH_ENABLE_CONDITION /d' /etc/exim.variables.conf.custom
echo 'AUTH_ENABLE_CONDITION = ${if !eq{$interface_port}{25}}' >> /etc/exim.variables.conf.custom
da build exim_conf
# Use the new (secure) DirectAdmin SMTP authentication policy
sed -i '/^AUTH_ENABLE_CONDITION /d' /etc/exim.variables.conf.custom
da build exim_conf
Note: It is highly recommended to use the new default SMTP authentication policy. The mechanism to revert to the old policy should only be used temporarily until all the clients are reconfigured to use SMTP submission ports (587 or 465) and encryption.
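A way to confirm from the outside that both changes above (Dovecot refusing cleartext IMAP/POP logins, Exim refusing AUTH on port 25 and on cleartext connections) are really in effect, added here as an example that is not part of the DirectAdmin notes. The parsing functions take a captured server response on stdin and are exercised on constructed responses; the probe_* functions do the real network calls with openssl s_client and nc (netcat-openbsd assumed). mail.example.com is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the DirectAdmin change notes): verify from a
# client that a mail host offers authentication only where the new policy
# allows it. Parsing functions read a server response on stdin; probe_*
# functions fetch one over the network (openssl s_client, netcat-openbsd).
# The host name mail.example.com is a placeholder.

# smtp_offers_auth: succeed if an EHLO response advertises AUTH.
# Expected: false on port 25 and on cleartext 587, true on 587 after STARTTLS and on 465.
smtp_offers_auth() {
    grep -q '^250[- ]AUTH'
}

# imap_allows_cleartext_login: succeed if the IMAP greeting/CAPABILITY does not
# carry LOGINDISABLED. In IMAP4rev1 the LOGIN command is permitted unless the
# server advertises LOGINDISABLED, which Dovecot does once cleartext auth is off.
imap_allows_cleartext_login() {
    ! grep -q 'LOGINDISABLED'
}

# probe_smtp_cleartext <host> <port>: EHLO over a plain TCP connection
probe_smtp_cleartext() {
    { printf 'EHLO probe.example.com\r\nQUIT\r\n'; sleep 2; } | nc -w 5 "$1" "$2"
}

# probe_smtp_tls <host> <port>: EHLO after STARTTLS (or over implicit TLS on 465)
probe_smtp_tls() {
    if [ "$2" = 465 ]; then mode=""; else mode="-starttls smtp"; fi
    # $mode is unquoted on purpose so it splits into two arguments
    printf 'EHLO probe.example.com\r\nQUIT\r\n' | openssl s_client -quiet $mode -connect "$1:$2" 2>/dev/null
}

# probe_imap_cleartext <host>: the greeting and CAPABILITY response on port 143
probe_imap_cleartext() {
    { printf 'a1 CAPABILITY\r\na2 LOGOUT\r\n'; sleep 2; } | nc -w 5 "$1" 143
}

# audit_mail_host <host>: one verdict per check; needs network access
audit_mail_host() {
    host=$1
    for p in 25 587; do
        if probe_smtp_cleartext "$host" "$p" | smtp_offers_auth; then
            echo "FAIL: AUTH offered on cleartext port $p"
        else
            echo "ok:   no AUTH on cleartext port $p"
        fi
    done
    if probe_smtp_tls "$host" 587 | smtp_offers_auth; then
        echo "ok:   AUTH offered on 587 after STARTTLS"
    else
        echo "FAIL: no AUTH on 587 even after STARTTLS (clients cannot submit)"
    fi
    if probe_imap_cleartext "$host" | imap_allows_cleartext_login; then
        echo "FAIL: IMAP LOGIN allowed on cleartext port 143"
    else
        echo "ok:   IMAP cleartext login disabled"
    fi
}

# Usage: sh mail-auth-check.sh mail.example.com
if [ "$#" -eq 1 ]; then
    audit_mail_host "$1"
fi
```

Run it from a host other than the server itself: the localhost exception in both policies means a check from 127.0.0.1 will always report AUTH available and prove nothing.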