How to Add Firewall Service to Vultr Instance

Vultr has announced a firewall service, so it is time to switch off the system's built-in firewall. In this tutorial I will walk you through adding the firewall service to your Vultr instances step by step.

Before the details, here is an overview of the steps. First, add a firewall group. Second, add firewall rules to the firewall group. Third, link instances to this firewall group.

Add a firewall group

Navigate to Servers–>Firewall, click Add Firewall Group, then fill in the blank with a firewall description.

Add vultr firewall group

Add firewall description

Add rules

The Vultr firewall service supports the ICMP, TCP, UDP and GRE protocols. ICMP is the protocol used by ping; if you want others to be able to ping your Vultr instances, add a rule that accepts ICMP packets. TCP and UDP are the two most commonly used protocols. Here is a list of services with the protocols and ports whose packets you may want to accept:

  • HTTP: TCP 80
  • HTTPS: TCP 443
  • SSH: TCP 22
  • FTP: TCP 21, 20
  • MySQL: TCP 3306

You can filter packets by source; 0.0.0.0/0 accepts packets from anywhere. If you want to allow SSH connections from a specific IP address and reject all other sources, choose Custom and fill in the blank next to Source with an IP address and subnet mask in CIDR form. For example, to accept SSH access only from 11.22.33.44, fill in 11.22.33.44/32.

There is a cross sign and a trash-bin icon on the right: click the cross sign to add a rule, and click the trash-bin icon to remove one.

Add firewall rules
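To make the source-filter semantics concrete, here is an added example (not from the original post and not Vultr's code) that models the rule set above in Python: accept-only rules with an implicit drop for anything unmatched, the 11.22.33.44/32 versus 0.0.0.0/0 distinction checked with the standard ipaddress module, and a small audit that flags administrative ports left open to the whole Internet. The Rule and Packet classes and the wide_open_admin_rules check are constructs of this example, not features of the Vultr product.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Toy model of a Vultr-style firewall group (constructed for this example, not
# Vultr's own code): every rule is an accept rule, and a packet that matches no
# rule is dropped (default deny).

@dataclass(frozen=True)
class Rule:
    protocol: str            # "tcp", "udp", "icmp" or "gre"
    port: Optional[int]      # None for protocols without ports (icmp, gre)
    source: str              # source in CIDR form; "0.0.0.0/0" means anywhere

@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: Optional[int]
    src_ip: str

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet's protocol, destination port and source fit the rule."""
    if rule.protocol != pkt.protocol:
        return False
    if rule.port is not None and rule.port != pkt.dst_port:
        return False
    # strict=False lets a source such as 11.22.33.44/24 parse even though host bits are set
    return ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.source, strict=False)

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching accept rule wins; a packet matching nothing is dropped."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return "accept"
    return "drop"

ADMIN_PORTS = {22: "SSH", 3306: "MySQL"}

def wide_open_admin_rules(rules: List[Rule]) -> List[Rule]:
    """Return rules that accept an administrative port from anywhere (0.0.0.0/0)."""
    return [
        r for r in rules
        if r.protocol == "tcp" and r.port in ADMIN_PORTS
        and ipaddress.ip_network(r.source, strict=False).prefixlen == 0
    ]

# The rule set from the post: web ports and ping from anywhere,
# SSH only from the example address 11.22.33.44.
GROUP = [
    Rule("tcp", 80, "0.0.0.0/0"),
    Rule("tcp", 443, "0.0.0.0/0"),
    Rule("tcp", 22, "11.22.33.44/32"),
    Rule("icmp", None, "0.0.0.0/0"),
]

if __name__ == "__main__":
    # Constructed sample packets
    for pkt in [
        Packet("tcp", 22, "11.22.33.44"),    # the allowed admin address
        Packet("tcp", 22, "11.22.33.45"),    # neighbouring address, outside the /32
        Packet("tcp", 3306, "203.0.113.9"),  # MySQL has no rule at all
        Packet("icmp", None, "198.51.100.7"),
    ]:
        print(pkt, "->", evaluate(GROUP, pkt))
    print("admin ports open to the world:", wide_open_admin_rules(GROUP))
```

The audit is the check worth running before linking a group: a MySQL rule with source 0.0.0.0/0 is almost never intended and is better limited to the address of the server that actually connects to the database.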

Link to instances

Congrats, you are almost done; only one step is left. Choose the instance you want to link and click the cross sign on the right. Within 120 seconds the firewall becomes active for that instance.

To unlink an instance, click the unlink sign on the right of that linked instance. This also takes less than 120 seconds to take effect.

unlink vultr instances

Performance Benchmark of Vultr $2.5 plan

Vultr announced a $2.5 per month plan about a week ago, and I was wondering how it performs at such a low price. Here is a basic performance test of this VPS hosting plan, covering basic hardware information, an I/O test, a network speed test and a Unixbench test.

The performance test was run on the following environment:

  • CPU: 1 core
  • Memory: 512MB
  • Storage: 20GB of SSD
  • OS: CentOS 6.8
  • Data center: Silicon Valley

Before showing the test results, I should point out that results may vary between data center regions and between server nodes. Even on the same node, results may be affected by other users, especially bad neighbors, and they vary from time to time.

Basic test

I used the shell script from bench.sh; this test shows basic information about the VPS environment, I/O results and network speed results. From the screenshot below, I found that the network connection is at least a 1Gbps port, which was not disclosed on the pricing page.

basic information about the VPS

CPU and Memory information

The above test only shows brief information about the CPU and memory; we can use Linux commands to get the detailed information.

Here is a screenshot of running the command cat /proc/cpuinfo.

cpu information

Here is a screenshot of running the command cat /proc/meminfo.

memory information
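As an added example (not from the original post), here is a small Python parser for the two files shown in the screenshots, run over constructed sample contents in the same format. It reduces /proc/cpuinfo to core count, model and clock and /proc/meminfo to totals in MB, which is the quickest way to compare what a plan advertises with what the guest actually sees; the sample values are made up for the example and are not readings from a Vultr instance.

```python
import re
from typing import Dict, Optional

# Constructed sample in the format of /proc/cpuinfo for a one-core x86 guest;
# not captured from a real Vultr instance.
CPUINFO_SAMPLE = """processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 63
model name\t: Virtual CPU (constructed sample)
cpu MHz\t\t: 2399.998
cache size\t: 4096 KB
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep hypervisor
"""

# Constructed sample in the format of /proc/meminfo (values in kB, as the kernel reports them).
MEMINFO_SAMPLE = """MemTotal:         502144 kB
MemFree:          321912 kB
Buffers:           12836 kB
Cached:            84120 kB
Active(anon):      60200 kB
SwapTotal:             0 kB
SwapFree:              0 kB
"""

def parse_cpuinfo(text: str) -> Dict[str, object]:
    """Split /proc/cpuinfo into one dict per processor block and summarise."""
    cpus, current = [], {}
    for line in text.splitlines():
        if not line.strip():                # a blank line ends a processor block
            if current:
                cpus.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    first = cpus[0] if cpus else {}
    mhz: Optional[float] = float(first["cpu MHz"]) if "cpu MHz" in first else None
    return {
        "cores": len(cpus),
        "model": first.get("model name", "unknown"),
        "mhz": mhz,
        "flags": first.get("flags", "").split(),
    }

def parse_meminfo(text: str) -> Dict[str, int]:
    """Return every /proc/meminfo counter as an int in kB (keys such as MemTotal)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([\w()]+):\s+(\d+)(?:\s+kB)?$", line)
        if m:
            fields[m.group(1)] = int(m.group(2))
    return fields

def summarize(cpuinfo_text: str, meminfo_text: str) -> Dict[str, object]:
    """Condense both files to the numbers a plan page advertises: cores and memory in MB."""
    cpu = parse_cpuinfo(cpuinfo_text)
    mem = parse_meminfo(meminfo_text)
    return {
        "cores": cpu["cores"],
        "model": cpu["model"],
        "mem_total_mb": mem["MemTotal"] // 1024,
        "mem_free_mb": mem["MemFree"] // 1024,
        "swap_total_mb": mem.get("SwapTotal", 0) // 1024,
    }

if __name__ == "__main__":
    print(summarize(CPUINFO_SAMPLE, MEMINFO_SAMPLE))
    # On a real Linux host the same parsers run over the live files:
    # with open("/proc/cpuinfo") as c, open("/proc/meminfo") as m:
    #     print(summarize(c.read(), m.read()))
```

MemTotal is always a little below the advertised size because the kernel reserves memory for itself before the figure is reported, so a 512MB plan showing roughly 490MB is normal rather than a sign of a short allocation.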

Unixbench

Unixbench is a popular server benchmarking tool. The results depend not only on the hardware but also on the operating system, libraries and even the compiler. We don't need to understand the complex algorithms inside the program; we just need to know whether the index score is above 1000. If it is, the performance is not bad. Vultr's final index score is 1337, so the performance is not bad.

unixbench benchmark vultr

Conclusion

According to the above test results, Vultr's $2.5 plan is worth buying; the results are better than I expected. Several hours later I deployed another instance on the $5 plan, and its benchmark results were more or less the same even though the price is doubled.

Traffic Monitor: vnStat

vnStat is a console-based network traffic monitor for Linux and BSD that keeps a log of network traffic for the selected interface(s). It uses the network interface statistics provided by the kernel as its information source. This means that vnStat won't actually sniff any traffic, which also ensures light use of system resources.

Installation

It's easy to install vnStat: just run the following command in your console (on CentOS), and that's all you need to do.

yum -y install vnstat

Create vnStat database

Before creating the vnStat database, decide which network interface you want to monitor; here we take eth0 as an example.

vnstat -u -i eth0

That's it: vnStat is now gathering traffic information for you, both received and transmitted.
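As an added example (not part of the original post or of vnStat itself), the following Python reads the same kernel counters that vnStat relies on, from two constructed snapshots in the /proc/net/dev format, and computes the bytes received and transmitted on an interface in between. It also handles the one edge case such counters have, a 32-bit wrap-around, and it illustrates why a freshly created database has nothing to show until a second sample has been taken.

```python
from typing import Dict

# Two constructed snapshots in the format of /proc/net/dev (the kernel counters
# vnStat reads); not captured from a real machine. The first two lines are headers.
SNAPSHOT_BEFORE = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345      67    0    0    0     0          0         0    12345      67    0    0    0     0       0          0
  eth0: 1048576    1024    0    0    0     0          0         0   524288     512    0    0    0     0       0          0
"""

SNAPSHOT_AFTER = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345      67    0    0    0     0          0         0    12345      67    0    0    0     0       0          0
  eth0: 3145728    3072    0    0    0     0          0         0  1572864    1536    0    0    0     0       0          0
"""

COUNTER_WRAP = 2 ** 32   # 32-bit kernels wrap byte counters at this value

def parse_proc_net_dev(text: str) -> Dict[str, Dict[str, int]]:
    """Return {interface: {"rx_bytes": n, "tx_bytes": n}} from /proc/net/dev text."""
    stats = {}
    for line in text.splitlines()[2:]:     # skip the two header lines
        if ":" not in line:
            continue
        iface, _, rest = line.partition(":")
        fields = rest.split()
        # The eight receive columns come first, so transmit bytes is the ninth field.
        stats[iface.strip()] = {"rx_bytes": int(fields[0]), "tx_bytes": int(fields[8])}
    return stats

def counter_delta(before: int, after: int) -> int:
    """Difference between two readings, correcting a single 32-bit wrap-around."""
    delta = after - before
    return delta if delta >= 0 else delta + COUNTER_WRAP

def traffic_between(before_text: str, after_text: str, iface: str) -> Dict[str, int]:
    """Bytes received and transmitted on iface between two snapshots."""
    before = parse_proc_net_dev(before_text)[iface]
    after = parse_proc_net_dev(after_text)[iface]
    return {
        "rx_bytes": counter_delta(before["rx_bytes"], after["rx_bytes"]),
        "tx_bytes": counter_delta(before["tx_bytes"], after["tx_bytes"]),
    }

def mib(n: int) -> float:
    """Bytes to MiB, rounded for display."""
    return round(n / (1024 * 1024), 2)

if __name__ == "__main__":
    delta = traffic_between(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, "eth0")
    print(f"eth0: rx {mib(delta['rx_bytes'])} MiB, tx {mib(delta['tx_bytes'])} MiB")
    # Live use: read /proc/net/dev twice, a few seconds apart, and diff the two texts.
```

Because everything is computed from two counter readings, a single snapshot tells you nothing about traffic volume; that is exactly the situation behind the "Not enough data available yet" message discussed in the troubleshooting section below.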

Command Manual

vnstat -h Show traffic statistics on an hourly basis for the last 24 hours.

vnstat -d Show traffic statistics on a daily basis for the last 30 days.

vnstat -m Show traffic statistics on a monthly basis for the last 12 months.

vnstat -l Display the current transfer rate for the selected interface in real time until interrupted. Statistics are shown after interruption if the runtime was more than 10 seconds.

The commands above are the commonly used ones; for the full manual, take a look at the official manual page.

Troubleshooting

If you encounter the error “eth0: Not enough data available yet.”, make sure vnStat is running. Here is the command to check its status:

/etc/init.d/vnstat status

If it is not running, run the following command and you will be able to get traffic information within 5 minutes.

/etc/init.d/vnstat start

Vultr add Firewall to Feature List

I am very glad that Vultr has added a Firewall service to its feature list; this was the most wanted feature after the backup service, which has already been announced. Compared to the system's built-in firewall, it has some advantages:

  1. It reduces the resource usage of the instance, because packet filtering takes place at a higher level on the network.
  2. The Vultr firewall is managed through the Vultr control panel, which is much more straightforward than the Linux built-in firewall service configured from the command line.
  3. A Vultr firewall group can be applied to multiple instances, which is a real time-saver.

The Vultr firewall is flexible and easy to use. First, create a firewall group. Second, add the desired rules to the firewall group. Third, apply the firewall group to a server.

Before you apply the firewall to instances, you should know the difference between the Vultr Firewall and Vultr's DDoS protection service. The Vultr Firewall is designed to enhance security, while DDoS protection is designed to block large volumes of traffic based on proprietary detection algorithms. The Vultr Firewall may be a little helpful against such traffic in certain circumstances, because it can be used to block certain IP protocols or source IPs by rule.

It's time to switch off the system's built-in firewall and enjoy the convenience of Vultr's web-based firewall service.

Vultr Upgraded All Plans and Announced $2.5 Instance

Vultr has just upgraded all plans and announced a $2.5 per month plan, which comes with 1 CPU core, 512MB of memory, 20GB of SSD storage and 500GB of data transfer. Would you agree with me that Vultr is fighting back against Linode, which upgraded its plans two weeks ago?

This is a price list of upgraded plans:

How to upgrade for existing customers?

Navigate to settings–>change plan and select the plan you want; please note that downgrading is not supported. Here is a screenshot of how to upgrade a plan.

Enjoy Vultr.

Virtualization Type Detector: Virt-What

Virt-What is a shell script that detects what type of virtualization your virtual machine is running under. Virt-what supports a very large number of hypervisor types, such as Xen, KVM, OpenVZ, VMware and many more.

It is easy to run: just type virt-what into the terminal. Here is a screenshot of the output on a Vultr instance.

If nothing is printed and the script exits with code 0 (no error), it can mean either that the program is running on bare metal or that it is running inside a type of virtual machine which we don't know about or cannot detect.

Virt-what is already packaged in common Linux distributions; you can also compile it from source.

wget https://people.redhat.com/~rjones/virt-what/files/virt-what-1.15.tar.gz
tar -zxvf virt-what-1.15.tar.gz
cd virt-what-1.15
./configure
make && make install

Virt-what is a small but useful tool; it can help you find out which virtualization type is in use when the provider has not disclosed it.
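As an added example (this is not the virt-what script itself), here is a simplified Python re-implementation of the idea behind such a detector: look for a hypervisor vendor string in the DMI tables under /sys/class/dmi/id/ and for the hypervisor flag the kernel exposes in /proc/cpuinfo, and report nothing when neither says anything, mirroring the empty output described above. The DMI signature table and the "hypervisor-unknown" label are assumptions of this example rather than virt-what's own logic, and the sample inputs are constructed.

```python
from typing import Dict, List

# Constructed sample inputs in the format of the sources a virt-what-style check
# consults: the flags line of /proc/cpuinfo and a few /sys/class/dmi/id/* strings.
SAMPLE_FLAGS_KVM = "fpu vme de pse tsc msr pae mce cx8 apic sep hypervisor"
SAMPLE_DMI_KVM = {"sys_vendor": "QEMU", "product_name": "Standard PC (constructed sample)"}

SAMPLE_FLAGS_BARE = "fpu vme de pse tsc msr pae mce cx8 apic sep"
SAMPLE_DMI_BARE = {"sys_vendor": "Example Hardware Co.", "product_name": "Rack Server (constructed sample)"}

# Assumed, simplified signature table for this example: a substring seen in the
# DMI vendor/product strings and the hypervisor name to report for it. The table
# is ours, not virt-what's; it only covers a few common vendors.
DMI_SIGNATURES = [
    ("VMware", "vmware"),
    ("QEMU", "kvm"),
    ("Xen", "xen"),
    ("innotek", "virtualbox"),
]

def detect_virt(cpuinfo_flags: str, dmi: Dict[str, str]) -> List[str]:
    """Return the hypervisor names detected, or [] when nothing points at a VM.

    An empty list mirrors virt-what's empty output: either bare metal or a
    hypervisor this simplified check does not recognise.
    """
    found = []
    haystack = " ".join(dmi.get(k, "") for k in ("sys_vendor", "product_name", "bios_vendor")).lower()
    for needle, name in DMI_SIGNATURES:
        if needle.lower() in haystack:
            found.append(name)
    # The CPUID "hypervisor" bit is exposed by the kernel as a cpuinfo flag. When it
    # is set but no DMI string is recognised we still know some hypervisor is present;
    # "hypervisor-unknown" is a label invented for this example, not a virt-what fact.
    if "hypervisor" in cpuinfo_flags.split() and not found:
        found.append("hypervisor-unknown")
    return found

def read_live() -> List[str]:
    """Run the same check against the real files on a Linux host."""
    flags = ""
    with open("/proc/cpuinfo") as f:
        for line in f:
            if line.startswith("flags"):
                flags = line.partition(":")[2]
                break
    dmi = {}
    for key in ("sys_vendor", "product_name", "bios_vendor"):
        try:
            with open(f"/sys/class/dmi/id/{key}") as f:
                dmi[key] = f.read().strip()
        except OSError:          # file absent or unreadable without root
            pass
    return detect_virt(flags, dmi)

if __name__ == "__main__":
    print("kvm sample :", detect_virt(SAMPLE_FLAGS_KVM, SAMPLE_DMI_KVM))
    print("bare sample:", detect_virt(SAMPLE_FLAGS_BARE, SAMPLE_DMI_BARE))
```

The two sources deliberately cross-check each other: DMI strings can be rewritten by the host operator, while the cpuinfo flag is set by the CPU whenever a hypervisor is present, so a machine whose DMI claims physical hardware but whose flags include hypervisor is still reported as virtualized.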

Cloudflare Parser Bug Caused Information Leak

Cloudflare has published a blog post about an incident that happened recently. If you are, or used to be, a Cloudflare customer, you should pay attention to the official announcements and change your administrator and customer passwords if necessary. The bug was found by Tavis Ormandy of Google Project Zero.

According to the official blog, in some unusual circumstances Cloudflare's edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies and other sensitive data. Most importantly, some of that data had been cached by search engines. Before the announcement, the Cloudflare team worked with the search engines to scrub those caches.

Cloudflare has not provided an official list of affected domains; here is an unofficial list of domains that may have been affected. As I said, it is unofficial: not every domain in the list has necessarily been compromised, and domains that were compromised may be missing from it.

Let's keep an eye on the incident and stay tuned for the official resolution.