
How to Reduce Abuse Complaints When Running a Proxy or VPN Service

Running a VPN or proxy service on a server carries several risks. As the owner of the IP address, you are responsible for any abuse or illegal activity your users conduct through your service. To protect yourself from this, you need to take proactive measures to protect your reputation.

Strict Mode: Whitelisting

One way to make sure your server is not being abused is to allow only certain activities. This approach, called whitelisting, doesn’t fully prevent abuse: your users can still attack other people and get your server suspended. However, it makes abuse a lot harder, and it’s very likely to drive abusers away from your service (and, unfortunately, some legitimate users as well).

What we’re proposing here is to drop all incoming and outgoing packets from your server except the ones that are absolutely needed. Here’s how you can do this.

The only thing you need to consider before following the guide is that you shouldn’t have any other firewalls enabled on your server. Although this guide covers the process on Ubuntu, you don’t need to have it as your OS. The logic of the process is the same for other OSs as well.

1. Installing UFW

First, you need to install UFW.

sudo apt install ufw

2. Blocking all incoming and outgoing connections

Make sure you disable UFW because the following commands may interrupt your connection to your server:

sudo ufw disable

The commands below drop every packet that tries to enter or exit your server. Later, we’ll allow only the connections that our users need:

sudo ufw default deny incoming
sudo ufw default deny outgoing

3. Allowing yourself to connect to your server

Now we’ll allow incoming connections to port 22, which is the port used for establishing SSH connections (although it’s always a good idea to change your SSH port to something else):

sudo ufw allow in 22/tcp comment "Allows me to SSH to my server"

While outgoing connections are already blocked, we’ll specifically block all outgoing packets that have port 22 as their destination (in case you change the default policy in the future). This will make both you and your users unable to connect to other servers using SSH on port 22. While it sounds troublesome, it’ll actually resolve one of the most common complaints that result in your server’s suspension. By using this command, no user will be able to perform SSH brute force attacks from your server:

sudo ufw deny out 22/tcp comment "Stops SSH brute force"

After allowing incoming connections to port 22, you can enable your firewall without being disconnected from your server:

sudo ufw enable

If by any chance you’re disconnected from your server, you could use VNC to gain access to your server again and disable your firewall.

4. Allowing your users to connect to your server to get proxy/VPN services

Clearly, your users need to connect to and use your server’s proxy services, and dropping all incoming connections makes this impossible for them. So we need to allow the proxy/VPN ports the users connect to. For example, let’s say we want to allow users to connect to port 1194, which is usually used for OpenVPN. To do so, type the following command:

sudo ufw allow in 1194/tcp comment "OpenVPN port for users"

Or, if you’re running OpenVPN over UDP:

sudo ufw allow in 1194/udp comment "OpenVPN port for users"

The logic is the same for other VPN and proxy servers as well, just find out which port your users need to connect to and allow incoming connections to it.

Now, your users can connect to your server and to the VPN, but they won’t be able to make any connections to the outside world. This is the exact purpose of whitelisting: users won’t be able to connect to any ports unless we allow them to. Doing this minimizes the chance of getting abuse reports.

5. Allowing your users to visit websites and use applications

Now we will allow outgoing traffic to the ports used to browse the web and make API calls to web servers. To do so, allow TCP port 80 and TCP port 443. Allowing UDP port 443 as well lets your users make HTTP/3 connections:

sudo ufw allow out 80/tcp comment "HTTP connections"
sudo ufw allow out 443 comment "HTTPS and HTTP3 connections"

6. Allowing different services on a need basis

Usually, opening ports 80 and 443 is enough, but to get the full functionality of certain applications or software, you may need to allow your users to use other ports as well.

You are generally advised to do your own research and only allow ports if they’re absolutely required. Each major application publishes networking documentation with information for network administrators like you. In these documents, you can find the ports the application uses and whitelist them as well. We’ll list a few popular ones as examples.

WhatsApp (No video or voice call):

sudo ufw allow out 443/tcp comment "WhatsApp"
sudo ufw allow out 5222/tcp comment "WhatsApp"

Git:

sudo ufw allow out 9418/tcp comment "Git"

Some services, like Discord, Zoom, or WhatsApp voice and video calls, require a wide range of UDP ports; you may open these at your own discretion.
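As an added example (not part of the original article), the whole strict-mode procedure from steps 2 to 6 as one script: it generates the rule set for the port and protocol your users connect on (1194/udp is assumed as the default), applies it with sudo only when run with "apply", and checks `ufw status verbose` output for the two settings that matter most. The "apply"/"check" arguments and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: strict-mode (whitelist)
# rule set of steps 2-6 for a chosen VPN port/protocol, plus a checker.
set -eu

# Emit the ufw commands in the order the article uses: default policies first,
# then the inbound SSH allow, so `ufw enable` does not cut the admin session.
# $1 = port your users connect to (assumed 1194), $2 = tcp or udp.
whitelist_rules() {
  local vpn_port="$1" vpn_proto="$2"
  cat <<EOF
ufw default deny incoming
ufw default deny outgoing
ufw allow in 22/tcp comment "Allows me to SSH to my server"
ufw deny out 22/tcp comment "Stops SSH brute force"
ufw allow in ${vpn_port}/${vpn_proto} comment "VPN port for users"
ufw allow out 80/tcp comment "HTTP connections"
ufw allow out 443 comment "HTTPS and HTTP3 connections"
EOF
}

# Run the rules with sudo, disabling ufw first as the article recommends and
# enabling it only after the inbound SSH rule is in place.
apply_whitelist() {
  sudo ufw disable
  whitelist_rules "$1" "$2" | while IFS= read -r cmd; do eval "sudo $cmd"; done
  sudo ufw enable
}

# Read `ufw status verbose` output on stdin; succeed only if both default
# policies are deny and outbound 22/tcp is explicitly denied.
check_strict_mode() {
  local status
  status="$(cat)"
  printf '%s\n' "$status" | grep -qF 'Default: deny (incoming), deny (outgoing)' || return 1
  printf '%s\n' "$status" | grep -Eq '^22/tcp[[:space:]]+DENY OUT' || return 1
}

if [ "${1:-}" = "apply" ]; then
  apply_whitelist "${2:-1194}" "${3:-udp}"
elif [ "${1:-}" = "check" ]; then
  sudo ufw status verbose | check_strict_mode && echo "strict mode OK"
fi
```

These rules govern traffic the server itself originates (proxies and the VPN daemon); packets forwarded on behalf of routed VPN clients are handled by ufw's routed policy and `ufw route` rules instead, which this article does not cover.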

Lenient Mode: Blacklisting

In whitelisting, you block everything and allow specific ports. In blacklisting, you allow everything and block specific ports.

1. Installing UFW

First, you need to install UFW.

sudo apt install ufw

2. Blocking the incoming connections

Make sure you disable UFW because the following commands may interrupt your connection to your server:

sudo ufw disable

It makes sense to block all incoming connections unless we serve specific services. So let’s reject all incoming traffic:

sudo ufw default deny incoming

Note that this time you’re not blocking all outgoing connections. This allows your users to connect to any port they’d like. This is not advisable unless you absolutely trust your users.

3. Allowing yourself to connect to your server

Now we will allow incoming connections to port 22, which is the port used for establishing SSH connections to your server (although it is always a good idea to change your SSH port to something else):

sudo ufw allow in 22/tcp comment "Allows me to SSH to my server"

If you want to block the outgoing SSH port to avoid SSH brute-force abuse reports, you can use the following command:

sudo ufw deny out 22/tcp comment "Block Outgoing SSH"

4. Block BitTorrent

Using the same logic, you need to block ports that are used for BitTorrent. However, since there are multiple ports for this, you need to do your research and block public tracker IPs as well as the ports that are normally used for BitTorrent.

If you have any questions, don’t hesitate to contact us by submitting a ticket.

© 2008-2024 Cloudzy. All rights reserved.