Show Categories
Categories
How to Reduce Abuse Complaints When Running a Proxy or VPN Service
Running a VPN or proxy service on a server can have several risks. As the owner of the IP, your users are responsible for any abuse or illegal activity conducted through your service. To protect yourself from this issue, you need to take proactive measures to protect your reputation.
Strict Mode: Whitelisting
One way to make sure your server is not being abused is to only allow certain activities. This approach which is called whitelisting, doesn’t fully prevent abuse; your users can still attack other people and result in your server’s suspension. However, it can make the abuse process a lot harder, and it’s very likely to drive away abusers from your services (and, unfortunately, some legitimate users as well).
What we’re proposing here is to drop all incoming and outgoing packets from your server except the ones that are absolutely needed. Here’s how you can do this.
The only thing you need to consider before following the guide is that you shouldn’t have any other firewalls enabled on your server. Although this guide covers the process on Ubuntu, you don’t need to have it as your OS. The logic of the process is the same for other OSs as well.
1. Installing UFW
First, you need to install UFW.
2. Blocking all incoming and outgoing connections
Make sure you disable UFW because the following commands may interrupt your connection to your server:
the commands below will basically drop every packet that tries to enter or exit your server. later, we’ll only allow the connections that our users need:
3. Allowing yourself to connect to your server
Now we’ll allow incoming connections to port 22, which is the port used for establishing SSH connections. Although it’s always a good idea to change your SSH port to something else:
While outgoing connections are already blocked, we’ll specifically block all outgoing packets that have port 22 as their destination (in case you change the default policy in the future). This will make both you and your users unable to connect to other servers using SSH on port 22. While it sounds troublesome, it’ll actually resolve one of the most common complaints that result in your server’s suspension. By using this command, no user will be able to perform SSH brute force attacks from your server:
After allowing incoming connections to port 22, you can enable your firewall without being disconnected from your server:
If by any chance you’re disconnected from your server, you could use VNC to gain access to your server again and disable your firewall.
4. Allowing your users to connect to your server to get proxy/VPN services
Clearly, your users need to connect to and use your server’s proxy services. Dropping all incoming connections makes this impossible for them. So, we need to allow the proxy/VPN ports used by the users for example, let’s say we want to allow users to connect to port 1194, which is usually used for OpenVPN. To do so, type the following command:
Or, if you’re running OpenVPN over UDP:
The logic is the same for other VPN and proxy servers as well, just find out which port your users need to connect to and allow incoming connections to it.
Now, your users can connect to your server and to the VPN, but they won’t be able to make any connections to the outside world. This is the exact purpose of whitelisting: users won’t be able to connect to any ports unless we allow them to. Doing this minimizes the chance of getting abuse reports.
5. Allowing your users to visit websites and use applications
Now we will allow outgoing traffic to ports that are used to browse the web, and make API calls on web servers. To do so, you should allow the TCP port 80 and the TCP port 443. Allowing UDP port 443 as well will enable your users to make HTTP3 connections:
6. Allowing different services on a need basis
Usually, opening ports 80 and 443 is enough, but to get the full functionality of certain applications or software, you may need to allow your users to use other ports as well.
You are generally advised to do your own research and only allow ports if they’re absolutely required. Each major application has a networking documentation with information for network administrators like you. In these documents, you can find the ports that the applications use and whitelist them as well. We’ll list a few popular ones as examples.
WhatsApp (No video or voice call):
Git:
Some services like Discord, Zoom, or WhatsApp voice and video calls require a wide range of UDP ports, you may open these at your own discretion.
Lenient Mode: Blacklisting
In whitelisting, you block everything and allow specific ports. In blacklisting, you allow everything and block specific ports.
1. Installing UFW
First, you need to install UFW
2. Blocking the incoming connections
Make sure you disable UFW because the following commands may interrupt your connection to your server:
It makes sense to block all incoming connections unless we serve specific services. So let’s reject all incoming traffic:
Note that this time you’re not blocking all outgoing connections. This allows your users to connect to any port they’d like. This is not advisable unless you absolutely trust your users.
3. Allowing yourself to connect to your server
Now we will allow incoming connections to port 22, which is the port used for establishing SSH connections to your server. Although it is always a good idea to change your SSH port to something else:
If you want to Block SSH port to avoid SSH brute force abuse reports, you can use the following command:
4. Block BitTorrent
Using the same logic, you need to block ports that are used for BitTorrent. However, since there are multiple ports for this, you need to do your research and block public tracker IPs as well as the ports that are normally used for BitTorrent.
If you have any questions, don’t hesitate to contact us by submitting a ticket.
Operating Systems
Locations
Resources
