How to Protect a Server: 6 Practical Methods

A DDoS attack (Distributed Denial of Service) aims to overwhelm a network with excessive traffic, reducing its performance or causing a complete outage. This is reflected in the term "denial-of-service" (refusal of service). The frequency and intensity of DDoS attacks have been rising rapidly. A report by Cloudflare noted that in 2021, the number of attacks grew by one-third compared to 2020, with a peak in activity observed in December. The duration of a DDoS attack can vary. According to research by Securelist: 94.95% of attacks end within four hours. 3.27% last between 5 to 9 hours. 1.05% persist for 10 to 19 hours. Only 0.73% of all attacks extend beyond 20 hours. Effective Tools for Protecting a Server from DDoS Attacks If you don't want to rely on vendors' solutions, paid services, or proprietary software, you can use the following tools to defend against DDoS attacks: IPTables. A powerful firewall tool available in Linux systems that allows precise control over incoming and outgoing traffic. CSF (ConfigServer Security and Firewall). A robust security tool that simplifies managing firewall rules and provides additional protection mechanisms. Nginx Modules. Modules specifically designed for mitigating DDoS attacks, such as limiting the number of requests per IP or delaying excessive requests. Software Filters. Tools or scripts that analyze and filter traffic to block malicious or excessive requests, helping to maintain service availability. IPTables. Blocking Bots by IP Address The IPTables tool helps protect a server from basic DDoS attacks. Its primary function is to filter incoming traffic through special tables. The resource owner can add custom tables. Each table contains a set of rules that govern the tool's behavior in specific situations. By default, there are only two response options: ACCEPT (allow access) and REJECT (block access). In IPTables, it is possible to limit the number of connections.  If a single IP address exceeds the allowed number of connections, the tool will block access for that IP. You can extend the tool's functionality with additional criteria: Limit: Sets a limit on the number of packet connections within a chosen time period. Hashlimit: Works similarly to Limit, but applies to groups of hosts, subnets, and ports. Mark: Used to mark packets, limit traffic, and filter. Connlimit: Limits the number of simultaneous connections for a single IP address or subnet. IPRange: Defines a range of IP addresses that are not considered as a subnet by the tool. Additionally, IPTables can use criteria such as Owner, State, TOS, TTL, and Unclean Match to set personalized configurations, effectively protecting the resource from DDoS attacks. The ipset kernel module allows you to create a list of addresses that exceed the specified connection limit. The ipset timeout parameter sets a time limit for the created list, which is enough to ride out a DDoS attack. By default, IPTables settings return to their basic configuration after a system reboot. To save the settings, you can use additional utilities (such as iptables-save or iptables-persistent), but it is recommended to start with the default options to avoid saving incorrect settings that could block server access for everyone. ConfigServer Security and Firewall While IPTables is a convenient and effective tool, it can be quite complex to configure. You’ll need to learn how to manage it and write additional scripts, and if something goes wrong, your resource may end up being a "closed club" for just a few users. CSF (ConfigServer Security and Firewall) is a "turnkey" configurator, meaning you only need to set the correct parameters and not worry about the server's security. Installing the Server Firewall The preliminary installation steps involve downloading two additional components required to run CSF: the Perl interpreter and the libwww library. The next step is to install ConfigServer Security and Firewall itself. Since the tool is not available in the official repository, you'll need to download it directly from the provided link or by fetching the ready-made archive: cd /usr/srcwget https://download.configserver.com/csf.tgz After downloading, extract the archive and move it to the defender’s files folder. Then, run the installation process. Once installed successfully, you can proceed with configuring CSF. Configuring the Server Firewall By default, the settings in ConfigServer and Firewall are active for 5 minutes, after which any changes are reset. This test format is useful for conducting experiments and understanding errors in the applied configuration. To switch to live mode, change the Testing value to 0. Proper configuration of CSF ensures reliable protection against DDoS attacks. Here are some essential commands in CSF: Specify incoming ports: TCP_IN = "22,23,25,36,75,87" Specify outgoing ports: TCP_OUT = "22,23,25,36,75,87" Configure email notifications for SSH connections: LF_SSH_EMAIL_ALERT = "1" Add an IP address to the exception list (useful for server management teams): csf -a 192.168.0.7 Block a specific IP address from connecting to the server: csf -d 192.168.0.6 Nginx Modules How can you protect your server from DDoS attacks using simpler methods? Use Nginx modules like limit_conn and limit_req. The limit_conn module limits the maximum number of connections to the server, while the limit_req module limits the number of requests within a specified time frame. For example, if you want to limit the number of simultaneous connections to 30 and restrict the number of connections within a 3-second window, the configuration will look as follows: limit_conn_zone $binary_remote_addr zone=perip: 30m;limit_req_zone $binary_remote_addr zone=dynamic:30m rate=3r/s; This configuration allows only 3 requests per second. Any additional requests are queued. The burst parameter controls the queue size. For example, if the burst value is set to 7, the module will queue up to 7 requests when the request count exceeds 10, while any further requests will be rejected with an error. Software Filter Server protection against DDoS attacks can also be achieved using web applications. A traffic filter uses JavaScript, which is inaccessible to bots, effectively redirecting DDoS attacks to a placeholder page. The operation of the filter is simple. The configuration defines conditions for blocking bots, and when a visitor meets those conditions, they are redirected to a placeholder page instead of the requested page. The filter can also specify the reason for the redirection.

This article explores the features and benefits of load testing a web server, discussing why it is important and how to perform it correctly. What Is Load Testing? Load testing is the process of evaluating the performance and reliability of a web server using specialized tools designed to simulate real-world server loads. These tools emulate the activity of a specified number of users and document the resulting load on the server. The collected data is then analyzed to assess the performance of hardware resources, communication channels, and server software. Why Use Load Tests: Objectives of Testing Most websites and applications are created to generate revenue, or profitability is set as one of the project goals. The performance of the server—its ability to handle the planned number of simultaneous users—is a key success factor. If a server cannot handle a surge in visitors, it results in decreased traffic, negatively impacting the website's behavioral metrics. As a result, the site's ranking in search engine results drops, reducing organic traffic and leading to a decline in sales and advertising revenue. Such failures can be equally disastrous for web applications used by thousands of people. The primary goal of load testing is to evaluate server capacity under extreme conditions, pushing it to its operational limits. This helps determine whether additional resources are needed or if existing ones are sufficient for stable operation. The outcome includes mitigating the risk of site or application downtime and achieving significant cost savings in the long run. Step-by-Step Guide to Load Testing a Server Let’s break down the entire process into sequential steps: Preparation for Testing. Before conducting load testing, start with functional testing to ensure the chosen tools and configurations are correct. Define Objectives. Typical objectives include identifying the server’s performance limits and detecting system bottlenecks. Specify Requirements. Clearly define the requirements, such as: 90% of users must be served within a maximum of 10 seconds each. Develop Scenarios. Create scenarios based on typical user behavior on the website, application, or service. Choose Tools. Select software that best aligns with the testing goals. Configure Tools. Set the load levels and write scripts to simulate user behavior. Execute Testing. Gradually increase the load while documenting critical thresholds. Analyze Results. Process the collected data, draw conclusions, and prepare recommendations for improving system performance. Objectives and Requirements The type and scale of the load, as well as the metrics to monitor, depend on the specific objectives. Common tasks include: Determining the server’s performance limits. Checking configuration reliability. Monitoring backups. Identifying problematic areas in the system. Regarding requirements, they often define user service times as percentages. It’s important to avoid aiming for 100% of users to be served within a strict timeframe, as a buffer (typically around 10%) is necessary. This allows the system to handle unexpected events without failures. User Scenarios User scenarios depend on how users interact with the site. For example, a typical scenario for an online store might include: Logging in. Searching for and selecting a product. Viewing the product details. Adding the product to the cart. Proceeding to the cart. Initiating the checkout process. Filling in form fields. Confirming and paying for the purchase. The exact flow depends on the functionality of the site or application. After modeling one or more typical scenarios, identify the most resource-intensive pages and select tools to simulate the load on these critical points. Tools for Load Testing If the objectives allow, it is reasonable to use free and open-source tools for testing. One of the most popular options is Apache JMeter, a highly configurable cross-platform software that supports all web protocols. JMeter makes it easy to develop scripts that simulate user actions on a website or application. Once the scripts are created, we can set the load levels and proceed with the testing process.  However, JMeter is not the only tool for load testing. Other options include WAPT, NeoLoad, Siege, Gobench, WRK, Curl-loader, Tsung, and many more. Each of these tools has unique features. Before choosing one, review their descriptions, study available information, and consider user reviews and forums. Load Testing After defining typical scenarios and selecting appropriate tools, the testing process begins. Most scenarios involve gradually increasing the load. The number of concurrent threads or users increases until response times rise. This marks the first critical threshold, often referred to as the degradation point. The second threshold, known as the sub-critical point, occurs when response times exceed acceptable limits. The system can still process requests at this stage, but response times hit the SLA (Service Level Agreement) threshold. Beyond this point, delays accumulate rapidly, causing the system to reach the critical point. The critical point, or failure point, occurs when the server's resources are exhausted—either CPU power or memory runs out. At this stage, the server crashes, signaling the end of testing and the start of data analysis. Analysis of Load Testing Results Testers analyze the collected data to identify bottlenecks. Sometimes, you can resolve the issues by adjusting configurations or refining the code. In other cases, a specific service within the project may cause delays, requiring targeted optimization. This might involve configuration adjustments or scaling the service. For high user volumes, the most common issue is hardware overload. Typically, addressing this requires upgrading the infrastructure—for example, adding RAM or switching to a more powerful processor. Conclusion Load testing a server is an essential procedure for anyone looking to avoid failures in a growing website, service, or application. Practical experience shows that proper configuration adjustments or code optimization can significantly enhance server performance. However, to achieve these improvements, it’s critical to identify system bottlenecks, which is precisely the purpose of load testing.

Proxmox Backup Server is a Debian-based solution that makes backup simple. With it, you can back up virtual machines, containers, and the contents of physical hosts. PBS is installed on bare metal. All the necessary tools are bundled in a single distribution. Proxmox Backup Server is optimized for the Proxmox Virtual Environment platform. With this combination, you can: Safely back up and replicate data. Manage backups through both a graphical interface and command line. Proxmox Backup Server is free software. Key Features Data loss or corruption due to deletion, ransomware, or other dangers can occur at any time. Therefore, regular backups of critical data are essential. To improve performance and achieve objectives, create backups of data using Proxmox Debian. These backups will take up minimal space, allow for instant recovery, and efficiently reduce working time through simplified management. User Role and Group Permissions Proxmox Backup protects data from unauthorized access. A range of access control options ensures that users are limited to only the level of access they need. For example, marketers don’t need access to accounting reports, and accountants don’t need to see backups of the main product code. For convenience, you can use several authentication domains: OpenID Connect, Linux PAM, or a separate authentication server. The administrator precisely defines what each user is allowed to do and what is prohibited. Easy Management PBS comes with a graphical interface through which the administrator manages the server. For advanced users who are familiar with the Unix shell, Proxmox provides a command-line interface for performing specialized or highly complex tasks. Additionally, Proxmox Backup Server uses a RESTful API. The main data format is JSON. The entire API is formally defined using its schema. This ensures fast and easy integration with third-party management tools. Reliable Encryption It’s not just important to have access to backups, but also to be confident that the information has not been compromised. To provide that confidence, PBS securely encrypts Linux backups. This guarantees security even on less-trusted hosts — for example, on rented servers. No one except the owner can decrypt and read the stored information. Granular Recovery Why restore all data when you can restore only what’s needed? To reduce overhead, Proxmox Backup Server comes with a snapshot catalog for navigation. You can quickly explore the contents of an archive and instantly recover individual objects. System Requirements CPU: A 64-bit processor based on AMD or Intel with at least 4 cores. Memory: At least 4 GB for the system, file system cache, and daemons. It is recommended to add at least 1 GB of memory for each terabyte of disk space. Storage: Requires at least 32 GB of free space. The documentation suggests using hardware RAID. It is recommended to use solid-state drives (SSDs) for backup storage. Server Installation To store backups, you need a server. You will install Proxmox Backup Server on it. You can manage this setup through either a graphical interface or the command line, depending on what suits you best. The easiest way to install the backup system on the server is by using a disk image (ISO file). This distribution includes all the necessary components for full functionality: Installation wizard Operating system with all dependencies Proxmox Linux kernel with ZFS support Tools to manage backups and other resources Management interface Installation from the disk is very simple. If you have ever installed an operating system, you will have no trouble. The installation wizard will help partition the disk and configure basic settings like time zone, language, and network for internet access. During the installation process, you will add all the necessary packages that convert a regular Debian system into one for managing backups. PBS uses the entire server. During installation, all other data will be deleted. You will create a server dedicated to one task — managing backups. Setting up a separate server also involves a security consideration. In this case, you will have access to backups even if other parts of the distributed system stop working. Installation on Debian Suppose you already have a server with Debian installed. In this case, installing Proxmox can be done through a different scenario. There’s no need to reinstall the OS—just add the missing packages. They will integrate seamlessly on top of the standard setup. To perform the Proxmox download, enter the following commands in the Debian command line: apt-get update apt-get install proxmox-backup-server This will install the packages in a minimal configuration. If you want to get the same set as when using the installer, run: apt-get update apt-get install proxmox-backup This will install the packages in the full configuration, including the ZFS-supporting kernel and a set of useful tools. Essentially, this is the same as using the disk image. After installation, you can immediately connect to the Proxmox Web Interface through a browser, using HTTPS on Proxmox port 8007. For example, at https://<ip-or-dns-name>:8007. You can also separately install the Proxmox Backup Client. To do so, you need to configure the client repository based on APT and run these commands: apt-get update apt-get install proxmox-backup-client These are the standard installation recommendations. If you need to set up a custom configuration, such as with Proxmox DHCP, refer to the documentation for further guidance. Adding a Server to Proxmox VE Before backing up the server, you need to perform a preliminary configuration. Create a User In Proxmox, configuration is done through an easy-to-use interface. Let’s create the first user: Open the Configuration tab — Access Control. Click Add. Add a new user. For example, you can add a user user1@pbs. The "pbs" part is mandatory; if it’s omitted, an error message about incorrect credentials will appear. Create a Storage The next step is to create repositories. These allow you to distribute data according to your criteria. For example, you can create incremental backups for PostgreSQL, store data saved by Proxmox Ubuntu separately, and more. To do this, use the Proxmox Add Disk procedure. Go to Administration — Storage / Disks. Select a disk and initialize it by clicking Initialize Disk with GPT. Go to Directory — Create: Directory and create a directory for storing data. Specify the name of the data storage and the absolute path to the directory. If you check Add as Datastore, the new data storage will be immediately connected as a datastore object. Proxmox Storage configuration is now complete, and you just need to assign access rights to the repository. To do this: Click on the name of the created data storage, go to Permissions, and click Add — User Permission. Select the desired user and their role, then click Add to confirm. At this point, the preliminary setup is complete. Save the Fingerprint By default, PBS uses a self-signed SSL certificate. You must save the fingerprint to establish trusted connections between the client and the server in the future. Without it, you won’t be able to connect — this is one of the security mechanisms. Go to Administration — Shell and capture the server's "fingerprint" with the command: proxmox-backup-manager cert info | grep Fingerprint This will return a string containing the unique fingerprint. You can later use it to establish a connection with the backup server. Add a Server You can add storage directly from the Proxmox VE web interface (Datacenter — Storage — Add) or manually via the console. Let’s explore the second option, as it provides more flexibility in configuration. You need to define the new storage with the pbs type on your Proxmox VE node. In the following example, store2 is used as the storage name, and the server address is localhost. You are connecting as user1@pbs. Add the storage: pvesm add pbs store2 --server localhost --datastore store2 Set the username and password for access: pvesm set store2 --username user1@pbs --password <secret> If you don’t want to enter the password as plain text, you can pass the --password parameter without any arguments. This will prompt the program to ask for the password when you enter the command. If your backup server uses a self-signed certificate, you need to add the certificate's fingerprint to the configuration. You already obtained the fingerprint earlier with the following command: proxmox-backup-manager cert info | grep Fingerprint To establish a trusted relationship with the Backup Server Linux, add the fingerprint to the configuration: pvesm set store2 --fingerprint 64:d3:ff:3a:50:38:53:5a:9b:f7:50:...:ab:fe After --fingerprint, paste the fingerprint you obtained. Check the status of the storage with: pvesm status --storage store2 Through the web interface, you will see the storage listed among the virtual machines and container backups available for data storage, along with usage statistics. It’s now time to create your first backup. Backup and Recovery Suppose you have an LXC container running Ubuntu inside. To back it up: Open the Backup section. Select the desired Storage. Click Backup now. Choose the type of backup. If you access the PBS server, you can view the information about the completed backup task. To verify the backup’s functionality, delete the Ubuntu container and then perform a recovery. In the PVE web interface, go to Storage. Open the Content tab. Select the backup file. For recovery, choose the location and a new identifier (by default, it will be the same as when we created the backup), and set the read data limit. This will help avoid overloading the virtualization server’s input channel. Click Restore and start the container. Thanks to the fast backup creation and recovery process in Proxmox, you can also easily migrate a virtual machine. Backing up a virtual machine is no different from backing up a container. The recovery process is the same. You specify the desired backup and the location for deployment and decide whether to start the machine immediately after the procedure is completed. If you need not the entire backup but only individual files, you can recover them through the PBS web interface. Conclusion By setting up backups with Proxmox, you can be confident that virtual machines or containers won’t be lost in case of a storage failure. You can easily restore them with minimal effort. All that is required is to mount a new host, add the data storage, and start the recovery process.