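# Example: let the nginx user run mount / umount through sudo
#
# Cmnd_Alias MOUNT lists the bare binaries, so the rule allows /bin/mount and
# /bin/umount with ANY arguments: anything running as nginx can mount or
# unmount whatever it likes as root. If only one mount point is needed, put
# that exact invocation (binary plus arguments) in the alias instead.
#
# sudo expects sudoers.d files to be root-owned and mode 0440, and a parse
# error in any sudoers.d file makes sudo refuse to run for everyone, so the
# file is chmod'ed and checked with visudo right after it is written.

$ cat > /etc/sudoers.d/nginx << EOF
Defaults:nginx !requiretty
Cmnd_Alias MOUNT = /bin/mount, /bin/umount
nginx ALL=(root) NOPASSWD: MOUNT
EOF
$ chmod 0440 /etc/sudoers.d/nginx
$ visudo -cf /etc/sudoers.d/nginx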



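# Zabbix example, to avoid errors of the form:
# sudo: sorry, you must have a tty to run sudo
#
# "!requiretty" is what fixes that error for the zabbix group.
# The original "Defaults visiblepw" line was unscoped: it let sudo prompt for
# (and echo) a password without a tty for EVERY user on the host. It is scoped
# to %zabbix here, which keeps the zabbix behaviour and leaves other users'
# defaults alone. With NOPASSWD below it should not be needed at all; drop it
# once that is confirmed.
# nmap is granted with any arguments; if the Zabbix check always runs the same
# command line, list that exact invocation instead of the bare binary.
# Mode 0440 plus a visudo syntax check, as sudo expects for sudoers.d files.

$ cat > /etc/sudoers.d/zabbix << EOF
Defaults:%zabbix !requiretty
Defaults:%zabbix visiblepw
%zabbix ALL=(ALL) NOPASSWD: /usr/bin/nmap
EOF
$ chmod 0440 /etc/sudoers.d/zabbix
$ visudo -cf /etc/sudoers.d/zabbix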

Since it's only Layer 7, just install something such as DDOS Deflate or null-route the IP range.

To null route the IP:

route add -host 222.186.129.X reject
ip route get 222.186.129.x
Output

RTNETLINK answers: Network is unreachable
To null route the whole subnet:

route add -net 222.186.0/24 gw 127.0.0.1 lo
Or to install DDOS Deflate (the installer below is fetched over plain HTTP and then run as root, so read it before executing it):

wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
(Uninstall) ->

wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos
If the attack is still too big to handle, I recommend contacting your ISP; another option is a reverse proxy with DDoS protection against Layer 7 attacks, such as http://x4b.net (quite a cheap solution).

For RedHat-based systems:

SysV:
# atop 2.2 RPM for SysV init, installed straight from the upstream URL.
# NOTE(review): the package comes over plain http, so its integrity rests on
# rpm's GPG signature check — with gpgcheck disabled it is installed
# unverified; confirm gpgcheck is on and the signing key is imported.
$ yum install http://www.atoptool.nl/download/atop-2.2-3.sysv.x86_64.rpm

systemd:
# Same package built for systemd hosts; same plain-http caveat as the SysV
# one — the GPG signature check is the only integrity control here.
$ yum install http://www.atoptool.nl/download/atop-2.2-3.systemd.x86_64.rpm

# Change 600 to 300 in the atop defaults file (presumably the logging
# interval in seconds — confirm against the installed file).
# NOTE(review): the pattern is unanchored, so "600" anywhere in the file is
# rewritten, not only the value of the intended variable; anchor it on the
# variable name used by this atop version (e.g. "^INTERVAL=600" — verify).
$ sed 's/600/300/' /etc/sysconfig/atop -i


For Debian-based systems:

# Same 600 -> 300 edit, Debian location of the atop defaults file.
# NOTE(review): unanchored pattern — any "600" in the file is replaced; anchor
# it on the variable name found in /etc/default/atop before running it.
$ sudo sed 's/600/300/' /etc/default/atop -i

http://www.tecmint.com/how-to-install-atop-to-monitor-logging-activity-of-linux-system-processes/



Посмотреть логи atop:
# Read a recorded atop log (-r; with no file given, presumably the current
# day's log — confirm) starting at 05:05 (-b).
# NOTE(review): "-l 1" is passed too; check atop(1) on the host for what -l
# means in this atop version.
$ atop -r -b 05:05 -l 1

1. Удаляем платный репозиторий
# Remove the paid (enterprise) repository list, which requires a subscription
$ rm /etc/apt/sources.list.d/pve-enterprise.list

2. Добавляем community репозиторий
# Add the community repositories (appended to proxmox.list).
# NOTE(review): "pvetest" is listed next to pve-no-subscription; the name
# suggests a testing channel — on a production host confirm it is wanted.
# NOTE(review): the ceph repo needs its signing key in apt's keyring, or
# apt-get update reports it as unverified — confirm the key was imported.
# Both URLs are plain http, so package integrity rests on apt's signature checks.
# NOTE(review): Proxmox upgrades are normally run with dist-upgrade; plain
# "upgrade" can hold packages back — verify which one is intended here.
$ cat >> /etc/apt/sources.list.d/proxmox.list << EOF
deb http://download.proxmox.com/debian jessie pve-no-subscription pvetest
deb http://download.ceph.com/debian-hammer jessie main
EOF

$ apt-get update
$ apt-get upgrade

3. В /etc/default/locale добавить настройки локали:
# Set the system-wide default locale. LC_ALL takes precedence over LANG and
# over every individual LC_* variable, so all categories become en_US.UTF-8.
cat > /etc/default/locale << EOF
LANG=en_US.UTF-8
LC_ALL=en_US.UTF-8
EOF

4. Если нет подписки на платный репозиторий, избавляемся от сообщения о необходимости ее приобрести при каждом входе в интерфейс управления.
/usr/share/pve-manager/ext4/pvemanagerlib.js

   Строка 454: меняем строку на
-- if (data.status !== 'Active') {
++ // if (data.status !== 'Active') {
++ if (false) {

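# Replace the subscription check in the web UI with "if (false)" — the same
# edit as the manual change shown above, applied with sed.
# Bug fix: in sed's basic regex "\(" and "\)" are GROUP delimiters, not literal
# parentheses, so the original pattern "if \(data.status ...\)" could only
# match "if data.status ..." and never the real line
# "if (data.status !== 'Active')"; the file was silently left unchanged.
# Plain "(" and ")" are literals in BRE, and "." is escaped so it cannot match
# an arbitrary character. "!" needs no escaping: "!=" is not a history event.
# NOTE(review): this edits a packaged file, so it is presumably overwritten by
# the next pve-manager upgrade — re-apply after upgrades.
$ sed -i "s|if (data\.status !== 'Active')|if (false)|g" /usr/share/pve-manager/ext4/pvemanagerlib.js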

5. При создании VM используем:
Harddisk: virtio
Cache: writethrough / writeback
Network: virtio (paravirtualized)
Options, use tablet for pointers: No (you don't need a mouse to manage it; when disabled it reduces interrupts)


Настройка NAT + DHCP + проброс портов:


# /etc/network/interfaces for the host: vmbr0 is the public bridge on eth0,
# vmbr1 is an internal bridge (192.168.100.0/24) that is NATed out through
# vmbr0, with three DNAT port forwards to the guests 192.168.100.5 and .3.
#
# NOTE(review): the DNAT rules match "-i eth0", but the public address is
# configured on vmbr0 and eth0 is only a bridge port; iptables may see routed
# packets as arriving on vmbr0, in which case these PREROUTING rules never
# match. Verify with the rule counters (iptables -t nat -L PREROUTING -v -n)
# after a connection attempt to one of the forwarded ports.
#
# NOTE(review): ip_forward is switched on and the nat table is populated, but
# no filter-table FORWARD rules are set here, so which traffic may cross
# between vmbr1 and vmbr0 is left to whatever FORWARD policy the host already
# has — confirm it before exposing the forwarded ports.
#
# post-up / post-down pairs are symmetric (-A on up, -D on down), so rules do
# not accumulate across ifdown/ifup cycles.
$ cat > /etc/network/interfaces << EOF
auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
address 194.58.88.xxx
netmask 255.255.255.0
gateway 194.58.88.1
bridge_ports eth0
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

auto vmbr1
iface vmbr1 inet static
address 192.168.100.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '192.168.100.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.100.0/24' -o vmbr0 -j MASQUERADE
# Проброс порта 65022 на порт 22 виртуалки 192.168.100.5
post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 65022 -j DNAT --to 192.168.100.5:22
post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 65022 -j DNAT --to 192.168.100.5:22
# Проброс порта 8080 на порт 80 виртуалки 192.168.100.5
post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to 192.168.100.5:80
post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to 192.168.100.5:80
# Проброс порта 65122 на порт 22 виртуалки 192.168.100.3
post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 65122 -j DNAT --to 192.168.100.3:22
post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 65122 -j DNAT --to 192.168.100.3:22
EOF


# Install the DHCP server for the internal bridge
$ apt-get install isc-dhcp-server

# Enable it at boot
$ systemctl enable isc-dhcp-server.service

# Write the config: leases 192.168.100.2-254 on 192.168.100.0/24, with the
# host (192.168.100.1 on vmbr1) as router and Google resolvers as DNS.
# NOTE(review): the dynamic range spans the whole subnet, including
# 192.168.100.3 and 192.168.100.5 that the port forwards in
# /etc/network/interfaces point at; unless those guests get fixed-address
# "host" reservations (or the range is narrowed to exclude them), a lease
# handed to another guest can collide with their addresses.
$ cat > /etc/dhcp/dhcpd.conf << EOF
default-lease-time 3600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option routers 192.168.100.1;
option domain-name-servers 8.8.8.8, 8.8.4.4;

subnet 192.168.100.0 netmask 255.255.255.0 {
range 192.168.100.2 192.168.100.254;
}
EOF

# Bind the server to the internal bridge only (never the public side)
# NOTE(review): this assumes /etc/default/isc-dhcp-server uses INTERFACES=;
# newer packages use INTERFACESv4= / INTERFACESv6= — check the file first,
# since the sed matches nothing and the server listens nowhere otherwise.
$ sed -i 's/^INTERFACES=.*/INTERFACES="vmbr1"/g' /etc/default/isc-dhcp-server

# Start the service
$ systemctl start isc-dhcp-server.service



*** virtio drivers