Extra: according to chatgtp 😀
this also can be achieved using VXLAN setup
Below is this VXLAN setup ( did not tried or experiment this – just for extra information )

Alright — here’s the VXLAN version of your setup.
VXLAN is nice because it uses UDP (default port 4789), which almost always passes through firewalls/NAT, and it’s still Layer 2 capable like gretap.

Network Recap
Provider A (Debian VM) Provider B (Proxmox Node)
Public IP: 38.248.1.150 Public IP: 185.17.1.2
/24: 38.248.1.0/24 (lives in Provider A)
/24 Gateway: 38.248.1.1
Goal: VMs in Provider B keep using their old IPs + gateway over the tunnel

On Provider A (Debian VM)

Install bridge utilities

apt install bridge-utils iproute2

Create VXLAN interface (ID can be any number, must match both sides)

ip link add vxlan100 type vxlan id 100 \
dev eth0 \
remote 185.17.1.2 \
dstport 4789 \
local 38.248.1.150 \
ttl 255

Bring it up with smaller MTU (VXLAN adds ~50 bytes)

ip link set vxlan100 up mtu 1450

Create a bridge for your public NIC + VXLAN

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 vxlan100

Move your IP from eth0 to the bridge

ip addr flush dev eth0
ip addr add 38.248.1.150/24 dev br0
ip link set br0 up
ip route add default via 38.248.1.1


On Provider B (Proxmox Node)
Edit /etc/network/interfaces:

auto vxlan100
iface vxlan100 inet manual
pre-up ip link add vxlan100 type vxlan id 100 \
dev eth0 \
remote 38.248.1.150 \
dstport 4789 \
local 185.17.1.2 \
ttl 255
up ip link set vxlan100 up mtu 1450
post-down ip link del vxlan100

auto vmbr2
iface vmbr2 inet manual
bridge_ports vxlan100
bridge_stp off
bridge_fd 0


! Do not assign the /24 to vmbr2. This bridge is purely for the VMs.

On a Migrated VM in Provider B
Same config as if it were still in Provider A:

IP: 38.248.1.152
Netmask: 255.255.255.0
Gateway: 38.248.1.1

Firewall / Networking Notes
Allow UDP/4789 in both directions (between 38.248.1.150 ↔ 185.17.1.2).

MTU must be reduced to ~1450 (or lower if path MTU is smaller).

Some providers have “anti-MAC spoofing” — if so, you may need to request that they disable it for the VXLAN tunnel endpoints.

Testing
On Provider B:

bridge link show
Should show vxlan100 as a port in vmbr2.

From the migrated VM in Provider B:

ping 38.248.1.1
If it works, you’ve got transparent L2 connectivity over VXLAN.

GRE vs VXLAN Quick Comparison
Feature GRE/gretap VXLAN
Layer 2 capable gretap only Yes
Encapsulation Protocol 47 (GRE) UDP
Likely to pass firewalls Lower Higher
Overhead ~24 bytes ~50 bytes
MTU impact Moderate Slightly more

for not to mess up with the current production system proxmox A, I created a new debian Vm in proxmox A and set up the GRE tunnel between this VM and new Proxmox B node on provider B (New proxmox node is empty)


Provider A (Debian VM) Public IP: 38.248.1.150 /24: 38.248.1.0/24 (in Provider A) /24 Gateway: 38.248.1.1 (Provider A) Provider B (Proxmox Node) Public IP: 185.17.1.2 Gateway: 185.17.1.1

On Provider A (Debian VM)

# Install bridge utils if missing
apt install bridge-utils

# Create gretap tunnel
ip link add gre1 type gretap local 38.248.1.150 remote 185.17.1.2 ttl 255

# Bring tunnel up
ip link set gre1 up mtu 1450

# Create a bridge for the tunnel + upstream NIC
brctl addbr br0
brctl addif br0 ens18   # eth0 is your public interface in Provider A
brctl addif br0 gre1

# Assign Provider A’s public IP to the bridge (so Debian VM still works)
ip addr flush dev ens18
ip addr add 38.248.1.150/24 dev br0
ip link set br0 up
ip route add default via 38.248.1.1

On Provider B (Proxmox Node)
edit /etc/network/interfaces

auto gre1
iface gre1 inet manual
    pre-up ip link add gre1 type gretap local 185.17.1.2 remote 38.248.1.150 ttl 255
    up ip link set gre1 up mtu 1450
    post-down ip link del gre1

auto vmbr2
iface vmbr2 inet manual
    bridge_ports gre1
    bridge_stp off
    bridge_fd 0
    mtu 1476 # see below for extra notes

end edit and reboot


Migrate a VM to Provider A to Provider B
Migrated VM network settings – keep everything intact and original


IMPORTANT NOTE:

Because GRE uses more encapsulation overhead.
Lower the MTU in Provider B side
I set the MTU values as below and seems like working (may need a little bit more tweaking)

Provider B Proxmox node set vmbr2 MTU 1476 – already setup in /etc/network/interfaces
On Proxmox node side: Provider B Migrated VM: set net0 network device MTU 1400


EXTRA: Mandatory Tests:

From Migrated VM with ip address 38.248.1.152

 Host                             Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 38.248.1.1                     0.0%    11    1.3   1.2   1.0   1.8   0.2
 2. 62.113.192.83                  0.0%    11    1.5   1.6   1.2   2.0   0.2
 3. 62.113.192.91                  0.0%    11    1.1   1.4   1.1   1.8   0.2
 4. 80.150.168.241                 0.0%    11    2.3   2.2   1.8   2.4   0.2
 5. 62.157.248.2                   0.0%    11    1.3   1.5   1.3   1.8   0.2
 6. 212.156.101.219                0.0%    11   48.0  47.9  47.6  48.1   0.1
 7. 81.212.31.191                 20.0%    11   48.1  48.2  47.9  48.4   0.2
 8. 81.212.247.98                  0.0%    11   58.2  58.4  58.1  58.9   0.2
 9. 81.212.246.109                 0.0%    11   58.9  59.0  58.7  59.2   0.2
10. 195.175.103.254                0.0%    10   56.4  57.8  56.3  68.5   3.8
11. (waiting for reply)
12. 198.68.73.68                   0.0%    10   62.1  62.7  60.7  65.0   1.3

From My own office connection to Migrated VM

 Host                           Loss%   Snt   Last   Avg  Best  Wrst StDev
1. 192.168.88.1 0.0% 13 0.3 0.3 0.2 0.3 0.0
2. (waiting for reply)
3. 172.25.16.13 0.0% 13 9.3 8.5 7.0 11.5 1.5
4. 195.33.217.229 0.0% 12 13.3 13.3 12.5 15.1 0.7
5. 10.40.174.73 0.0% 12 14.0 13.9 12.3 15.2 0.8
6. (waiting for reply)
7. (waiting for reply)
8. (waiting for reply)
9. 89.221.34.189 0.0% 12 55.8 56.1 51.9 70.1 6.0
10. 62.67.110.46 0.0% 12 79.2 63.0 60.0 79.2 5.2
11. 62.113.192.66 0.0% 12 61.6 61.1 60.2 62.0 0.7
12. 38.248.1.152 0.0% 12 61.4 62.2 60.8 66.7 1.6

NOT: Hatalar var Dikkatli OL!

Pool Related Commands
# zpool create datapool c0t0d0  - Create a basic pool named datapool
# zpool create -f datapool c0t0d0 - Force the creation of a pool
# zpool create -m /data datapool c0t0d0 - Create a pool with a different mount point than the default.
# zpool create datapool raidz c3t0d0 c3t1d0 c3t2d0 - Create RAID-Z vdev pool
# zpool add datapool raidz c4t0d0 c4t1d0 c4t2d0 - Add RAID-Z vdev to pool datapool
# zpool create datapool raidz1 c0t0d0 c0t1d0 c0t2d0 c0t3d0 c0t4d0 c0t5d0 - Create RAID-Z1 pool
# zpool create datapool raidz2 c0t0d0 c0t1d0 c0t2d0 c0t3d0 c0t4d0 c0t5d0 - Create RAID-Z2 pool
# zpool create datapool mirror c0t0d0 c0t5d0 Mirror c0t0d0 to c0t5d0
# zpool create datapool mirror c0t0d0 c0t5d0 mirror c0t2d0 c0t4d0 - disk c0t0d0 is mirrored with c0t5d0 and disk c0t2d0 is mirrored withc0t4d0
# zpool add datapool mirror c3t0d0 c3t1d0 - Add new mirrored vdev to datapool
# zpool add datapool spare c1t3d0 - Add spare device c1t3d0 to the datapool
# zpool create -n geekpool c1t3d0 - Do a dry run on pool creation

Show file system info
# zfs list - List all ZFS file system
# zfs get all datapool - List all properties of a ZFS file system

Mount/Umount Related Commands
# zfs set mountp oin t=/data datapool/fs1 - Set the mount-point of file system fs1 to /data
# zfs mount datapool /fs1 - Mount fs1 file system
# zfs umount datapool /fs1 - Umount ZFS file system fs1
# zfs mount -a - Mount all ZFS file systems
# zfs umount -a - Umount all ZFS file systems

Import/Export Commands
# zpool import - List pools available for import
# zpool import -a - Imports all pools found in the search directories
# zpool import -d - To search for pools with block devices not located in /dev/dsk
# zpool import -d /zfs datapool - Search for a pool with block devices created in /zfs
# zpool import oldpool newpool - Import a pool originally named oldpool under new name newpool
# zpool import 3987837483 - Import pool using pool ID
# zpool export datapool - Deport a ZFS pool named datapool
# zpool export -f datapool - Force the unmount and deport of a ZFS pool

Clone Commands
# zfs clone datapool/ fs1 @10 jan2014 /clone s/fs1 - Clone an existing snapshot
# zfs destroy datapool/ fs1 @10 jan2014 - Destroy clone

Show Pool Information
# zpool status -x Show pool status
# zpool status -v datapool - Show individual pool status in verbose mode
# zpool list - Show all the pools
# zpool list -o name,size - Show particular properties of all the pools (here, name and size)
# zpool list -Ho name - Show all pools without headers and columns

File-system/Volume related commands
# zfs create datapool /fs1 - Create file-system fs1 under datapool
# zfs create -V 1gb datapool/ vol01 - Create 1 GB volume (Block device) in datapool
# zfs destroy -r datapool - destroy datapool and all datasets under it
# zfs destroy -fr datapool /data - destroy file-system or volume (data) and all related snapshots

Set ZFS file system properties
# zfs set quota=1G datapool /fs1 - Set quota of 1 GB on filesystem fs1
# zfs set reserv ati on=1G datapool /fs1 - Set Reservation of 1 GB on filesystem fs1
# zfs set mountpoint=legacy datapool/ fs1 - Disable ZFS auto mounting and enable mounting through /etc/vfstab.
# zfs set sharen fs=on datapool /fs1 - Share fs1 as NFS
# zfs set compression=on datapool /fs1 - Enable compression on fs1
zfs set record size=[ size] pool/data set /name - 
Set Dataset Record Size (Size should be a value like 16k, 128k, or 1M etc.)
zfs get recordsize pool/data set /name - Get Dataset Record Size

ZFS I/O performance
# zpool iostat 2 - Display ZFS I/O Statistics every 2 seconds
# zpool iostat -v 2 - Display detailed ZFS I/O statistics every 2 seconds

ZFS maintenance commands
# zpool scrub datapool - Run scrub on all file systems under data pool
# zpool offline -t datapool c0t0d0 - Temporarily offline a disk (until next reboot)
# zpool online - Online a disk to clear error count
# zpool clear - Clear error count without a need to the disk

Snapshot Commands
# zfs snapshot datapool/ fs1 @12 jan2014 - Create a snapshot named 12jan2014 of the fs1 filesystem
# zfs list -t snapshot - List snapshots
# zfs rollback -r datapool/ fs1 @10 jan2014 - Roll back to 10jan2014 - (recursively destroy intermediate snapshots)
# zfs rollback -rf datapool/ fs1 @10 jan2014 - Roll back must and force unmount and remount
# zfs destroy datapool/ fs1 @10 jan2014 - Destroy snapshot created earlier
# zfs send datapool/ fs1 @oc t2013 > /geekpool /fs1/oct2013.bak - Take a backup of ZFS snapshot locally
# zfs receive anotherpool/fs1 < /geekpool /fs1/oct2 013.bak - Restore from the snapshot backup backup taken
# zfs send datapool/ fs1 @oct2013 | zfs receive anotherpool/fs1 - Combine the send and receive operation
# zfs send datapool/ fs1 @oct2013 | ssh node02 "zfs receive testpool/ testfs " - Send the snapshot to a remote system node02

The Dovecot configuration is updated to block non-encrypted connections to the POP and IMAP services.

This change protects the clients from accidentally misconfiguring email applications to not use encrypted connections. The connections from localhost (not going over the network) are still allowed to not use encryption.

Backwards compatibility with insecure mode can be managed with a drop-in Dovecot configuration file. Examples:

# Allow plain-text POP/IMAP connections for Dovecot 2.4:
echo 'auth_allow_cleartext = yes' > /etc/dovecot/conf.d/insecure-auth.conf
systemctl restart dovecot

# Allow plain-text POP/IMAP connections for Dovecot 2.3:
echo 'disable_plaintext_auth = no' > /etc/dovecot/conf.d/insecure-auth.conf
systemctl restart dovecot

# Restore original configuration (secure):
rm -f /etc/dovecot/conf.d/insecure-auth.conf
systemctl restart dovecot

plesk icin yazilmis ama olsun

Determine the source IP addresses and numbers of the connections:

ss -tan state established | grep ":80\|:443" | awk '{print $4}'| cut -d':' -f1 | sort -n | uniq -c | sort -nr

Find the domains which are currently under attack:

for log in /var/www/vhosts/system/*/logs/*access*log; do echo -n "$log "; tail -n10000 "$log" | grep -c 203.0.113.2; done | sort -n -k2

Check the number of connections in SYN_RECV state (possible syn-flood):

ss -tan state syn-recv | wc -l

If there are several IP addresses in Plesk, determine the target IP address under attack:

netstat -lpan | grep SYN_RECV | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -nk 1

It is possible that there are not many established connections to the web server, however, there might be a lot of requests that were successfully served by nginx and transferred to Apache and at this point, Apache is under attack. To track these requests do the following:

Navigate to /var/www/vhosts/system:

cd /var/www/vhosts/system

Generate a file requests to fetch the number of requests that were made in the last hour using the command below.

Note: As an example, 24/Jan/2022:20 will be used. Here ":20" is 8 p.m.

for i in *;do echo -n "$i "; grep '24/Jan/2022:20' $i/logs/access_ssl_log | awk '{print $1}' | wc -l;done > ~/requests

Check the generated file:

cat ~/requests | sort -k 2 -r -n | head
example.com 24549
example.net 18545
test.com 3

‼️ Block SMTP authentication on port 25 and plain-text connections improved

The Exim configuration is updated to not allow users to perform SMTP authentication on TCP port 25. This means email clients will not be able to use port 25 for sending emails. TCP port 25 will be exclusively used for communication between mail servers, and clients will have to use 587 or 465 ports.

The motivation for this change is to completely separate the mail server-to-server (MTA-to-MTA) communications from client-to-server (MUA-to-MTA) communications. This makes it easier to harden the email submission security. For example:

  • TCP ports 587 and 465 could use custom firewall rules to only allow sending emails from trusted networks.
  • It is no longer possible to brute-force the email credentials over the TCP port 25.

In addition to blocking SMTP authentication on port TCP 25, Exim will no longer allow SMTP authentication over plain-text connections. This change protects the clients from accidentally misconfiguring email applications to not use encrypted connections. Use of encryption is critical because SMTP authentication uses literal user passwords without any hashing. Accessing SMTP over plaintext at least once is enough for the user credentials to be stolen. There is an exception made to allow not using encryption for internal connections over localhost.

This is a big change that might affect servers and clients that relied on authentication always being available. This feature is implemented in a way to allow server administrators to restore the old behaviour in a simple way.

The authentication availability on SMTP ports is controlled by the AUTH_ENABLE_CONDITION macro in the /etc/exim.variables.conf file. The new default policy is:

AUTH_ENABLE_CONDITION = ${if and { {!eq{$interface_port}{25}} { or { {def:tls_in_cipher} {match_ip{$sender_host_address}{<; 127.0.0.1 ; ::1}} } } }}

The policy can be changed by setting it to a different value in the /etc/exim.variables.conf.custom file and rebuilding the Exim configuration with the da build exim_conf command.

Examples:

# Use old (insecure) SMTP authentication policy, authentication always available
sed -i '/^AUTH_ENABLE_CONDITION /d' /etc/exim.variables.conf.custom
echo 'AUTH_ENABLE_CONDITION = yes' >> /etc/exim.variables.conf.custom
da build exim_conf

# Block SMTP authentication on plain-text connections, but allow it to work on all TCP ports
sed -i '/^AUTH_ENABLE_CONDITION /d' /etc/exim.variables.conf.custom
echo 'AUTH_ENABLE_CONDITION = ${if or { {def:tls_in_cipher} {match_ip{$sender_host_address}{<; 127.0.0.1 ; ::1}} }}' >> /etc/exim.variables.conf.custom
da build exim_conf

# Block SMTP authentication on TCP port 25, but allow it on plain-text connections on on other ports
sed -i '/^AUTH_ENABLE_CONDITION /d' /etc/exim.variables.conf.custom
echo 'AUTH_ENABLE_CONDITION = ${if !eq{$interface_port}{25}}' >> /etc/exim.variables.conf.custom
da build exim_conf

# Use the new (secure) DirectAdmin SMTP authentication policy
sed -i '/^AUTH_ENABLE_CONDITION /d' /etc/exim.variables.conf.custom
da build exim_conf

Note: It is highly recommended to use the new default SMTP authentication policy. The mechanism to revert to the old policy should only be used temporarily until all the clients are reconfigured to use SMTP submission ports (587 or 465) and encryption.

#

cok geriden gelen

nano /etc/shells >

/sbin/nologin

root@a~ # usermod -s /sbin/nologin myuser

0- durum nasil su an ? kim ne kullaniyor?
egrep php[1,2,3,4]_select= /usr/local/directadmin/data/users/*/domains/*.conf

1- once bir sey olmasin aman mevcut durumu yedekle
tar czvf ~/domain-conf-backup.tgz /usr/local/directadmin/data/users/**/domains/*.conf

2- Force PHP to be version 1 if no default is set
grep -rF -L php1_select /usr/local/directadmin/data/users/**/domains/*.conf | xargs sed -i.step1 '$ a php1_select=1'

3- /usr/local/directadmin/options duzenle diledigin gibi
cd /usr/local/directadmin/custombuild
./build set php1_release 8.0
./build set php3_release 7.4
./build php

4- Now you want to move all the users who used php1 to use php3, so, you execute this script:
#!/bin/sh
for i in `ls /usr/local/directadmin/data/users/*/domains/*.conf`; do
{
       if ! grep -q ^php1_select $i; then
               echo php1_select=3 >> $i
               continue
       fi

       perl -pi -e "s/^php1_select=1/php1_select=3/" $i
};
done
exit 0

5- Update config files:
cd /usr/local/directadmin/custombuild
./build update
./build rewrite_confs