New on LowEndTalk? Please Register and read our Community Rules.
VPS suspended
Can anyone help me analyse this log?
My VPS got suspended and the provider asked what I am hosting..
I just host a small website with regular MySQL usage.. and my website has been up less than a few days..
I don't know what this log is saying.. I censored my server IP
Comments
Looks like your VPS was sending out DoS or you got attacked by a DoS attack.
your webserver got attacked
http://stackoverflow.com/questions/11729517/how-to-stop-syn-sent
so this is just a small portion of the log, right?
All those [unreplied] mean, well, the server isn't (or won't be) acknowledging those connections.
Why do you keep trying to open 162.218.30.18:80?
Is my server sending DoS or did it get attacked by DoS??
@zevus yup.. my provider gave it to me.. I don't recognize that IP.. my website will only process some rows of MySQL when a user uses my website
Well, something is making it open connections to 162.218.30.18:80 over and over. I'm guessing that, to be suspended, if we had timestamps it'd probably be at least once a second if not multiple times a second..
NetRange: 162.218.30.16 - 162.218.30.23
CustName: Shen Bifen
Address: tiyuchangdongmenailouxinghunshseying
City: hangzhoushi
StateProv: ZEJIANGSHENG
PostalCode: 310000
Country: CN
RegDate: 2013-12-17
Updated: 2013-12-17
So, if my provider boots up the server, will it send the requests automatically? I don't want it to be suspended twice T_T
Reinstall!
China??? damnn... my other server got attacked before this.. they bruteforced my server.. and they managed to get into it.. after that they used my server to send weird requests.. and the CPU load was very heavy.. CHINA -_-
I always reinstall when something happens on my server.. because I'm scared the fix only lasts for a short time
1) Disable password authentication for SSH
2) Use SSH public key authentication for SSH only
3) Optional: disable root login via SSH (I don't see why you'd want to do this if you have SSH public key auth; when no one ever gets your private key and its passphrase, everything should be fine with it being enabled)
I never use keys for auth.. maybe it is time for me to learn that
You should use SSH public key authentication with a passphrased key instead of password authentication.
Of course a passphrase-less key allows you to do password-less login, but it's less secure. If someone steals your key (shouldn't happen when you are careful) he can log in to your server if the key has no passphrase, but if the key has one he first has to get the passphrase to be able to log in.
Brute force on SSH key authentication systems is impossible as you get kicked out instantly because of an unsupported authentication type (as you disabled password authentication before).
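As an added check (not from any poster) for the three rules listed above and the explanation just given, this script audits an sshd_config the way sshd reads it: the first occurrence of a keyword wins and everything after a Match line is conditional, which catches the common mistake of appending PasswordAuthentication no below an earlier yes. The defaults assume OpenSSH 7.0 or later, and the sample configs are constructed.

```python
"""Audit an sshd_config for the thread's advice (added example, not from the
thread). Defaults assume OpenSSH 7.0+, where PermitRootLogin defaults to
prohibit-password."""
import re

DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "permitrootlogin": "prohibit-password"}

def parse_sshd_config(text):
    """Effective global settings, lowercased, as sshd applies them: the FIRST
    occurrence of a keyword wins, and parsing stops at the first Match block
    because everything below it is conditional."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*[\s=]\s*(.+?)\s*$", line)  # 'Key value' or 'Key=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        if key == "match":
            break
        if key in DEFAULTS and key not in seen:
            settings[key] = value
            seen.add(key)
    return settings

def audit(text):
    """Return findings; an empty list means the advice is applied."""
    s = parse_sshd_config(text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': SSH passwords can still be brute forced")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is not 'yes': key-based login would fail")
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: optional hardening is prohibit-password or no")
    return findings

# Constructed samples: the weak file appends 'no' AFTER an earlier 'yes', so
# sshd silently keeps 'yes'; the hardened file's Match block does not change
# the global verdict.
WEAK_CONFIG = "PermitRootLogin yes\nPasswordAuthentication yes\nPasswordAuthentication no\n"
HARDENED_CONFIG = ("PubkeyAuthentication yes\nPasswordAuthentication no\n"
                   "PermitRootLogin prohibit-password\n"
                   "Match User deploy\n    PasswordAuthentication yes\n")
```

Run audit() on the contents of /etc/ssh/sshd_config after editing and before restarting sshd; `sshd -T` remains the authoritative view of what the daemon will actually apply.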
Ok then.. thanks for that advice.. I think I will use it on all my servers.. thanks again
The above of course does not protect you from security holes in other programs that may allow hackers to run any code they want as root.
Always keep your system up to date and secured.
Your VPS has not been hacked but got attacked by a SYN FLOOD. See SYN_SENT in your log.
http://stackoverflow.com/questions/11729517/how-to-stop-syn-sent
Or have something like:
O8&0T@KyUr9yPSuVamxij8esdkPqCu1D&0IVmsj&lhsuG6ElecF8ZWnYMvL&
If the attacker successfully attacks and exploits known vulnerabilities in the software you run on your VPS, then no amount of extra long passwords or key authentication is going to save you from the inevitable good-server-gone-bad deal. As a server owner, you need to make sure that you're keeping your software updated regularly.
I'm sorry for essentially copying @SandwichBagGhost's post, but I will give credit where it is due. They're right on the money.
Yes, my VPS is up to date because I bought that server on 25/8 and installed the webserver and ran my website on 26/8; since then, the software has been up to date..
But how did the attacker find my IP or domain?? I bought the domain 3 days ago..
Did you change your SSH port? Change your password to something with capital letters, complexity and symbols. No password like pass23456. Did you install fail2ban? Use Cloudflare or use Nginx as a reverse proxy to forward traffic to the web server. Rate limit connections with iptables. Optimize your web server configuration. Make sure you audit your logs at least weekly.
Looks like SYN flood in, default nodewatch settings pick this up and suspend. I had this issue with GVH yesterday (not their fault), when I had a massive flood of 'traffic'.
Cloudflare helped in my situation, so you could try that if you are running a website.
Yes, but what will you change from the last time you reinstalled to prevent a recurrence?
Unfortunately, I still use port 22 and use a dictionary password.. this is because I just bought the server and the domain.. I didn't know people would find it so quickly..
Reinstall and apply what I need to apply to prevent that problem from happening again
from stackoverflow:
This question seems to be getting many views but yet no answer, so I decided to answer my own question for anyone looking for a solution.
T_T my provider unsuspended my server a few times.. but my server keeps getting suspended again after a few secs/mins of being online T_T
btw I applied stackoverflow.com/questions/11729517/how-to-stop-syn-sent but my VPS is still being suspended again..
I didn't have a backup of my SSL key and they only issue SSL once.. so I would lose SSL if I reinstall T_T
Your server is compromised, you can't (shouldn't) be using that SSL key anyway. You should request it be revoked and re-issue the cert with a new key... After you reinstall your system.
Take the advice given to you already: reinstall the system and use key-based authentication for SSH. If possible, restrict SSH connections to a single IP (e.g. your home/office IP if it's static).