    Hosthatch.com auto suspended vps without alert

    I ordered a VPS on the Storage VPS plan (Package #1 - 5$/m) for remote data backup via FTP. I created many FTP users (with no SSH access). My clients use these users to back up data automatically to the remote backup via FTP (a cronjob on DirectAdmin). Today, my client reported that the data was not being transferred to the remote backup. I checked the VPS on https://vps.hosthatch.com/ and saw that the VPS had been suspended without any alert (although the service is still marked Active). I sent a ticket to support and they told me "Your server was suspended for outgoing attacks." The VPS only has the FTP service installed (anonymous login is not allowed), with a strong password. How can the VPS make outgoing attacks? And can FTP accounts make outgoing attacks?

    https://profvps.com - VPS KVM SSD (USA) /w Promo Recurring: 10OFF | Skype: hoang.truong040

    Comments

    • That's life bro.. We also suspend for outgoing attack to protect our network. They're probably doing the same.

    • @joodle The hosthatch.com VPS (VPS a) just saves data from the other VPS (VPS b). (VPS b) transfers data via FTP to (VPS a). So, (VPS a) called "outgoing attacks".

      https://profvps.com - VPS KVM SSD (USA) /w Promo Recurring: 10OFF | Skype: hoang.truong040

    • Abdullah Member, Provider
      edited August 2015

      The only time we notify is when it is suspended (or going to be suspended, so the user can fix the issue before) for load. We also mostly notify for incoming attacks, although there is no automated system for this so we miss it sometimes (working on a more permanent solution).

      We do not notify for outgoing attacks or servers shut down by nodewatch (for very high PPS, SMTP or SSH connections) - especially if it's a new customer with their first server, since it is either an abuser or someone who has not setup/secured their server correctly.

      Premium SSD VPS in Sweden, Norway, Austria, US, Hong Kong and Netherlands w/ DDoS protection available!

    • @jazz1611 said:
      joodle The hosthatch.com VPS (VPS a) just saves data from the other VPS (VPS b). (VPS b) transfers data via FTP to (VPS a). So, (VPS a) called "outgoing attacks".

      Your VPS could have been breached..

    • @Abdullah I have set separate times so that the traffic/bandwidth is not too large. So how would you solve this issue?

      https://profvps.com - VPS KVM SSD (USA) /w Promo Recurring: 10OFF | Skype: hoang.truong040

    • It sounds to me like they have suspended the OP because they mistook high speed FTP transfers for a DDoS attack just because it was at high speed? To me sounds like someone letting an automated script make decisions and then instead of reviewing the issue just telling you what the script told them.

      I would ask them what port the attack was on and let them know your FTP port and see if it was what they saw. If so, let them know it isn't an attack but your back-ups being transferred from one server to another. If they can't deal with that, find another host.

      my 2 cents.

      Cheers!

      Thanked by 1jazz1611

      Have an Allwinner H3 device? Android? Check out H3Droid! | Lichee Pi Zero - The 6$ SBC | #SYSarm - Get It! | Atomic Pi - $35 x86 SBC
      20+ Years IT Experience in Linux/Windows Hosting, Administration and Development

    • elgs Member

      If you knew you were not doing bad things, check if your root password is too simple and is compromised.

    • jazz1611 Member
      edited August 2015

      @TheLinuxBug The client VPS and the backup VPS are both in Los Angeles. I think that is possible, but it will not make an attack.

      @elgs As I said in the topic, the password is strong.

      https://profvps.com - VPS KVM SSD (USA) /w Promo Recurring: 10OFF | Skype: hoang.truong040

    • Abdullah Member, Provider

      @jazz1611 said:
      Abdullah I have set separate times so that the traffic/bandwidth is not too large. So how would you solve this issue?

      You are more than welcome to use the assigned bandwidth at any part of the day. There is no issue here for us to solve. We do need to do better notifications, I agree, and we're already working on this but we cannot notify each customer who signs up and starts sending out attacks on their first server, in their first month.

      Your server was sending ~1.8Gbps of TCP traffic to port 80 of a Chinese IP address. Traffic shaping was not enabled or it would be limited to 1Gbps. I'll send the logs to your ticket along with a refund so you can move to a better provider.

      Thanked by 1doughmanes

      Premium SSD VPS in Sweden, Norway, Austria, US, Hong Kong and Netherlands w/ DDoS protection available!

    • Abdullah Member, Provider
      edited August 2015

      @TheLinuxBug said:
      It sounds to me like they have suspended the OP because they mistook high speed FTP transfers for a DDoS attack just because it was at high speed? To me sounds like someone letting an automated script make decisions and then instead of reviewing the issue just telling you what the script told them.

      I would ask them what port the attack was on and let them know your FTP port and see if it was what they saw. If so, let them know it isn't an attack but your back-ups being transferred from one server to another. If they can't deal with that, find another host.

      my 2 cents.

      Cheers!

      Sorry but you are wrong. I am the first one to admit our mistakes when it is actually our mistake. This one is not.

      1.8Gbps TCP traffic to port 80 of a Chinese IP is far from backup FTP traffic.

      Thanked by 2k0nsl inthecloudblog

      Premium SSD VPS in Sweden, Norway, Austria, US, Hong Kong and Netherlands w/ DDoS protection available!

    • jazz1611 Member
      edited August 2015

      @Abdullah You may be right about that, but I have secured the VPS. I hope that does not happen again, and I have no reason to do outgoing attacks when I really need them for my job.

      https://profvps.com - VPS KVM SSD (USA) /w Promo Recurring: 10OFF | Skype: hoang.truong040

    • wych Member

      jazz1611 said: I have secured the VPS

      what steps have you taken to secure your VM?

      Taking a hiatus.

    • @wych Secured SSH and FTP. Installed CSF to block brute-force attacks.

      https://profvps.com - VPS KVM SSD (USA) /w Promo Recurring: 10OFF | Skype: hoang.truong040

    • there's 2 possibilities. 1) you did the attack. 2) you let someone else do the attack, perhaps by not securing the VPS

      hosts don't want either case, hence the termination. you're lucky to get a refund. most hosts state in their T&Cs - in case of abuse, NO REFUND

      free trial zilore monitoring

    • @jazz1611 said:
      wych Secured SSH and FTP. Installed CSF to block brute-force attacks.

      No matter the security you put in place, sadly people will still try and hack into and be successful.

      I am sure HostHatch have no reason to make this up, and if they have the hard evidence to prove what they are saying, then it seems something in your security allowed someone to gain access. Either via SSH or FTP.

    • Abdullah Member, Provider

      @Bruce said:
      hosts don't want either case, hence the termination.

      We didn't terminate, just suspended it, in case the customer needs a backup of the data on the server.

      Premium SSD VPS in Sweden, Norway, Austria, US, Hong Kong and Netherlands w/ DDoS protection available!

    • @Abdullah said:
      We didn't terminate, just suspended it, in case the customer needs a backup of the data on the server.

      I'll send the logs to your ticket along with a refund

      but you intend to

      free trial zilore monitoring

    • Abdullah Member, Provider

      @Bruce said:
      but you intend to

      Yes, sorry I misunderstood your comment.

      Premium SSD VPS in Sweden, Norway, Austria, US, Hong Kong and Netherlands w/ DDoS protection available!

    • @Abdullah said:
      Yes, sorry I misunderstood your comment.

      my point was simply that he is lucky to be offered a refund. many won't

      Thanked by 3jazz1611 Abdullah ucxo

      free trial zilore monitoring

    • They should warn you before suspending it, seeing that they can see the attacks when they start. They should warn you to lock down your server; if you fail to heed the warning, then suspend your server.

      #1 USA Based Hosting Provider

      Free & Paid Web Hosting | KVM SSD VPS's | Dedicated Servers | Website Design| Managed Service

    • Abdullah Member, Provider

      @JLPHOST said:
      They should warn you before suspending it, seeing that they can see the attacks when they start. They should warn you to lock down your server; if you fail to heed the warning, then suspend your server.

      We should let a 1.8Gbps outgoing attack continue until the customer can take action? Am I reading this correctly?

      Premium SSD VPS in Sweden, Norway, Austria, US, Hong Kong and Netherlands w/ DDoS protection available!

    • Can someone here offer me a Storage VPS? I don't need a high-spec VPS. Around 250GB disk?

      https://profvps.com - VPS KVM SSD (USA) /w Promo Recurring: 10OFF | Skype: hoang.truong040

    • @JLPHOST said:
      They should warn you before suspending it, seeing that they can see the attacks when they start. They should warn you to lock down your server; if you fail to heed the warning, then suspend your server.

      nodewatch does it automatically

      free trial zilore monitoring

    • @Bruce said:
      nodewatch does it automatically

      True, it's just suspended; the data is not lost, but it needs to be checked out by the hosting company.

      #1 USA Based Hosting Provider

      Free & Paid Web Hosting | KVM SSD VPS's | Dedicated Servers | Website Design| Managed Service

    • with Gb ports on a server that's not heavily loaded, and connected to a good network, it's easy to "dos" yourself. I've had to whitelist my own VMs as just doing yum update can spike the traffic enough to suspend it.

      you have to check the logs to see what traffic is happening. and sometimes it isn't so obvious. and there's always a script kiddie smarter than you, who can hide/cloak traffic

      free trial zilore monitoring
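
An added example, not part of any post in this thread: one way to do the log check described above and tell inbound FTP backup traffic apart from a locally initiated flood like the ~1.8Gbps to port 80 mentioned earlier. The flow-record format, the addresses (documentation ranges) and the threshold are constructed assumptions, not HostHatch's logs.

```python
from collections import defaultdict

# Constructed sample flow records (assumed format, not the ticket logs):
# direction proto local_ip:port remote_ip:port bytes seconds
# "in" = remote side opened the connection, "out" = this VPS opened it.
SAMPLE_FLOWS = """\
in  tcp 192.0.2.10:21    198.51.100.7:51544 48211       600
in  tcp 192.0.2.10:50012 198.51.100.7:51560 42949672960 600
out tcp 192.0.2.10:44120 203.0.113.80:80    33750000000 300
out tcp 192.0.2.10:44121 203.0.113.80:80    33750000000 300
out tcp 192.0.2.10:39004 198.51.100.53:443  1830000     20
"""

EGRESS_ALERT_BPS = 500_000_000  # assumed threshold: 500 Mbit/s to one destination


def parse_flows(text):
    """Yield (direction, remote_ip, remote_port, bytes, seconds) per record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        direction, _proto, _local, remote, nbytes, secs = line.split()
        rip, rport = remote.rsplit(":", 1)
        yield direction, rip, int(rport), int(nbytes), int(secs)


def suspicious_egress(text, threshold_bps=EGRESS_ALERT_BPS):
    """Return [(remote_ip, remote_port, bits_per_second)] for traffic this host
    initiated whose aggregate rate to one destination exceeds the threshold."""
    totals = defaultdict(lambda: [0, 0])  # (ip, port) -> [bytes, longest flow]
    for direction, rip, rport, nbytes, secs in parse_flows(text):
        # Backups arriving over FTP are sessions opened by the remote client,
        # so they are "in" records and never count as egress here.
        if direction != "out":
            continue
        entry = totals[(rip, rport)]
        entry[0] += nbytes
        entry[1] = max(entry[1], secs)  # assumes flows to one target overlap
    alerts = []
    for (rip, rport), (nbytes, secs) in totals.items():
        bps = nbytes * 8 // max(secs, 1)
        if bps >= threshold_bps:
            alerts.append((rip, rport, bps))
    return sorted(alerts, key=lambda a: -a[2])


if __name__ == "__main__":
    for ip, port, bps in suspicious_egress(SAMPLE_FLOWS):
        print(f"{ip}:{port} {bps / 1e9:.2f} Gbit/s locally initiated egress")
```

The 40 GiB inbound FTP transfer in the sample is not reported even though it is fast, because the direction of the session, not the speed alone, is what separates the two cases.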

    • jazz1611 said: Can someone here offer me a Storage VPS? I don't need a high-spec VPS. Around 250GB disk?

      Get a product at OVH if you are not smart enough to secure your server. They will prevent outgoing attacks for you. Their DDoS-filters work both ways.

      Thanked by 1vimalware

      tsdns.io - free, redundant, DDoS-protected TSDNS

    • FlamesRunner Member
      edited August 2015

      Why do you have a root password?

      Any decent minded person would use private key authentication.

      Let alone even allowing the root account to be used in the first place!

      wget https://s.flamz.pw/dl/bench.sh && bash bench.sh

      curl https://s.flamz.pw/analytics/bench/stats.php

    • FlamesRunner Member
      edited August 2015

      Too bad Nodewatch can't nullroute on attacks instead of suspend, would probably be better in the long run anyway IMO. (since you need the DC for that)

      wget https://s.flamz.pw/dl/bench.sh && bash bench.sh

      curl https://s.flamz.pw/analytics/bench/stats.php

    • Abdullah Member, Provider

      @FlamesRunner said:
      Too bad Nodewatch

      To clarify - this was not nodewatch. The customer had a KVM server.

      Premium SSD VPS in Sweden, Norway, Austria, US, Hong Kong and Netherlands w/ DDoS protection available!

    • Ah, Nodewatch doesn't support KVM, so.... I guess you were just doing your job, so yeah.

      wget https://s.flamz.pw/dl/bench.sh && bash bench.sh

      curl https://s.flamz.pw/analytics/bench/stats.php

    • Can someone offer me a Storage VPS? I don't need a high-spec VPS. Around 250-500GB disk, billed annually?

      https://profvps.com - VPS KVM SSD (USA) /w Promo Recurring: 10OFF | Skype: hoang.truong040

    • komputerking Member, Provider

      Well, most likely the situation is that you are trying to run a legit service, but the security on your VPS had some issues, and one of the people who signed up found an exploit and gained access and ran malicious scripts.

      A lot of the times, providers run services to protect against attacks, or find attacks that are automated and suspend them if located. I would contact your provider and ask for some additional information, and ask them if they can assist you with preventing that in the future.

      Generally, they will have dealt with a situation like yours numerous times, and will have advice on how to prevent, or how to secure, or point you in the right direction.

    • If you weren't hacked, it was probably a service on your server being used in a reflection attack.

      This signature wasted 121 bytes of your data allocation.

      https://nixstats.com/report/56b53d6465689e44598b4567

    • William Member, Provider

      Their nodewatch seems to be configured pretty solid, my server in HK did ~300Mbit for a few days with a lot of PPS and I was never suspended.

      Thanked by 1vimalware
    • @William said:
      Their nodewatch seems to be configured pretty solid, my server in HK did ~300Mbit for a few days with a lot of PPS and I was never suspended.

      HK Openvz?

      All discounts will be used to providing hosting and support for novice and female webmasters

      Yvonne Lu, Co-Founder of Lunadream Foundation telegram:minmemory

    • William Member, Provider

      Yep.

    • I just ordered HK OpenVZ from them and logged in afterwards. It already had some failed login attempts on SSH at my first login.

    • I've had that happen everywhere.

      Have I mentioned how much I hate auto correct recently?

    • @databits said:
      I just ordered HK OpenVZ from them and logged in afterwards. It already had some failed login attempts on SSH at my first login.

      Welcome to the internet.

      Favourite host in general: Ramnode (affiliate link)
      Favourite host for hourly billing/custom ISOs: Vultr ($50 free credit for new accounts, affiliate link)

    • Never mind, I just couldn't see it on the old OS that I used. :D Not an experienced Linux user here.