Hosthatch.com auto suspended vps without alert

I have ordered a VPS with the Storage VPS plan (Package #1 - 5$/m) for remote data backup via FTP. I have created many FTP users (no SSH access permission). The users are for my client to automatically back up data to the remote backup via FTP (cronjob on DirectAdmin). Today, my client reported that the data was not transferred to the remote backup. I checked the VPS on https://vps.hosthatch.com/ and saw that the VPS has been suspended without alert (although the service is still marked Active). I sent a ticket to support and they told me "Your server was suspended for outgoing attacks.". The VPS just has the FTP service installed (anonymous login not allowed) with a strong password. How can the VPS make outgoing attacks? And can FTP accounts make outgoing attacks?


Comments

  • That's life bro.. We also suspend for outgoing attack to protect our network. They're probably doing the same.

  • @joodle The hosthatch.com VPS (VPS a) just saves data from another VPS (VPS b). (VPS b) transfers data via FTP to (VPS a). So, (VPS a) is called "outgoing attacks".

  • hosthatch Patron Provider, Top Host, Veteran
    edited August 2015

    The only time we notify is when it is suspended (or going to be suspended, so the user can fix the issue before) for load. We also mostly notify for incoming attacks, although there is no automated system for this so we miss it sometimes (working on a more permanent solution).

    We do not notify for outgoing attacks or servers shut down by nodewatch (for very high PPS, SMTP or SSH connections) - especially if it's a new customer with their first server, since it is either an abuser or someone who has not set up/secured their server correctly.

  • @jazz1611 said:
    joodle The hosthatch.com VPS (VPS a) just saves data from another VPS (VPS b). (VPS b) transfers data via FTP to (VPS a). So, (VPS a) is called "outgoing attacks".

    Your VPS could have been breached..

  • @Abdullah I have set separate times so that the traffic/bandwidth is not too large. So how would you solve this issue?

  • It sounds to me like they have suspended the OP because they mistook high speed FTP transfers for a DDoS attack just because it was at high speed? To me it sounds like someone letting an automated script make decisions and then instead of reviewing the issue just telling you what the script told them.

    I would ask them what port the attack was on and let them know your FTP port and see if it was what they saw. If so, let them know it isn't an attack but your back-ups being transferred from one server to another. If they can't deal with that, find another host.

    my 2 cents.

    Cheers!

    Thanked by 1 jazz1611
  • elgs Member

    If you knew you were not doing bad things, check if your root password is too simple and is compromised.

  • jazz1611 Member
    edited August 2015

    @TheLinuxBug the client VPS and the backup VPS are both in Los Angeles. I think that is possible, but it will not make an attack.

    @elgs I said in the topic, the password is strong.

  • hosthatch Patron Provider, Top Host, Veteran

    @jazz1611 said:
    Abdullah I have set separate times so that the traffic/bandwidth is not too large. So how would you solve this issue?

    You are more than welcome to use the assigned bandwidth at any part of the day. There is no issue here for us to solve. We do need to do better notifications, I agree, and we're already working on this but we cannot notify each customer who signs up and starts sending out attacks on their first server, in their first month.

    Your server was sending ~1.8Gbps of TCP traffic to port 80 of a Chinese IP address. Traffic shaping was not enabled or it would be limited to 1Gbps. I'll send the logs to your ticket along with a refund so you can move to a better provider.

    Thanked by 1 doughmanes
  • hosthatch Patron Provider, Top Host, Veteran
    edited August 2015

    @TheLinuxBug said:
    It sounds to me like they have suspended the OP because they mistook high speed FTP transfers for a DDoS attack just because it was at high speed? To me it sounds like someone letting an automated script make decisions and then instead of reviewing the issue just telling you what the script told them.

    I would ask them what port the attack was on and let them know your FTP port and see if it was what they saw. If so, let them know it isn't an attack but your back-ups being transferred from one server to another. If they can't deal with that, find another host.

    my 2 cents.

    Cheers!

    Sorry but you are wrong. I am the first one to admit our mistakes when it is actually our mistake. This one is not.

    1.8Gbps TCP traffic to port 80 of a Chinese IP is far from backup FTP traffic.

    Thanked by 2 k0nsl inthecloudblog
  • jazz1611 Member
    edited August 2015

    @Abdullah you can be right about that, but I have secured the VPS. I hope that does not happen again, and there is no reason for an outgoing attack when I really need them for my job.

  • wych Member

    jazz1611 said: I have secured the VPS

    what steps have you taken to secure your VM?

  • @wych secured SSH, FTP. Installed CSF to block brute-force attacks.

  • there's 2 possibilities. 1) you did the attack. 2) you let someone else do the attack, perhaps by not securing the VPS

    hosts don't want either case, hence the termination. you're lucky to get a refund. most hosts state in their T&Cs - in case of abuse, NO REFUND

  • @jazz1611 said:
    wych secured SSH, FTP. Installed CSF to block brute-force attacks.

    No matter the security you put in place, sadly people will still try to hack in and be successful.

    I am sure HostHatch have no reason to make this up, and if they have the hard evidence to prove what they are saying, then it seems something in your security allowed someone to gain access. Either via SSH or FTP.

  • hosthatch Patron Provider, Top Host, Veteran

    @Bruce said:
    hosts don't want either case, hence the termination.

    We didn't terminate, just suspended it, in case the customer needs a backup of the data on the server.

  • @Abdullah said:
    We didn't terminate, just suspended it, in case the customer needs a backup of the data on the server.

    I'll send the logs to your ticket along with a refund

    but you intend to

  • hosthatch Patron Provider, Top Host, Veteran

    @Bruce said:
    but you intend to

    Yes, sorry I misunderstood your comment.

  • @Abdullah said:
    Yes, sorry I misunderstood your comment.

    my point was simply that he is lucky to be offered a refund. many won't

    Thanked by 3 jazz1611 hosthatch ucxo
  • They should warn you before suspending it, seeing that they can see the attacks when they start. They should warn you to lock down your server; if you fail to yield to the warning, then suspend your server.

  • hosthatch Patron Provider, Top Host, Veteran

    @JLPHOST said:
    They should warn you before suspending it, seeing that they can see the attacks when they start. They should warn you to lock down your server; if you fail to yield to the warning, then suspend your server.

    We should let a 1.8Gbps outgoing attack continue until the customer can take action? Am I reading this correctly?

  • Can someone here offer me a Storage VPS? I don't need a high-spec VPS. Around 250GB disk?

  • @JLPHOST said:
    They should warn you before suspending it, seeing that they can see the attacks when they start. They should warn you to lock down your server; if you fail to yield to the warning, then suspend your server.

    nodewatch does it automatically

  • @Bruce said:
    nodewatch does it automatically

    True, it's just suspended; the data is not lost, but it needs to be checked out by the hosting company.

  • with Gb ports on a server that's not heavily loaded, and connected to a good network, it's easy to "dos" yourself. I've had to whitelist my own VMs as just doing yum update can spike the traffic enough to suspend it.

    you have to check the logs to see what traffic is happening. and sometimes it isn't so obvious. and there's always a script kiddie smarter than you, who can hide/cloak traffic
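
An added example, not part of any post in this thread and not any provider's tooling: one way to do the log check described above on a box that is only meant to serve FTP, by separating replies sent from the FTP service's own ports from connections the server itself opened, then flagging heavy destinations. The flow-record format, addresses, passive port range, capture window and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not taken from the thread):
# "<epoch> <src_ip>:<src_port> <dst_ip>:<dst_port> <proto> <bytes>"
SAMPLE_FLOWS = """\
1000 192.0.2.10:21 198.51.100.7:51514 tcp 4000
1000 192.0.2.10:50021 198.51.100.7:51620 tcp 900000000
1002 192.0.2.10:44120 203.0.113.99:80 tcp 1100000000
1006 192.0.2.10:44121 203.0.113.99:80 tcp 1150000000
1006 198.51.100.7:51620 192.0.2.10:50021 tcp 500000000
1009 192.0.2.10:38000 198.51.100.53:53 udp 300
""".splitlines()

LOCAL_IP = "192.0.2.10"   # assumption: the backup server's own address
WINDOW_SECONDS = 10       # assumption: length of the capture above
# Assumption: ports this box serves from (FTP control plus a passive range).
SERVICE_PORTS = {21} | set(range(50000, 50101))


def split_endpoint(endpoint):
    ip, _, port = endpoint.rpartition(":")
    return ip, int(port)


def outbound_initiated(lines, local_ip=LOCAL_IP, service_ports=SERVICE_PORTS):
    """Sum bytes per (dst_ip, dst_port, proto) for flows the host itself opened."""
    totals = defaultdict(int)
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        _, src, dst, proto, nbytes = fields
        src_ip, src_port = split_endpoint(src)
        dst_ip, dst_port = split_endpoint(dst)
        # Inbound traffic and replies leaving from a service port are expected.
        if src_ip != local_ip or src_port in service_ports:
            continue
        totals[(dst_ip, dst_port, proto)] += int(nbytes)
    return dict(totals)


def flag_heavy(totals, window_seconds, threshold_bps):
    """Destinations whose average rate over the window exceeds the threshold."""
    flagged = [(key, nbytes * 8 / window_seconds) for key, nbytes in totals.items()]
    flagged = [item for item in flagged if item[1] > threshold_bps]
    return sorted(flagged, key=lambda item: -item[1])
```

On the constructed sample, the FTP data transfer to the backup client is ignored and the only destination above a 1 Gbps threshold is the single host on TCP port 80.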

  • jazz1611 said: Can someone here offer me a Storage VPS? I don't need a high-spec VPS. Around 250GB disk?

    Get a product at OVH if you are not smart enough to secure your server. They will prevent outgoing attacks for you. Their DDoS-filters work both ways.

    Thanked by 1 vimalware
  • FlamesRunner Member
    edited August 2015

    Why do you have a root password?

    Any decent minded person would use private key authentication.

    Let alone even allowing the root account to be used in the first place!

  • FlamesRunner Member
    edited August 2015

    Too bad Nodewatch can't nullroute on attacks instead of suspend, would probably be better in the long run anyway IMO. (since you need the DC for that)

  • hosthatch Patron Provider, Top Host, Veteran

    @FlamesRunner said:
    Too bad Nodewatch

    To clarify - this was not nodewatch. The customer had a KVM server.

  • Ah, Nodewatch doesn't support KVM, so.... I guess you were just doing your job, so yeah.
