How sketchy is BuyVM?
I'm not talking about hosting controversial websites, I'm talking about hosting active hacking/bruteforcing activity. From what I've heard they sound like a pleasure to do business with as a customer, but it seems like the top sources of SSH bruteforcers on my servers are (in descending order): China; Russia and Baltic states; BuyVM customers; South American countries.
I'm talking about stuff like this (all apparently still actively bruteforcing SSH within the last hour):
Reporting to the registered FranTech abuse email seems to have no effect.
If these tenants were just portscanning I think reasonable people could disagree about the limits of security research or whatever, but trying to pick the locks of thousands and thousands of servers seems like where most legitimate providers would draw a line?
I'm not trying to trash BuyVM; I know they have lots of happy customers. But allowing your tenants to make headaches for other website owners... c'mon, man.
Thoughts?
Comments
I think you forgot to tag @Francisco here.
Loads of VPNs on there, loads of ddos kids on there.
But, a legitimate, and probably most popular company here.
You know the drill.
Say you host pretty much anything, we don't care.
Attract a bunch of nabs to buy from you, let them do whatever, then hit them with a TOS violation. It's easy money. You free the server and get to keep the money...
Weee are bizni$$ m3n's. Legit.
Where does it say BuyVM allows such activities on their servers/network?
Just pre-ban subnets if you're getting crap.
With my fleet of mail servers I feel like I have a pretty good handle on which networks are spewing the most trash. I have a few BuyVM IPs on my blacklist and I’ve thrown logs at Fran a few times. Relative to size, it’s about what I’d expect of any well run network equal to it. It isn’t a frequent player in my logs for bad activity. Maybe equal to Linode.
Most compromised WordPress sites and junk like that can’t really be actively policed on a VPS customer unless it sets off alarms or inbound abuse complaints are received. Even when complaints are received, it’s between them and the customer to determine how much is reasonable to put up with for how long before the customer fixes it. Usually the customers don’t know how, so if it’s not a DDOS then it’s not a high priority; overly concerned recipients of brute force can and should be blocking it.
People accused me of supporting bad behavior at DO because I wouldn’t terminate grandma’s recipe blog on the spot for one brute force attack caused by a plug-in she didn’t know how to update. There’s supporting and there’s not being hostile to your paying customers at the immediate command of third parties, two different things. If you terminate WP customers on the spot you don’t fix anything, they’ll just take their compromised website to another network that won’t.
http://www.uceprotect.net/en/rblcheck.php use ASN 53667
@DP I was referring to seeing SSH bruteforce attempts from IPs that were already reported for the same activity days earlier. A TOS document doesn't mean much if it's not how a provider actually operates. Hopefully there is some explanation.
It's all on you then for allowing your SSH to be reachable by others.
I can tell you if you're using something like AbuseIPDB that basically tries to be as annoying and unhelpful as possible to force companies into purchasing API access and configuring something on their end, it's not going to be very effective.
Just look at the logs and how often abuse is reported from that first IP address.
People set this up as well as auto reports for Fail2Ban, Abusix, and others and think they're achieving something. All that ends up happening is low quality automated reports flood the provider's abuse email and it's impossible for basically any company to sift through all of them. Everyone has their own long message written that gets sent out automatically and most of them don't even bother putting the reported IP address in the email subject, and don't even monitor for emails back asking for more information. A lot of these are cc'd to like 10 other email addresses that they think might in some way be related. Every provider is going to have their own filtering set up on their end for email reports and it is highly likely that your report will end up in junk and they'd rather just rely on whatever tool they're using themselves and actual human-made reports.
@VirMach Thanks for the info. I only use the AbuseIPDB website to see if it's also affecting other people, but the reports I submitted to BuyVM were human-made (I don't have any automated reporting set up). No reply from them and the same IPs are apparently still bruteforcing.
Personally I don't care if my server gets bruteforced; I just use a firewall script to add the latest failed logins to a blocklist. Problem solved.
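The blocklist approach in the comment above, as an added example that is not from the thread: it parses sshd log lines for failed attempts, keeps the addresses at or above a threshold (minus an allowlist so you never lock out your own management IP), and renders nft commands for a drop set with an expiry. The sample log, the set name `sshbrute` and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sshd log lines (not from the thread); sources are RFC 5737 documentation addresses.
SAMPLE_AUTH_LOG = """\
Jun 10 12:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jun 10 12:00:03 web1 sshd[1204]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Jun 10 12:00:05 web1 sshd[1208]: Invalid user oracle from 203.0.113.7 port 51140
Jun 10 12:00:09 web1 sshd[1210]: Failed password for root from 203.0.113.7 port 51150 ssh2
Jun 10 12:01:00 web1 sshd[1220]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Jun 10 12:01:30 web1 sshd[1221]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2
Jun 10 12:02:00 web1 sshd[1230]: Failed password for root from 192.0.2.9 port 33000 ssh2
Jun 10 12:02:01 web1 sshd[1231]: Failed password for root from 192.0.2.9 port 33001 ssh2
Jun 10 12:02:02 web1 sshd[1232]: Failed password for root from 192.0.2.9 port 33002 ssh2
"""

# OpenSSH logs a failed attempt as "Failed password for ... from <ip> port <n>" or "Invalid user ... from <ip> port <n>".
FAILED_ATTEMPT = re.compile(r"sshd\[\d+\]: (?:Failed password for|Invalid user) .*?\bfrom (\S+) port \d+")

def count_failures(log_text):
    """Count failed-login events per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_ATTEMPT.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def offenders(log_text, threshold=3, allowlist=()):
    """Addresses with at least `threshold` failures, excluding the allowlist (e.g. your own management IP)."""
    counts = count_failures(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allowlist)

def nft_commands(ips, timeout="1h"):
    """Render nft commands that add offenders to a drop set whose entries expire on their own.

    Assumes the set and rule were created once (set name is an assumption):
      nft add set inet filter sshbrute '{ type ipv4_addr; flags timeout; }'
      nft add rule inet filter input ip saddr @sshbrute drop
    """
    return [f"nft add element inet filter sshbrute {{ {ip} timeout {timeout} }}" for ip in ips]

if __name__ == "__main__":
    for cmd in nft_commands(offenders(SAMPLE_AUTH_LOG, allowlist={"192.0.2.9"})):
        print(cmd)
```

Run it against the real `/var/log/auth.log` (or `journalctl -u ssh`) from cron and pipe the output to `sh` only after checking that your own address is in the allowlist.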
After being on the receiving side of such things for so long, my attitude began to shift from such a common mindset to a less common one. Why did I, or why does anyone, feel like I was owed a reply or explanation? Honest questions, and they hit me in the gut. Abuse reporters became so abusive toward me at DO that I began to question where their sense of entitlement came from, and it changed my whole mindset toward abuse reporting.
If a network is bad enough, we should all be blocking it. If the good traffic outweighs the bad, we shouldn't. But we can't plant our own expectations on someone else and expect them to follow through, we should be following through in areas we can control.
@jar That does sound like a difficult situation to be in. I have never really expected a reply unless more info was needed and don't think I have been abusive, I was mostly just hoping that abuse reports might do something.
Sounds to me like there's a bit of burying one's head in the sand here, from some folks.
Not everyone has the time/inclination to research a provider's "official" means of reporting actual abuse (bruteforcing/port scanning) and would much prefer it just to stop. In an ideal world the perp. would be "punished" too.
You talk a big game on abuse but I'd really like to see you manage abuse on a large platform where your customers have root, while maintaining your ideas of privacy and security, and while continuing to actually have a customer base to work from. In my view it’s impossible to perfectly balance security (I can’t see what you do), privacy (I won’t dig in your stuff), sales (can’t fix what isn’t on your network), and abuse resolution (not everyone is intentionally malicious, and attacking them reverts back to sales: changing the host relevant to the discussion doesn’t fix the traffic). Lucky for me I don’t run a standard hosting environment but I’ve plenty of scars from doing it.
It's not an insult, I see in you the same qualities that reality kicked out of me at scale. It's all good thoughts and well justified but reality does tend to be a bit humbling. It's a lot more economical to throw stones than to juggle them. That's why I do it, throw stones that is.
Maybe we're all crazy and you'd show us how it's done. I'd place my bets that you'd instead learn the problems that come from trying to balance your existence with the demands of third parties. But maybe I'd be wrong. Take the challenge and look for Trust & Safety roles. Be the one to challenge everyone by showing them how it's done at scale.
I for one would be delighted to see someone match all of my values with practical and economical application where I've resigned to the idea that it's presently impossible. At scale of course. Everything is easy under 10k customers.
I always wonder what would happen if people sent all their automated reports with a single line of attempted logins to government agencies. After all, the government is arguably the most paid party, with the ultimate ability to make these activities stop, and the only real authority that could punish these people. Surely they would not ignore anyone's report and deal with the abuse swiftly.
If not, perhaps one should reconsider sending a report and reserve that for extremely pressing cases. Then, providers could most likely allocate more time to those. Of course, that's not realistic either but perhaps one of my fantasies.
When a jar has enough, it pops or explodes.
Catastrophic consequences will follow. Thus, the end is nigh.
Realistically, the US gov could re-purpose the 11/8 ASN as a network of honeypots, and actually punish providers for not taking action
No one's seemed to mention that BuyVM supports tor and allows customers to host exit nodes, so that's where a good chunk of abuse complaints are going to come from. 20+Gbps of tor network traffic: https://metrics.torproject.org/rs.html#search/as:53667
The point of a honeypot is to look like a legitimate host, not be on an easily identifiable /8 that every kiddie would then know to skip.
I have about 900 domains all focused at one IP address; BuyVM is a major source of shit traffic.
Yes, tor exits are a part of the problem, but not all of it, and there is really no need to start the tor debate here again because we all know that it is something like the 95-5 rule.
The amount of shit traffic on the net is out of control and I use AbuseIPDB extensively and it works well for me because I block and report for everything and block on a 0 history and up.
TOR makes up lots of the crap.
There's others that are comp'd VM's too, and probably just some bad actors (people signup on crypto, run brutes or whatever).
I watch out for what's obvious bad stuff (people signing up to blast DDOS, etc).
For what it's worth we're the... 2nd? 3rd? biggest exit node ASN out there. I think OVH/Hetzner are bigger? Maybe Online?
Francisco
Speaking of Tor: the exit node IPs are public: https://check.torproject.org/torbulkexitlist
You should easily be able to cobble together a script which blocks non-HTTP traffic from those IPs. Maybe that weeds out a bunch of oh so worrying fail2ban log records…
What about your AUP, do you enforce it?
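A script along the lines of the suggestion above, added here and not from the thread: it parses a file in the torbulkexitlist format and renders an nftables ruleset that lets those addresses reach ports 80 and 443 and drops everything else they send. The sample list, the table name `torexit` and the set names `exit4`/`exit6` are assumptions.

```python
import ipaddress

# Constructed sample in the torbulkexitlist format (one address per line);
# these are RFC 5737 / RFC 3849 documentation addresses, not real exit relays.
SAMPLE_EXIT_LIST = """\
203.0.113.7
198.51.100.9
2001:db8::1

not-an-ip
203.0.113.7
"""

def parse_exit_list(text):
    """Return de-duplicated, sorted (ipv4, ipv6) address lists; blank or malformed lines are skipped."""
    v4, v6 = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            continue  # never let one bad line abort the whole rule build
        (v4 if addr.version == 4 else v6).add(addr)
    return [str(a) for a in sorted(v4)], [str(a) for a in sorted(v6)]

def render_ruleset(v4, v6, ports=(80, 443)):
    """nftables ruleset: exit relays may reach the web ports; any other traffic from them is dropped."""
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
    def named_set(name, addr_type, addrs):
        body = [f"    type {addr_type}"]
        if addrs:  # an empty 'elements = { }' is a syntax error, so omit it for an empty list
            body.append(f"    elements = {{ {', '.join(addrs)} }}")
        return [f"  set {name} {{", *body, "  }"]
    lines = ["table inet torexit {",
             *named_set("exit4", "ipv4_addr", v4),
             *named_set("exit6", "ipv6_addr", v6),
             "  chain input {",
             "    type filter hook input priority -10; policy accept;",
             "    ct state established,related accept",  # keep replies to our own outbound connections
             f"    ip saddr @exit4 tcp dport {port_set} accept",
             f"    ip6 saddr @exit6 tcp dport {port_set} accept",
             "    ip saddr @exit4 counter drop",
             "    ip6 saddr @exit6 counter drop",
             "  }",
             "}"]
    return "\n".join(lines) + "\n"
```

Write the result to a file and load it with `nft -f`; re-run it on a timer, since the exit list changes continuously and stale entries will otherwise block addresses that are no longer relays.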
Sure, but our own TOS/AUP states that we do our best to be friendly to TOR and not start cancelling services the minute the first case comes in.
People file abuse tickets (not just emails) and they get sent to me. I then look into the cases and act on them. Sometimes I suspend the user if it's a straight up bad actor. Sometimes I just ticket or leave a note on their account to see if it's a repeating issue.
Comps happen all the time. We probably get a couple dozen 'XORDDOS' related compromises a week just because of poor passwords.
Francisco
The more I read these threads, the more I realize that I don't want to be a provider of servers. Cannot imagine the time it takes to go through accounts to determine which is legit abuse vs a compromise. Good read here, especially from @jar and @VirMach.
You can do it with just tcpdump.
If we have reasonable doubt about a user we suspend them with a proper note. Some users will ticket to dispute the claim and they have to prove it's legitimate.
Some never ticket which means they know they're hooped.
Francisco