Hetzner Server IP blocked for MAC Abuse

orinoco Member

My server got IP blocked for apparent MAC abuse. I have been receiving this message all year; when I go to check if the problem still exists, without doing anything, the ticket has been cleared, but now they have stepped it up a level. I have emailed them in the past querying if this was being misreported or if this was a hardware issue, until the latest switched-off event

Unallowed MACs:
1a:5b:cc:e1:7f:ac
66:45:cc:e1:7f:ac
d0:62:cc:e1:7f:ac

Hetzner Gateway MAC
cc:e1:7f:ac:7d:2d

This is not an HW issue. This is a software issue.

We learn his MACs on your switchport.

Server is running no VM software; it runs Quickbox and has done for 5 years without issue until this year. Any help/pointers gladly appreciated.

Comments

  • ralf Member

    Have a read of this seemingly identical issue, also at Hetzner:
    https://lowendtalk.com/discussion/comment/3465779

  • Had a read, does look similar to my issue. Quoted that to their technical team and that issue appears the same, to be told that it is not hardware and is software. Anyone with technical knowledge able to see from what I have posted as though this does appear to be hardware, and if so what are indicators? Thanks

  • kazawiki Member
    edited October 6

    Do you use a network bridge (aka vmbr0) which is bound to the ethernet?

    These seem to be virtual MACs (no vendor found on https://macvendors.com/)

    1a:5b:cc:e1:7f:ac
    66:45:cc:e1:7f:ac
    d0:62:cc:e1:7f:ac

    Hetzner uses Juniper, so cc:e1:7f:ac:7d:2d = Juniper

  • ralf Member

    Like I said, the problem seems to be identical (first 4 octets of router appearing in last 4 octets of claimed spoofed addresses). In the other thread, Hetzner replaced the hardware, swapping the disk out into an "identical" machine, and all that thread's OP's problems went away. I suggest you try asking for the same; maybe you can also contact that thread's OP to get their ticket details so you can add that to your ticket.

  • orinoco Member
    edited October 6

    Fantastic thanks really appreciate the help and info, no bridging bound to the ethernet

  • I didn't update it on let, but Hetzner actually replaced my server 3 times :D It was all due to the same MAC address issue.

    May I know what motherboard you have? All the ones that had problems were all MSI MS-7816.

    I'm on my third server that got a Xeon E3-1246 v3 instead of an i7 4770 (still the same motherboard) and nothing so far.

  • Neoon Member, Community Contributor

    @datanomi said:
    I didn't update it on let, but Hetzner actually replaced my server 3 times :D It was all due to the same MAC address issue.

    May I know what motherboard you have? All the ones that had problems were all MSI MS-7816.

    I'm on my third server that got a Xeon E3-1246 v3 instead of an i7 4770 (still the same motherboard) and nothing so far.

    Let's say Hetzner's system says you are on that switch port, but this is wrong.
    Someone else has a fucked up config but you get blamed.

    Or Hetzner's system is fucked.
    If they replaced your hardware 3 fucking times, it's either that or still a software issue.

  • orinoco Member
    edited October 6

    My motherboard is H87-G43 (MS-7816), any chance you can share your ticket ID via DM so I can add it to my ticket?

  • So my server has been locked again for MAC abuse as below

    Unallowed MACs:
    48:40:cc:e1:7f:ac
    70:ed:cc:e1:7f:ac
    bc:a7:cc:e1:7f:ac

    Unallowed MACs on Tuesday were
    1a:5b:cc:e1:7f:ac
    66:45:cc:e1:7f:ac
    d0:62:cc:e1:7f:ac

  • vba Member
  • Hetzner Online GmbH installimage

    source /etc/network/interfaces.d/*

    auto lo
    iface lo inet loopback
    iface lo inet6 loopback

    auto eth0
    iface eth0 inet static
    address 46.4.ab.cd
    netmask 255.255.255.224
    gateway 46.4.ab.ef
    # route 46.4.ab.gh/27 via 46.4.ab.ef
    up route add -net 46.4.ab.gh netmask 255.255.255.224 gw 46.4.ab.ef dev eth0

    Added an additional IP 2 years back but cancelled it after a couple of months - is this the issue?

  • ralf Member

    I think it'd be really interesting to see what's in these allegedly spoofed packets. If all the data is offset 2 bytes from something that makes sense, it'd strongly suggest faulty hardware on either the OP's machine or the machine that's looking for spoofed packets.
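
Added example (not part of any post in this thread): a Python check of the two observations made above, namely whether each reported MAC ends with the leading octets of the gateway MAC at a fixed byte offset, and what the U/L and I/G bits of its first octet say. The MAC values are the ones posted in the thread; the function names and the 3-byte minimum overlap are assumptions of this example.

```python
# Added example: the MAC values below are the ones posted in this thread.
GATEWAY = "cc:e1:7f:ac:7d:2d"
REPORTED = [
    "1a:5b:cc:e1:7f:ac", "66:45:cc:e1:7f:ac", "d0:62:cc:e1:7f:ac",
    "48:40:cc:e1:7f:ac", "70:ed:cc:e1:7f:ac", "bc:a7:cc:e1:7f:ac",
]


def parse_mac(text):
    """Parse a colon- or dash-separated MAC address into 6 raw bytes."""
    parts = text.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def shift_offset(mac, gateway, min_overlap=3):
    """Return k if the last 6-k bytes of mac equal the first 6-k bytes of
    gateway (mac looks like gateway slid right by k bytes), else None.
    Overlaps shorter than min_overlap bytes are ignored as coincidence."""
    for k in range(1, 6 - min_overlap + 1):
        if mac[k:] == gateway[:6 - k]:
            return k
    return None


def analyse(reported, gateway):
    """Return one dict per reported MAC with shift and first-octet flags."""
    gw = parse_mac(gateway)
    rows = []
    for text in reported:
        mac = parse_mac(text)
        rows.append({
            "mac": text,
            "shift": shift_offset(mac, gw),
            "locally_administered": bool(mac[0] & 0x02),  # U/L bit
            "multicast": bool(mac[0] & 0x01),             # I/G bit
        })
    return rows


if __name__ == "__main__":
    for row in analyse(REPORTED, GATEWAY):
        print(row)
```

Every address from both lock events reports a shift of 2, which is the overlap ralf describes; the U/L bit is set on only two of the six, so the first octets do not follow one consistent locally-assigned scheme.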
