My Hetzner account has been hacked, their security is really flawed.
After being attacked, I discovered some of their vulnerabilities that could easily be abused by hackers:
- No login notification for logins from an unfamiliar IP, and no confirmation via email address required.
- If a VPS is created using an SSH key, you will not receive any notification about the VPS being created, and of course when adding an SSH key to create a VPS, you will not receive any notification email either.
- I did not receive any email notification until the invoice was generated and the invoice notification email arrived.
What you can currently do is set up 2FA on your account to protect it.
Comments
2FA and common sense are more than enough to use any system securely. Incompetence does not nullify those tools. No matter what you think.
Always enable 2FA, if and when available.
2FA is always recommended but the points made make sense too. They really should enhance the security policies. Those are standard.
Who's that guy tho. Been seeing him here and there
Are you 100% sure about this?
Too lazy to test this now, but if I recall correctly, when I was using Hetzner, I created instances with and without SSH keys, and I still received emails about VPSes being created.
Just tested this. Did NOT get an email.
That's kinda shitty ngl
Oh, just saw this
2FA is not a magic bullet. Even without 2FA, a proper password would be enough. Of course there needs to be rate limiting implemented server side to prevent brute-force attacks. Without rate limiting, 2FA is insecure too.
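The two controls discussed so far, the OP's missing "login from an unfamiliar IP" notification and the server-side rate limiting this comment asks for, are small enough to show in one piece of code. The following is an added illustration, not Hetzner's or SolusVM's code; the class, thresholds, account names and IP addresses are assumptions constructed for the demo.

```python
"""Added example (not from the thread or any provider): a minimal login guard
showing (1) a sliding-window limit on failed logins with a temporary lockout,
so neither passwords nor 2FA codes can be brute-forced, and (2) flagging a
successful login from an address the account has never used, so the
application can send a notification email. Thresholds are assumed values."""

from collections import defaultdict, deque
from dataclasses import dataclass, field

MAX_FAILURES = 5        # failures per window before lockout (assumed)
WINDOW_SECONDS = 300    # sliding window for counting failures (assumed)
LOCKOUT_SECONDS = 900   # how long a locked account+IP pair stays locked (assumed)


@dataclass
class LoginGuard:
    # timestamps of recent failed attempts, keyed by (account, ip)
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    # lockout expiry time, keyed by (account, ip)
    locked_until: dict = field(default_factory=dict)
    # addresses that have logged in successfully before, per account
    known_ips: dict = field(default_factory=lambda: defaultdict(set))
    # notifications the application should email out (collected for the demo)
    alerts: list = field(default_factory=list)

    def _prune(self, key, now):
        """Drop failures that fell out of the sliding window."""
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, account, ip, now):
        expiry = self.locked_until.get((account, ip))
        return expiry is not None and now < expiry

    def attempt(self, account, ip, password_ok, now):
        """Record one login attempt and return 'locked', 'fail', 'ok', or
        'ok-new-ip' (success from an address this account has not used)."""
        key = (account, ip)
        if self.is_locked(account, ip, now):
            return "locked"              # refused even if the password is right
        if not password_ok:
            self._prune(key, now)
            self.failures[key].append(now)
            if len(self.failures[key]) >= MAX_FAILURES:
                # lock this account+IP pair; keying on the pair means an attacker
                # cannot lock the real owner out by spamming bad passwords
                self.locked_until[key] = now + LOCKOUT_SECONDS
                self.failures[key].clear()
                self.alerts.append(f"lockout account={account} ip={ip}")
                return "locked"
            return "fail"
        # success: reset the failure counter and check whether the address is new
        self.failures.pop(key, None)
        if ip not in self.known_ips[account]:
            self.known_ips[account].add(ip)
            self.alerts.append(f"new-ip-login account={account} ip={ip}")
            return "ok-new-ip"
        return "ok"


def demo():
    """Constructed scenario: five bad passwords from one address, then a
    correct password while locked, then logins from a never-seen address."""
    g = LoginGuard()
    t = 1000.0                      # constructed epoch timestamp
    results = []
    for i in range(5):              # 5 failures inside the window -> lockout
        results.append(g.attempt("alice", "203.0.113.9", False, t + i))
    results.append(g.attempt("alice", "203.0.113.9", True, t + 10))   # still locked
    results.append(g.attempt("alice", "198.51.100.4", True, t + 20))  # new IP, flagged
    results.append(g.attempt("alice", "198.51.100.4", True, t + 30))  # known IP now
    return results, g.alerts


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The "new-ip-login" alert is the hook the OP was missing: the application would send the notification email (or require email confirmation) when it fires, rather than staying silent until an invoice appears. Keying the lockout on account plus IP is a deliberate trade-off: it stops one address from locking the legitimate owner out, at the cost of an attacker spreading attempts across many addresses, which is why real deployments usually add a looser per-account limit on top.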
Just to note: I think Hetzner does 2fa email verification on suspicious logins, but obviously, not always
It's probably based on loads of factors to minimize unnecessary verifications while maximizing security, much like Google for example
Obviously, 2fa based on a SECOND device is better, but still
(If I recall correctly, I'm not 100% certain about the above, but I think I recall having to 2FA my email on certain occasions)
And no matter this, the points do make sense; sending an email when you do stuff that can end up costing a lot of money in case the account has been used maliciously should be standard
They could have compromised your computer and stolen your session cookies.
No alert, no Login warning, also pretty sure you can disable these emails.
Even 2FA won't help you on that.
Talk to Hetzner, explain it, they may not bill you if you are lucky.
Not necessarily. Keyloggers would have no problem with even the most complex of passwords.
Don't blame them, it's your fault
True that but if OP's computer/phone is already compromised in the first place it indicates a more serious problem.
It's not relevant to place blame on the client since Hetzner has much to lose themselves from abuse (why do you think they spend so much resources on it?)
The client might chargeback if hacked, causing fees from their payment gateway used
Or the hackers themselves might abuse the network, do illegal things, send spam, whatever, causing A LOT of pain in abuse reports and/or blacklisting
So it's definitely in their best interests to make sure to notify a user of events that could be charged for, like server creations
That's why I don't like solusvm. Email notification is not enough for security.
Using VPNs, public networks, and changing devices and countries, I never got a single 2FA email from Hetzner.
I will not disable these emails because it affects my wallet directly.
It was my fault that the account was exposed, but the protection through steps to verify whether it was the right user or not was their vulnerability.
They only attacked the Hetzner account, so I can't confirm that my computer was controlled.
Fortunately, SolusVM 2 has 2FA support for both admins and clients.
Unfortunately, SolusVM 2 is a trainwreck, or at least, it was when I last used it.
But nevertheless, that's probably a discussion for another thread.
Security has layers and is everyone's responsibility.
This
And, even if a certain party is 100% responsible, every affected party takes a loss when it occurs, and the balance sheet doesn't care whose fault it is
@vivucloud so you didn't have 2FA enabled? What did they do exactly? Create servers etc?
Pretty sure you could say much of the same of everyone using WHMCS and that's like every provider here. If that many are flawed, perhaps you'd be better off adjusting your expectations. It's generally best that expectations and likely reality stay fairly close to each other. Also in places where 2FA is implemented and not quickly bypassed, you generally want to have it on.
They created 60 VPS with the CPX51 configuration.
Did you notice soon? How much have they spent?
We force our users to enable the 2FA.
Experiencing a hacked Hetzner account is distressing. Reach out to Hetzner support immediately to report and resolve the issue. Security incidents can happen, but a swift response from the provider is crucial. Collaborating with their support team will help secure your account and shed light on any potential vulnerabilities for improvement.
Why the sudden necro? Did your reply add any value?
And if you lose it, what do you have to do to prove it, for example? A phone number that receives a confirmation SMS or something else? You'll never log in again. Or just the system will glitch and won't let you accept the confirmation code. These 2FA can cause more problems than good.
'Vulnerabilities' sounds like the wrong term though I understand your overall post.
This is not a 'vulnerability' though what you are suggesting can be useful.
Maybe partially a bug in sending out an email, but not a 'vulnerability', especially if you're using an SSH key and not the password login system, which can sometimes be brute-forced etc.
This part I do somewhat agree with and if I didn't hear about news about people bypassing 2FA, I would have assumed this is the best security you can add in addition to a long difficult password on the website.
And still then, a side door could be available for someone to bypass logins altogether.