OpenVZ sending outbound DDOS right after reinstall OS
Several of my VMs from different providers have this issue. I reinstall the OS and let the VM sit there without even logging in to it. Then, anywhere from a few hours to a few days later, you get a suspension notice saying the VM is sending outbound attacks. Is it an OpenVZ vulnerability? It has happened to me at more than one provider.
Don't use "1234" for the root password.
Don't use root passwords at all, configure key auth right after installing.
You need to check that the install doesn't have DNS recursion set to 'yes' by default, otherwise you're likely being used in a DNS amplification attack.
Use a non-dictionary, non-simple password, or set up SSH key access instead of a password. You may try scanning your OS using programs like rkhunter or chkrootkit.
It has to be a DNS amplification.
You need to check on that.
Why a provider would have BIND in the template to begin with is beyond me...
It's more likely his root passwords are easy and the VMs were broken into.
This. It happened to me.
The first thing you should do is change the SSH port to something other than 22, this will prevent 99% of automated attacks not targeting you specifically.
This is a sysadmin vulnerability.
If you're not even going to take the most basic precautions after installing any os on an internet-facing box, I'd feel more comfortable if you stopped using the same internet I use for work & play.
The first thing that raises suspicion is that you say this has happened with multiple providers. Is there some higher level issue to address, such as a compromised email password?
If you're not touching the VMs and this is happening, root should still have a randomly generated password. Of course "random" could be bit dubious, but it seems fairly unlikely someone is going to put the time in to crack the passwords, rather than just pick an easier target (lord knows, there are plenty).
This happens to some of my customers also. They all leave the password as something like pass123 or [email protected]$$123, so they easily get compromised.
Insecure Passwords or Open Resolvers.
We also experienced that with some of our customers. We investigated it (because if it were a bug in OpenVZ or SolusVM, etc., it would be catastrophic), but in every case the user used weak passwords, and bots got into the VPS over SSH.
How can a bot find the IP?
Because people have lists of IPs, and crawlers hit IPs by the thousands every minute looking for open ports.
Y'know, since IPv4s run from 220.127.116.11 to 255.255.255.255.
Simple, people just scan IP ranges for open SSH ports.
Disable root login and use sudo instead, and install fail2ban. Installing it and leaving it without any securing is pretty negligent.
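A way to check a fresh template for the two defaults the replies above blame (password logins for root in sshd, and BIND acting as an open recursive resolver), written as an added example rather than code from this thread or from any provider. The sshd_config and named.conf contents are constructed samples, and the OpenSSH and BIND defaults it assumes are noted in the comments:

```shell
#!/bin/sh
# Added example, not code from the thread or from any provider's template. It audits
# the two template defaults the replies above blame for outbound attacks: sshd still
# accepting password logins for root, and BIND running as an open recursive resolver.
# The config files below are constructed samples written to a temp dir, so it runs
# offline. Assumptions: Match blocks are ignored, allow-recursion fits on one line.

# Effective value of an sshd_config keyword: OpenSSH takes the FIRST uncommented
# occurrence (keywords are case-insensitive); $3 is the default when it is absent.
sshd_value() {
  awk -v key="$2" -v def="$3" '
    tolower($1) == tolower(key) { print $2; found = 1; exit }
    END { if (!found) print def }' "$1"
}

# Succeeds when root can still log in with a password. Assumed defaults:
# PermitRootLogin prohibit-password (OpenSSH >= 7.0), PasswordAuthentication yes.
ssh_root_password_open() {
  [ "$(sshd_value "$1" PermitRootLogin prohibit-password)" = "yes" ] &&
  [ "$(sshd_value "$1" PasswordAuthentication yes)" = "yes" ] || return 1
}

# Succeeds when named.conf recurses for anyone: "recursion yes" (BIND's default when
# the statement is absent) plus "allow-recursion { any; }" or no allow-recursion at
# all (flagged conservatively: BIND >= 9.4 defaults to localnets/localhost, older
# builds defaulted to any).
bind_open_resolver() {
  rec=$(sed -n 's/^[[:space:]]*recursion[[:space:]]*\([a-z]*\).*/\1/p' "$1" | head -n 1)
  [ -z "$rec" ] && rec=yes
  [ "$rec" = "yes" ] || return 1
  ! grep -q 'allow-recursion' "$1" || grep -q 'allow-recursion[^}]*any' "$1" || return 1
}

# Constructed sample configs: a typical weak template beside a hardened one.
TMP=$(mktemp -d)
WEAK_SSHD=$TMP/sshd_weak;   HARD_SSHD=$TMP/sshd_hard
WEAK_NAMED=$TMP/named_weak; HARD_NAMED=$TMP/named_hard
printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$WEAK_SSHD"
printf 'Port 2222\nPermitRootLogin no\nPasswordAuthentication no\n' > "$HARD_SSHD"
printf 'options {\n  recursion yes;\n  allow-recursion { any; };\n};\n' > "$WEAK_NAMED"
printf 'options {\n  recursion no;\n  allow-recursion { localhost; };\n};\n' > "$HARD_NAMED"

for f in "$WEAK_SSHD" "$HARD_SSHD"; do
  ssh_root_password_open "$f" && echo "$f: root can log in with a password"
done
for f in "$WEAK_NAMED" "$HARD_NAMED"; do
  bind_open_resolver "$f" && echo "$f: open recursive resolver"
done
```

On a real box, point the two checks at /etc/ssh/sshd_config and the named.conf your template ships, and treat a hit from either as a reason not to leave the VM idle on the network.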
My point is not that I use unsecured stuff. I know how to secure my server. However, for providers that use templates that have so many security problems, isn't that a problem?
I don't think it's any providers job to force you to login to the system you just installed and secure it.
I am amused that you "know how to secure your server" and just can't be fucking bothered.
Pardon my french.
I got attacked by China (a Chinese IP logged in my log) and he managed to get into my server. After that he executed some script that automatically commanded my VPS to send DDoS. I reinstalled my server and still got scanned by that IP and some other IPs (China). I managed to get rid of that attack by changing my SSH port and root username.
I hate Chinese IPs.... Whenever I see the fail2ban log I see 95% are from China ... :(
I have to wonder why providers don't create secure templates from the word go.
It is not as if most VPS users are security experts. Security and strong passwords should be built into the template from the word go, and passwords should be automatically generated, or rejected by the ordering forms if they are not secure.
WHMCS, SolusVM, OpenVZ, and KVM template creators - this means you.
Which leads me to a question. KVM server passwords can be changed by booting into a rescue disk, chrooting, and changing the password and the sshd_config if root login is disabled.
With OpenVZ and Xen, if keyboard-interactive login via SSH is disabled and you forget the password to your encrypted SSH key, how do you set a new key?
Does the SolusVM password reset form enable password based login in the sshd config automatically when it is used?
From my understanding, all it does is modify the values in /etc/shadow - it never actually changes your ssh configuration at all.
Though, even if you have your ssh daemon disabled you can still access your server with the console (the equivalent of using "vzctl enter")