All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Hosthatch.com auto suspended vps without alert
I have order VPS with plan Storage VPS (Package #1 - 5$/m) for remote backup data via FTP. I have created many user FTP (no permission access SSH). The user for my client auto backup data remote backup via FTP (cronjob on DirectAdmin). And today, my client was report the data not transfer to remote backup. I checked VPS on https://vps.hosthatch.com/ and see VPS has been suspended without alert (although the service still marked Active). I have send ticket to support and they tell me "Your server was suspended for outgoing attacks.". the VPS just installed FTP service (don't allow anonymous login) vs password strong. How can VPS outgoing attacks? And FTP accounts can outgoing attacks?
Comments
That's life bro.. We also suspend for outgoing attack to protect our network. They're probably doing the same.
@joodle VPS hosthatch.com (VPS a) just save data from other VPS (VPS b). (VPS b) transfer data via FTP to (VPS a). So, (VPS a) called "outgoing attacks".
The only time we notify is when it is suspended (or going to be suspended, so the user can fix the issue before) for load. We also mostly notify for incoming attacks, although there is no automated system for this so we miss it sometimes (working on a more permanent solution).
We do not notify for outgoing attacks or servers shut down by nodewatch (for very high PPS, SMTP or SSH connections) - especially if it's a new customer with their first server, since it is either an abuser or someone who has not setup/secured their server correctly.
Your VPS could have been breached..
@Abdullah I have set separate times for being not too large traffic/bandwidth. So how would you solve this issue?
It sounds to me like they have suspended the OP because they mistook high speed FTP transfers for a DDoS attack just because it was at high speed? To me sounds like someone letting an automated script make decisions and then instead of reviewing the issue just telling you what the script told them.
I would ask them what port the attack was on and let them know your FTP port and see if it was what they saw. If so, let them know it isn't an attack but yout back-ups being transferred from one server to another. If they can't deal with that, find another host.
my 2 cents.
Cheers!
If you knew you were not doing bad things. Check if your root password is too simple and is compromised.
@TheLinuxBug the VPS client vs VPS backup same Los Angeles. i think that possible but will not make a attacks.
@elgs i told on topic, the password is strong.
You are more than welcome to use the assigned bandwidth at any part of the day. There is no issue here for us to solve. We do need to do better notifications, I agree, and we're already working on this but we cannot notify each customer who signs up and starts sending out attacks on their first server, in their first month.
Your server was sending ~1.8Gbps of TCP traffic to port 80 of a chinese IP address. Traffic shaping was not enabled or it would be limited to 1Gbps. I'll send the logs to your ticket along with a refund so you can move to a better provider.
Sorry but you are wrong. I am the first one to admit our mistakes when it is actually our mistake. This one is not.
1.8Gbps TCP traffic to port 80 of a chinese IP is far from backup FTP traffic.
@Abdullah you can right about that. but i have security the VPS. I hope that does not happen again and no reason to outgoing attack when I really need them for my job.
what steps have you taken to secure your VM?
@wych security SSH, FTP. installed CSF for block brute-force attack.
there's 2 possibilities. 1) you did the attack. 2) you let someone else do the attack, perhaps by not securing the VPS
hosts don't want either case, hence the termination. you're lucky to get a refund. most hosts state in their T&Cs - in case of abuse, NO REFUND
No matter the security you put in place, sadly people will still try and hack into and be successful.
I am sure HostHatch have no reason to make this up, and if they have the hard evidence to prove what they are saying, then it seems something in your security allowed someone to gain access. Either via SSH or FTP.
We didn't terminate, just suspended it, in case the customer needs a backup of the data on the server.
but you intend to
Yes, sorry I misunderstood your comment.
my point was simply that he is lucky to be offered a refund. many won't
Hey should warn you before suspending it seeing that they can see the attacks when they start. They should warn you to lockdown your server if you fail to yield to the warning then suspend your server.
We should let a 1.8Gbps outgoing attack continue until the customer can take action? Am I reading this correctly?
in here, someone can offer to me the Storage VPS? I don't need high configure VPS. Around 250GB DISK?
nodewatch does it automatically
True, its just suspended the data is not lost but it needs to be checked out by the hosting company.
with Gb ports on a server that's not heavily loaded, and connected to a good network, it's easy to "dos" yourself. I've had to whitelist my own VMs as just doing yum update can spike the traffic enough to suspend it.
you have to check the logs to see what traffic is happening. and sometimes it isn't so obvious. and there's always a script kiddie smarter than you, who can hide/cloak traffic
Get a product at OVH if you are not smart enough to secure your server. They will prevent outgoing attacks for you. Their DDoS-filters work both ways.
Why do you have a root password?
Any decent minded person would use private key authentication.
Let alone even allowing the root account to be used in the first place!
Too bad Nodewatch can't nullroute on attacks instead of suspend, would probably be better in the long run anyway IMO. (since you need the DC for that)
To clarify - this was not nodewatch. The customer had a KVM server.
Ah, Nodewatch doesn't support KVM, so.... I guess you were just doing your job, so yeah.