vStoike customers - I need some help
Could someone shed some light about this issue I'm having with my VM?
- Yesterday (Feb 17), my VM was down for 34 minutes from 18:21 UTC to 18:55 UTC.
- During the downtime, SolusVM was showing as "in maintenance". I am hosted at slave2-solusvm.vstoike.ru.
- sshd has a new RSA key. Timestamp for the key is Feb 17 18:06, just before maintenance. I am 100% certain I didn't make this change.
glibc was patched within hours of the fix becoming available and the server is only hosting OpenVPN and Shadowsocks servers.
Can anyone confirm whether they were affected by the maintenance too (especially if hosted on the same node) and if their RSA key fingerprint is also different?
Comments
I'm on a different node, but no downtime/RSA key change.
It took a long time for them to reply to my email (about 2 days) and the price is 240RUB for RU citizens but 4.7USD for foreign customers... I don't think vStoike is reliable, subjectively :-(
@Nyr check your /etc/rc.local if it has anything which makes it re-generate the sshd key on boot. Some VMs I had were set up this way.
I have already discussed this previously with another guy here: the currency conversion was very reasonable when they launched this pricing, since then the RUB has gone downhill a lot and USD is doing well. Anyway the costs for foreign customers are higher than local so I don't really see a problem with this.
About support, I've been (mostly) a happy customer for a year and half and they had been reasonably fast for the price I'm paying. Never took them more than 12 hours to get back to me. They aren't always very helpful but it's mostly fine (again, considering the price).
They aren't awesome, but they are as good as you can get in the region for this price.
Seen this too, but not the case. I've also been running this VM for some time already.
Anyway, about this topic: I contacted support and the reply wasn't very helpful...
I can accept that the RSA key change has other explanation, but they are also denying the downtime and that's simply false. Either the support guy is incompetent or he's just lying to me.
I am fully certain that the server was down for many minutes and then booted again; external monitoring, internal logs and the unreachable VPN all prove this.
I guess I need to switch ISP...
I told them about the logs, their reply:
I don't think I'm getting anything more out of this. I assume just incompetence but I'm switching ISP anyway.
for good stuff in Russia, choose ihor. but don't expect anyone replying to your ticket in English.
I'd be very curious about the ssh key change. What could justify that? Personally that would break a lot of my systems (e.g., ansible) and I'd be pissed. And really, it seems like someone was being intrusive...
If a grep -R of ssh-key (either in /etc or in /) doesn't show anything, then if they just copied something into place you'd probably never see it other than finding a different key and a different timestamp.
I've never seen anything like that...seems dodgy.
I know them but will use Selectel for this.
Nothing that I can think of. My image was clean just with VPN software there.
Indeed. This, along with the support being... unhelpful to say at least is why I'm leaving right now.
In your place I'd do a complete file level compare to my local backup of the entire VPS, to see if anything else whatsoever was changed, aside from the SSH key. Dunno if you have such a backup.
Or for the simplest of things, at least check the output of last, and the bash history of the root user.
Although useless in your case, but still relevant to the topic, Tripwire and AIDE are good tools for detecting system intrusion.
Basically they store the digest of every file in your system and notify you if there are any differences detected on subsequent runs.
Haven't touched them in a while though (since 2008 maybe), not sure if they're available for your OS.
EDIT: Oh wow, there's even a DO tutorial on Tripwire which surfaced while I was googling for the projects' status.
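To show what Tripwire, AIDE and debsums are actually doing under the hood, here is a minimal added example (my own illustration, not code from either project or from this thread): take a digest baseline of a file tree, take a second snapshot later and report what was added, removed or changed. The demo builds a constructed ssh directory in a temp dir and simulates the event in this thread, a replaced host key; it assumes the baseline was taken before the event, which is exactly why such a tool must be set up in advance.

```python
"""Minimal AIDE/Tripwire-style integrity check (added illustration, not the real tools)."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Record a SHA-256 digest and mtime for every regular file under root.
    Paths are stored relative to root so a baseline can be kept off-box."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # AIDE tracks symlinks separately; this demo skips them
            rel = str(path.relative_to(root))
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            baseline[rel] = {"sha256": digest, "mtime": int(path.stat().st_mtime)}
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Return files added, removed or changed between two snapshots.
    Comparison is by digest, not mtime: a touched-but-identical file is not reported."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new)
                     if old[p]["sha256"] != new[p]["sha256"])
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: baseline an ssh dir, then the host key gets replaced."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh = Path(tmp) / "ssh"
        ssh.mkdir()
        (ssh / "sshd_config").write_text("PermitRootLogin no\n")
        (ssh / "ssh_host_rsa_key.pub").write_text("ssh-rsa AAAA...constructed-original\n")
        before = snapshot(tmp)
        # Simulated event: host key regenerated, config left untouched.
        (ssh / "ssh_host_rsa_key.pub").write_text("ssh-rsa AAAA...constructed-new\n")
        (ssh / "ssh_host_rsa_key").write_text("-----constructed private key-----\n")
        after = snapshot(tmp)
        return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

In real use the baseline file must live somewhere the box cannot silently rewrite it (that is the "store the digest" step the post describes), otherwise an intruder can refresh it along with the files.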
debsums also can check this, and all digests are included by default in Debian (i.e. it does not need to be set up before the event). However it will only detect "changed" for all config files and the like, so you won't instantly notice if the config file that you changed yourself was also changed by an intruder later.
Looks like a Debian counterpart of rpm -V to me. Though, Tripwire and AIDE work for all files in the system.
Unfortunately I don't have images from this VPS since it wasn't storing any data.
I obviously did some forensics... but discovered nothing relevant to the source of this change nor any other significant change.
Anyway, I am just setting up a new box since I can't trust this one anymore and just want to spend the weekend with some friends and not in front of the computer.
Thanks, guys.
I've received sufficiently fine support in English at Selectel. Their DO clone is also much more comfortable than vStoike, apart from no native IPv6.
I had been a Selectel customer for quite a long time and am pretty happy overall.
Weird for sure. During the time period mentioned my monitoring detected my VM as flapping. My SSH config was not touched however and it was NOT rebooted.
I am on slave3-solusvm.vstoike.ru
"Sorry, @Nyr, you weren't supposed to notice what my agents did to your VPS."
My VPS is also up and running. No downtime registered since the last reboot. (I'm using two monitors). No fingerprint changes.
Btw how did you obtain the hosting server address? Can't seem to find it in my control panel. Reverse lookup doesn't show the PTR for the default router IP either.
So I guess that means you consider vStoike better than Vscale? Do you think they're better enough to be worth twice the price for non-Russians?
Well for the record, to log into the VPS they wouldn't need to reset its sshd host key, just add their own key into /root/.ssh/authorized_keys (temporarily). So it's indeed conceivable that during the "sync of the accounts (from billing)" the script which resets the newly installed templates so that each of them is unique (has its own host key) has mistakenly fired off.
It's shown in SolusVM.
I was paying around the same for vStoike, so price wasn't a factor for me.
Based on my (previous) experience with vStoike's support + network, I would prefer Vscale for production. Also, they don't switch upstreams each few months.
Indeed, that's the most plausible explanation.
It's in SolusVM not the billing panel
Ah, right. I have forgotten when I opened it last time. I'm on slave10-solusvm.vstoike.ru then.
They are actually not as good as we'd wish. They are growing and their goal is not quality, but quantity at this moment. Moreover they are a big DDoS target and they lack efficient DDoS protection to my knowledge. I looked through their topic at SearchEngines and found that many people have issues with them. How long have you been using them, what is your uptime, are there any network issues?
PS
Moreover their domain name sounds a bit like an 'iwhore')