has anyone gone through this
This discussion has been closed.

Comments
What have user done and thinks it's enough?
Posted a support reply:
-slow clap-
the destination ip is the same as my server
I would be attacking myself with my own server and that is in the log
It's a log from server that is getting attacked, the IP you mention is the SOURCE OF ATTACK, not destination. Did you even read that message?
are the same are mine
I believe RackNerd only showed you the email they received regarding the abuse report. In other words, fail2ban logs were not recorded on your VPS and someone who was attacked from your VPS sent it to RackNerd.
@dustinc Is my understanding wrong?
are the same ip source attack and destination
So your VPS is attacking your VPS? That's some high-level stuff ...
Yes, everyone here is wrong and can't read those screenshots.
No one here knows how this works, this is not a VPS-related forum.
RackNerd support is wrong.
Abusix is wrong.
You, that can't even type a sentence in English and have no idea what is doing in terms of VPS, is definitely right and rest of world are idiots and they just want to punish you for being such good person.
I give up, don't open the picture below.
yes they didn't even have the nerve to look at the logs check or see the bandwidth output
Your VPS is like Frankenstein -- you gotta kill the monster
Hi @tototo -- In this case, the Fail2Ban logs were just one of several abuse complaints (there were multiple abuse complaints open under the OP's account). We relayed each and every abuse complaint we received concerning this IP address over to the customer. With all due respect, I believe that the OP is choosing to only show certain selections, in this case, one specific abuse ticket out of the many on his account.
Some of the other abuse complaints in his account show more specific details including which IPs his server was attacking. OP should look at all of the abuse complaints collectively in order to properly troubleshoot this, instead of cherry picking one specifically. For example, abuseipdb.com shows that the IP address has been reported a total of 249 times from 129 distant sources.
We understand this may not be the OP's intention, but not receiving replies/resolutions to all of the abuse complaints can result in suspension. However, suspensions are easily reversible assuming the client wishes to take the direction to resolve the matter and communicate with us. We of course understand that abuse can and will happen, and work with our customers diligently. But if they become excessive, action may have to be taken to prevent liability (and also to protect the integrity of our network) as we are not a safe harbor.
Well I don’t like PurpleDaddy because of his history of scamming people.
But in this case provider is absolutely right. They did what every host needs to do against customer like OP.
I with 12 dedicated servers would use a vps of 2gb of ram to make brute force attack? what is its capacity to do this?
No one cares how many servers you have with other providers.
So provider did absolutely right thing
I would simply recommend you to accept your mistakes and say sorry. Ask them if they can refund you if possible and move on.
OP doesn't know IT 101 and he manages 12 Dedicated servers
I replied they said it would be no problem
wtf. Ban him, and go on. Da fq u trying to resolve it?
What to resolve? That he is hosting weird software and you already said about it to him?
That you trying to help him, and instead of help, he post topics "how bad provider are" because you suspend him after 249 WARNINGS/ALERTS that something wrong?
Serious? wtf... I don't understand that.
I do understand, that shit can happen, and VPS can be hacked. Okay.
But ignoring such stuff, and make guilt provider for that that in responsibility of client - a wrong thing. I do not protect RackNerd here, but this stuff really crazy.
You forgot to mention that this is within last ~7 days as first report there is from March 29th 2023
249 abuses I wasn't even a customer of the company and they just decided to suspend the server after the 2 abuses not answered as they say to which I replied and the team said it wouldn't be a problem
Thanks for your explanation! At least I don't have to worry about my VPS being suspended
OP, please ask chatGPT to explain to you what happens to a compromised VM and what damage it can cause to others. It's pointless for us to try to explain it, you keep going in circles.
i have gone through digesting a pizza
honestly takes time but works out
Idk but i want the stuff OP is smoking.
Do you have an explanation for why your IP is still the origin for these reports at https://www.abuseipdb.com/check/198.46.131.171 within the last 24 hours?
Something is trying to log into those external servers from your VPS using usernames such as carlos2, gpu01, bar, redmine, etc.
Perhaps you can start logging all packets destined for outgoing destination port 22 to identify the offending process and associated user.
Also I recommend that you harden your other 12 dedis with PermitRootLogin no.
this is so hilarious the server has been down for 12 hours
and has an attack record with 7 hours with the server off
since the mess started 12 hours later when suspended the server it's been off
and continues to have non-stop reports
this network is compromised or OS image
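Added example, not part of any post in this thread: one way to act on the suggestion above to find the process and user behind outgoing port-22 connections is to read the kernel's socket table on the VPS. The sample table, its addresses, UIDs and inodes are constructed, and the function names are illustrative.

```python
import os, socket, struct

# Constructed sample in /proc/net/tcp format (documentation IPs, not real data).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1111
   1: 0500000A:A1B2 0A0200C0:0016 02 00000001:00000000 01:00000064 00000000  1001        0 2222
   2: 0500000A:A1B4 076433C6:0016 01 00000000:00000000 00:00000000 00000000  1001        0 2223
   3: 0500000A:C350 057100CB:01BB 01 00000000:00000000 00:00000000 00000000    33        0 2224
"""
STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT"}

def outbound_ssh(table, port=22):
    """Return sockets whose REMOTE port is `port`, with owning UID and inode."""
    rows = []
    for line in table.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        ip_hex, port_hex = f[2].split(":")       # rem_address column
        if int(port_hex, 16) != port:
            continue
        # The kernel prints the IPv4 address as a host-order word; "<I" assumes
        # a little-endian machine (x86, most ARM).
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        rows.append({"remote": ip, "state": STATES.get(f[3], f[3]),
                     "uid": int(f[7]), "inode": f[9]})
    return rows

def pids_for_inode(inode, proc="/proc"):
    """PIDs holding socket `inode`; needs root to see other users' processes."""
    target, hits = f"socket:[{inode}]", []
    if not os.path.isdir(proc):
        return hits
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            fds = os.listdir(f"{proc}/{pid}/fd")
            if any(os.readlink(f"{proc}/{pid}/fd/{fd}") == target for fd in fds):
                hits.append(int(pid))
        except OSError:                          # process exited or no permission
            continue
    return hits

if __name__ == "__main__":
    live = "/proc/net/tcp"
    table = open(live).read() if os.path.exists(live) else SAMPLE
    for row in outbound_ssh(table):
        print(row, "pids:", pids_for_inode(row["inode"]))
```

A snapshot only catches sockets that exist at that moment, so it has to be run repeatedly to catch short-lived login attempts. IPv6 sockets are listed in /proc/net/tcp6, which this block does not parse.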


It's not real-time tracking of how many abuse complaints you can generate at a given time. The honeypots or victims of your ssh bruteforce attempts can be delaying on sending the complaint or from the service (abusix, abuseipdb etc).
Incorporate in your 10 hours of setup time a chance to harden your server instead of sitting around crying on how you can't address abuse complaints. These complaints have been going on for 9 days, plenty of time to address the issue so your VM isn't doing the dirty deeds of someone's botnet.
and how do you explain to me the traffic that does not exist?
and the output of syslog logs that do not have ssh output???
there are abuses on the ip since I wasn't even a customer
either they advance the logs a lot
or too late
I think they are putting coal in machines due to the lack of energy in Europe
What do you mean it does not exist? Are you telling me that every source listed here is fake? Do you think all these people are just saying they got a bruteforce from this IP just because they don't like you or something - or do you think the provider is making bogus complaints because reasons?