OVH Community, your new community space.

Deactivation due to scan


freshwire
07-09-2009, 01:49
Hence a couple of iptables rules ^

Bhavic
07-09-2009, 01:24
Quote Originally Posted by Myatu
Well, it's always nice to know these "Oh, by the way..." bits of information after the fact, especially when you're using an OS distribution provided by OVH itself...

Anyway, what you can do is create your own VPN using something like OpenVPN. Give each cluster server its own private IP address in the 10.0.0.0/8 range (ie., 10.1.0.1) and connect to it using OpenVPN (this IP is in addition to the main IP, obviously)

Once you have verified that you can ping / ssh the private IPs of the clusters from the Proxmox master server over the VPN, you re-create your cluster configuration to use the private IPs instead.

This should give you better control over what happens inside your own cluster.
This is actually a good idea, thanks! I'll give it a try when I get time. Never used OpenVPN (or any VPN actually) so it'll be great to learn.

Quote Originally Posted by monkey56657
Some of the messages in this topic are really super long. But I stand by my idea. Change the port number. You can have it done in minutes.
Lol, if it was that easy to change the port I would. But in fact it could take hours because firstly, I have to find out how/where Proxmox's config files are kept. If the SSH port is hard-coded in, well that's a big problem; if it's a simple variable to change then OK. But then I need to go into my other 40 servers and change them all manually (if it's even possible to change).

freshwire
06-09-2009, 23:57
Some of the messages in this topic are really super long. But I stand by my idea. Change the port number. You can have it done in minutes.

Myatu
06-09-2009, 19:59
"If you want to scan your servers from one of your servers you can do this but not port 22, that is forbidden without exception, and will immediately mark your server as hacked. You'll need to configure your servers to use some other port and create reverses.

Regards, Folarin."
Well, it's always nice to know these "Oh, by the way..." bits of information after the fact, especially when you're using an OS distribution provided by OVH itself...

Anyway, what you can do is create your own VPN using something like OpenVPN. Give each cluster server its own private IP address in the 10.0.0.0/8 range (ie., 10.1.0.1) and connect to it using OpenVPN (this IP is in addition to the main IP, obviously)

Once you have verified that you can ping / ssh the private IPs of the clusters from the Proxmox master server over the VPN, you re-create your cluster configuration to use the private IPs instead.

This should give you better control over what happens inside your own cluster.

Bhavic
06-09-2009, 14:25
Quote Originally Posted by Andy
Contact Oles directly, he might actually listen to this problem. oles@ovh.net. He is actually intent on fixing such issues in most cases. Don't give a story, give the facts, or he won't listen. He doesn't have time to read stories, just get straight to the point
Thanks, I will shoot him an email and will see what happens!

Andy
06-09-2009, 14:21
Quote Originally Posted by Bhavic
Don't get me wrong, I am actually VERY annoyed. I can't stress enough how many clients I've lost because of this.
But the question really is, what can I do? The answer: nothing!
Customer support is useless; even though I explained my whole situation to them, they just won't reactivate my servers. They avoid the question and every time just say why the server got deactivated.
Contact Oles directly, he might actually listen to this problem. oles@ovh.net. He is actually intent on fixing such issues in most cases. Don't give a story, give the facts, or he won't listen. He doesn't have time to read stories, just get straight to the point

Bhavic
06-09-2009, 13:21
Quote Originally Posted by wil
I just can't seem to understand why you are not more angry over this.

I have one (Trial) server with OVH and don't get me wrong, I like some of the features, but I am pi$$ed off because of the hoops I have to jump through to get VM's working and just from reading your thing that if I ever become more successful and want to get a load of machines (I was going to buy 2), they limit what I can do :S
Don't get me wrong, I am actually VERY annoyed. I can't stress enough how many clients I've lost because of this.
But the question really is, what can I do? The answer: nothing!
Customer support is useless; even though I explained my whole situation to them, they just won't reactivate my servers. They avoid the question and every time just say why the server got deactivated.

wil
06-09-2009, 12:53
I just can't seem to understand why you are not more angry over this.

I have one (Trial) server with OVH and don't get me wrong, I like some of the features, but I am pi$$ed off because of the hoops I have to jump through to get VM's working and just from reading your thing that if I ever become more successful and want to get a load of machines (I was going to buy 2), they limit what I can do :S

Bhavic
06-09-2009, 12:10
Quote Originally Posted by Myatu
I'm curious, because it shouldn't be scanning if the IPs are defined. Did you set up the cluster according to http://pve.proxmox.com/wiki/Proxmox_VE_Cluster ?
Yes, we do set up the cluster like that, but I'm pretty sure that they scan the ip:22 to check if the server is in fact online. After this thread I've had 2 more servers deactivated, and got a reply (finally) to my first email to OVH about this:

"Dear customer,

If you want to scan your servers from one of your servers you can do this but not port 22, that is forbidden without exception, and will immediately mark your server as hacked. You'll need to configure your servers to use some other port and create reverses.

Regards, Folarin."

All my servers also have reverse DNS's set.

Giving up hope on the previous servers, I've reinstalled them (losing quite a lot of data, and with that clients).

freshwire
05-09-2009, 19:04
You could rewrite with iptables instead of changing the code
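
The port rewrite suggested above, sketched as an added example (not code from this thread, from Proxmox or from OVH): it prints one pair of NAT rules per cluster member so that SSH between your own nodes travels on another port while Proxmox and sshd stay configured for 22. `ALT_PORT`, the function name `cluster_rules` and all addresses are assumptions made up for the illustration.

```sh
#!/bin/sh
# Added example: prints iptables rules for review; it applies nothing itself.
# ALT_PORT and every address below are constructed placeholders.
ALT_PORT=2222   # assumed spare port; traffic between nodes uses this on the wire

# cluster_rules SELF MEMBER...
# Emit the rules node SELF needs so that SSH to any other cluster member
# leaves as tcp/ALT_PORT, and ALT_PORT arriving from a member reaches the
# local sshd on 22. Proxmox and sshd keep their default port-22 config.
cluster_rules() {
    self=$1
    shift
    for peer in "$@"; do
        # Refuse anything that is not a dotted-quad style token, so a bad
        # inventory line can never end up inside a firewall command.
        case $peer in
            ''|*[!0-9.]*) echo "invalid address: $peer" >&2; return 1 ;;
        esac
        if [ "$peer" = "$self" ]; then
            continue
        fi
        # Outbound: locally generated SSH to this peer is rewritten to ALT_PORT.
        printf 'iptables -t nat -A OUTPUT -p tcp -d %s --dport 22 -j DNAT --to-destination %s:%s\n' \
            "$peer" "$peer" "$ALT_PORT"
        # Inbound: ALT_PORT from this peer only is redirected to local port 22.
        printf 'iptables -t nat -A PREROUTING -p tcp -s %s --dport %s -j REDIRECT --to-ports 22\n' \
            "$peer" "$ALT_PORT"
    done
}

# Constructed three-node cluster (documentation addresses); run on 192.0.2.10.
cluster_rules 192.0.2.10 192.0.2.10 192.0.2.11 192.0.2.12
```

Review the printed rules before piping them to `sh` as root, and put them in place on both ends of each pair, since a node that rewrites outbound traffic can only reach peers that already redirect the alternate port.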

Myatu
05-09-2009, 18:45
I'm curious, because it shouldn't be scanning if the IPs are defined. Did you set up the cluster according to http://pve.proxmox.com/wiki/Proxmox_VE_Cluster ?

Bhavic
04-09-2009, 05:03
That would require changes in the Proxmox code, which I'm not sure is feasible at the moment.

freshwire
04-09-2009, 04:29
Configure the port to something other than 22 ? It might help.

Bhavic
04-09-2009, 01:19
Thanks for your reply Marks,

Basically how I understand it is that a server in the Proxmox cluster will periodically scan the rest of the servers in the cluster at IP:22 to check if they're online.

Sometimes it does around 10 scans in just a few seconds (from the logs I got from the OVH deactivation email). (I'm not sure how often it actually does this.)

When it does this, I guess OVH's network detects this as a rogue script, meaning possibly in (normal) circumstances that the machine is hacked, and so OVH deactivates it.

Marks, is it possible to get my 2 servers which were recently deactivated (48 hours+ now) put back into normal state so I don't have to reinstall them?
I've emailed customersupport@ovh.co.uk but have had no response.

They were ks369176 and ks301522.

I do hope that OVH can resolve this, Maybe in their Proxmox installation image you can change it to not scan so often or something. I'm not sure if it's possible to edit something like that.

Bhavic

marks
03-09-2009, 10:37
Could you tell me more about this Proxmox configuration? Is the Proxmox configured to do distributed work between your servers or something?

Please, tell me a bit more about this behaviour and the scanning hack that our systems detect so that we can do something about it.

Thanks

wil
03-09-2009, 04:31
Sorry - don't want to thread hijack... I did this and it disabled the majority of problems from happening whenever I actually wanted ping disabled, however they seem to actually do this automatically on server restart whether monitoring is off or on.

Bhavic
03-09-2009, 04:29
I do believe you can turn off monitoring. OVH Manager -> Select your server -> Server Status -> Monitoring -> Stop

This stops OVH pinging the server every X seconds to see if it's up or not, which will stop any interventions due to your server being down.
Hope that helps!

wil
03-09-2009, 04:09
Sorry, not a solution but...

I am finding the same, the monitoring is getting VERY annoying, I am just on my one month business trial and I really want to use OVH, however I have already hit so many roadblocks such as no ESX support, no Hyper-V support... When I even use one of my Windows keys, it comes preinstalled with a load of rubbish..

... but even more than that, every time I try and do something custom (for example, ISO boot an unattended install of Windows), if it fails, rather than just letting me try again, I keep getting an email saying along the lines of "an intervention is taking place due to no ping"... It then stops me from trying again a netboot, reinstall or reboot for several (sometimes 5+) hours.

I am wasting so much time, it is getting really annoying! What you say is really troubling as I planned on doing something similar with clustering and if they stop you doing it to your own servers... well... It's bad!

Can OVH make up their mind! Either don't interfere, or on the other hand, if you do want to become a managed service provider, could you just bung an ESX CD into my server and install it for me!

Bhavic
03-09-2009, 03:52
Hi,

Well, I was just wondering if anyone else has the same problem as me.

I currently have over 40 servers with OVH, and I use Proxmox on the majority of them. Proxmox allows me to cluster all the servers together so I can manage them all from one web interface.

Lately, I've been getting a lot of my servers "deactivated due to scan" - basically OVH thinks that my servers are 'hacked' and are running some sort of scripts which are scanning other OVH's SSH ports (22). (But indeed my "master" node is scanning my other OVH servers in the cluster to see if they're online (I think).)

But this is actually Proxmox itself, and I think this results because of the large cluster I have, and I simply cannot keep having my servers deactivated and then have to reinstall them, because it's not my fault. (I have already lost a lot of clients due to this) because it causes unnecessary downtime, and some of the clients' data is lost.

Does anyone have a solution to this problem, i.e. is there any way to stop OVH monitoring my servers for this scanning thing or something else?

Much Appreciated,

Bhavic